DERMATOLOGIC SURGERY OF CENTRAL VIRGINIA, PLC
NOTICE OF PRIVACY PRACTICES
Effective Date: April 1, 2003
Revision Date: February 15, 2011
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
If you have any questions about this notice, please contact the Privacy Officer by calling (434) 979-7700, or writing to:
Brandy Martin, Privacy Officer
Dermatologic Surgery of Central Virginia, PLC
902 E. Jefferson Street, Suite 201
Charlottesville, Virginia 22902
WHO WILL FOLLOW THIS NOTICE
This notice describes the privacy practices followed by Dermatologic Surgery of Central Virginia, PLC’s (the “Practice”) employees, staff and other office personnel. The practices described in this notice will also be followed by the Practice’s health care providers you consult with by telephone (when your regular health care provider from our office is not available) who provide "call coverage" for your regular health care provider and Business Associates of the Practice.
YOUR PROTECTED HEALTH INFORMATION and THIS NOTICE
“Protected Health Information” (“PHI”) or if it is in electronic format, “Electronic Protected Health Information” (“EPHI”), is the information that you provide us or that we create or receive from other healthcare providers about your health care or your billing information. This Notice of our legal duties and privacy practices is being provided to you as a requirement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). This Notice applies to the information and records we have about your health, health status, and the health care and service you receive at this Dermatologic Surgery of Central Virginia, PLC. When we use or disclose (share) your Protected Health Information in any format, we are required to follow the terms of this Notice or other notice in effect at the time we use or share the PHI or EPHI.
This Notice describes how, when and why we may use and disclose your protected health information to carry out treatment, payment or health care operations and for other purposes that are permitted or required by law. It also describes your rights to access and control your protected health information in some cases. “Protected health information” means any written, recorded or oral information about you, including demographic data and any electronic information or data, “EPHI”, that consists of protected health information in digital format, that may identify you or that can be used to identify you that is created or received by Dermatologic Surgery of Central Virginia, PLC, and that relates to your past, present or future physical or mental health or condition, the provision of health care to you or the past, present or future payment for the provision of health care to you.
WE ARE REQUIRED BY LAW TO:
HOW WE MAY USE AND DISCLOSE PROTECTED HEALTH INFORMATION ABOUT YOU
The following describes different ways that we are permitted by HIPAA to use and disclose your PHI and EPHI. For each category of uses or disclosures we will explain what we mean and give some examples. Not every use or disclosure will be listed and the examples are not exhaustive. However, all of the ways we are permitted to use and disclose protected health information will fall within one of the categories. The explanation is provided for your general information only. Disclosure of your PHI or EPHI for the purposes described in this Notice may be made in writing, orally, or electronically (e-mail), by facsimile or by other means.
For Treatment: We may use protected health information about you to provide you with medical treatment or services. We may disclose such information about you to doctors, nurses, dentists, technicians, office staff or other personnel who are involved in taking care of you and your health.
For example, your doctor may be treating you for a medical condition and may need to know if you have other health problems that could complicate the treatment or if there were earlier X-rays available. The doctor may use your medical history to decide what treatment is best. The doctor may also tell another provider about your condition so that provider can help determine the most appropriate care.
Different personnel in our office may share information about you and disclose information to people who do not work in our office in order to coordinate your care, such as phoning in prescriptions to the pharmacy, scheduling referrals, and ordering x‑rays. Family members and other health care providers may be part of your medical care outside this office and may require information about you that we have.
For Payment: We may use and disclose protected health information about you so that the treatment and services received at this office may be billed to and payment may be collected from you, an insurance company or a third party. For example, we may need to give your health plan information about a service you received here so your health plan will pay us or reimburse you for the service. We may also tell your health plan about a treatment you are going to receive to obtain prior approval, or to determine whether your plan will cover the treatment. We may also disclose protected health information to another provider involved in your care for the other provider’s payment activities. This might include disclosures of demographic information to specialists, surgeons or x-ray providers for payment of their services.
For Health Care Operations: We may use and disclose protected health information about you in order to run the office and make sure that you and our other patients receive quality care. For example, we may use your health information to evaluate the performance of our staff in caring for you. We may also use health information about all or many of our patients to help us decide what additional services we should offer, how we can become more efficient, or whether certain new medical treatments are effective.
Other Health Care Providers: We may also share PHI with other doctors and other health care providers when they need it to provide Treatment to you, to obtain Payment for the care they give to you, to perform certain Health Care Operations, such as reviewing the quality and skill of health care professionals, or to review their actions in following the law. We may also disclose PHI and EPHI to another entity covered by HIPAA for certain health care operations of that entity, if the entity either has or had a relationship with you, such as a treatment relationship, and if the protected health information pertains to such relationship. Such disclosure is limited to certain activities of the other entity, including quality assessment and related activities, protocol development, care coordination, contacting health care providers and patients with information about treatment alternatives, reviewing the competency and qualifications of health care professionals, conducting training programs, accreditation, certification, licensure or credentialing activities.
Business Associates: There are some services provided in our Practice through contracts with business associates. An example would be the clearinghouse we use to process our claims and electronically transmit them to your insurance company. To protect your health information, however, we require the business associate to sign a contract with us that they and their employees will appropriately safeguard your information. In addition, HIPAA requires business associates to restrict the use and disclosure of protected health information (PHI) and subjects business associates directly to civil and criminal penalties for violating HIPAA requirements in the same manner as Dermatologic Surgery of Central Virginia, PLC.
Appointment Reminders: We may use and disclose PHI or EPHI to contact you as a reminder that you have an appointment for treatment or medical care. We may leave a message on your answering machine or with the person answering the telephone at your residence, or send you a written reminder by postcard, letter, or electronically by email if you request.
Sign-in Sheets: We may use sign-in sheets to check you into the facility. We also may call your name in the waiting room area.
Treatment Alternatives: We may use and disclose PHI or EPHI to tell you about or recommend possible treatment options or alternatives that may be of interest to you .
Health‑Related Benefits and Services: We may use and disclose PHI or EPHI to tell you about health- related products or services that may be of interest to you.
Family and Friends: Using our best judgment, we may disclose to a family member, close friend or other person you identify, PHI or EPHI relevant to their involvement in the care or payment related to your care. If you are present, then prior to use or disclosure of such information, we will provide you with an opportunity to object to such uses or disclosures. For example, we may assume you agree to our disclosure of your protected health information to your spouse when you bring your spouse with you into the exam room during treatment or while treatment is being discussed. We will use professional judgment and our experience with common practice to make a reasonable determination, in your best interest, in allowing a person to pick up prescriptions, medical supplies, x-rays or other similar forms of medical information.
In situations where you are not capable of giving consent (because you are not present or due to your incapacity or medical emergency), we may, using our professional judgment, determine that a disclosure to your family member or friend is in your best interest. In that situation, we will disclose only health information relevant to the person's involvement in your care. For example, we may inform the person who accompanied you to Dermatologic Surgery of Central Virginia, PLC that you suffered a broken arm and a fractured jaw and provide updates on your progress and prognosis.
We may also use or share your PHI and/or EPHI to notify (or assist in notifying) these individuals about your location and general condition. We may also use our professional judgment and experience to make reasonable inferences that it is in your best interest to allow another person to act on your behalf to pick up, for example, filled prescriptions, medical supplies, or x-rays.
Please notify us if you do not wish to be contacted for appointment reminders, or if you do not wish to receive communications about treatment alternatives or health‑related products and services, or if there are specific individuals you want restricted from knowledge of your PHI or EPHI.
SPECIAL SITUATIONS
We may use or disclose protected health information about you without your authorization for the following purposes, subject to all applicable legal requirements and limitations:
To Avert a Serious Threat to Health or Safety: We may use and disclose protected health information about you when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person.
As Required By Law: We will disclose protected health information about you when required to do so by federal, state or local law.
Research: Under certain circumstances, we may use and disclose protected health information about you for research purposes regarding medications, efficiency of treatment protocols and the like. All research projects are subject to an approval process, which evaluates a proposed research project and its use of protected health information. Before we use or disclose protected health information for research, the project will have been approved through this research approval process by an Institutional Review Board (“IRB”) or a Privacy Board. We will obtain an Authorization from you before using or disclosing your protected health information unless the authorization requirement has been altered or waived by the IRB or Privacy Board. If reasonably possible, we may make the information non-identifiable to any specific patient. If the information has been sufficiently de-identified, an Authorization for the use or disclosure is not required. If we obtain certain representations from the researcher, we may use and disclose protected health information about your for the researcher to prepare protocols preparatory to research.
Eye, Organ and Tissue Donation: If you are an organ donor, we may disclose protected health information to organizations that handle organ procurement or organ, eye or tissue transplantation or to an organ donation bank, as necessary to facilitate such donation and transplantation.
Workers’ Compensation: We may disclose protected health information about you for workers’ compensation or similar programs. These programs provide benefits for work-related injuries or illness without regard to fault.
Military, Veterans, National Security and Intelligence: If you are or were a member of the armed forces, or are part of the national security or intelligence communities, we may be required by military command or other government authorities to disclose protected health information about you. We may also disclose information about foreign military personnel to the appropriate foreign military authority.
Public Health Risks: We may disclose protected health information about you for public health reasons in order to prevent or control disease, injury or disability; or report births, deaths or other vital events; to report suspected abuse or neglect; non‑accidental physical injuries; reactions to medications or problems with products; or to notify someone who may have been exposed to a disease or be at risk for contracting or spreading a disease.
Health Oversight Activities: We may disclose protected health information to a health oversight agency for audits, investigations, inspections, or licensing purposes. These disclosures may be necessary for certain state and federal agencies to monitor the health care system, government programs, compliance with civil rights laws and entities subject to government regulation.
Lawsuits and Administrative Disputes: If you are involved in a lawsuit or a dispute, we may disclose protected health information about you in response to a court or administrative order. We may also disclose such information in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made by the party requesting the information to tell you about the request or to obtain an order protecting the information requested. We may also use such information to defend ourselves or any member of the Company in any actual or threatened action.
Law Enforcement: We may release protected health information if asked to do so by a law enforcement official or agency:
(i) in response to a court order, subpoena, warrant, summons or similar process;
(ii) to identify or locate a suspect, fugitive, material witness, or a missing person;
(iii) about the victim of a crime if the individual agrees and, under certain limited circumstances, where we are unable obtain the person’s agreement;
(iv) about a death we believe may be the result of criminal conduct;
(v) about criminal conduct at the Practice;
(vi) in emergency circumstances to report a crime, the location of the crime or victims, or the identity, description or location of the person who committed the crime; or,
(vii) about certain types of wound or physical injuries, subject to all applicable legal requirements.
Coroners, Medical Examiners and Funeral Directors: We may release protected health information to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also disclose protected health information about patients of Dermatologic Surgery of Central Virginia, PLC to funeral directors as necessary to carry out their duties.
Information Not Personally Identifiable: We may use or disclose protected health information about you in a way that does not personally identify you or reveal who you are.
National Security and Intelligence Activities: We may disclose protected health information about you to authorized federal officials so they may conduct intelligence, counter-intelligence and other activities authorized by the National Security Act.
Protective Services for the President and Others: We may disclosure protected health information about you to authorized federal officials so they may provide protection to the President, other authorized persons or foreign heads of state or conduct special investigations.
Inmates: If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may disclose protected health information about you to the correctional institution or law enforcement official. This disclosure may be necessary
(i) for the institution to provide you with health care;
(ii) to protect your health and safety or the health and safety of others; or
(iii) for the safety and security of the correctional institution.
Incidental Disclosures: We may use and disclose protected health information about you incidental to otherwise permitted or required uses and disclosures.
To the Secretary of the Department of Health and Human Services: We are required to disclose protected health information about you when requested by the Secretary of the Department of Health and Human Services in order to investigate or determine our compliance with HIPAA.
OTHER USES AND DISCLOSURES OF HEALTH INFORMATION
We will not use or disclose your protected health information for any purpose other than those identified in the previous sections without your specific, written Authorization.
If you give us Authorizationto use or disclose health information about you, you may revoke that Authorization, in writing, at any time. If you revoke your Authorization, we will no longer use or disclose information about you for the reasons covered by your written Authorization, but we cannot take back any uses or disclosures already made with your permission.
Highly Sensitive Information: Federal and state law may require us to obtain your written authorization to disclose highly sensitive health information about your under certain circumstances. Highly sensitive health information is health information that is:
(1) in a therapist’s psychotherapy notes;
(2) about mental illness or developmental disabilities;
(3) in alcohol and drug abuse treatment program records;
(4) in HIV/AIDS test results;
(5) about genetic testing; or
(6) sexual assault.
Sometimes the law even requires us to obtain a minor patient’s authorization to disclose this highly sensitive information to a parent or guardian.
Marketing: We will obtain your written authorization before using patient information about you to send you any marketing materials. However, we may provide you with marketing materials in a face-to-face encounter or give you a promotional gift of minimal value without your authorization. We may also communicate with you about products or services relating to your treatment, care settings or alternative therapies without your written authorization.
YOUR RIGHTS REGARDING PROTECTED HEALTH INFORMATION
Your health record is the physical property of Dermatologic Surgery of Central Virginia, PLC. We are required to retain our records of the care we provide to you, but the information belongs to you. You have the following rights regarding protected health information we maintain about you:
Right to Inspect and Copy: You have the right to inspect and obtain copies of your “designated record set,” which includes medical and billing records and other records, that we use to make decisions about your care. You must submit a written request to thePrivacy Officer in order to inspect and/or receive copies of this protected health information. If you request a copy of the information, we will charge a fee for the costs of copying, mailing or other associated supplies. We may deny your request to inspect and/or receive copies in certain limited circumstances, including when your doctor determines that access may present a danger to you or another person. If you are denied access to your protected health information for this reason, you may ask that the denial be reviewed. We will select a licensed health care professional to review your request and our denial. The person conducting the review will not be the person who denied your request, and we will comply with the outcome of the review.
Access Rights to Electronic Format: The HIPAA Privacy Rule has been amended to give you the right to obtain access to you PHI in electronic format, if requested. You must submit a written request to thePrivacy Officer in order to receive a copy of this electronic protected health information.
Right to Amend: If you believe protected health information we have about you is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment as long as this office keeps the information. The amendment (if the request is approved) along with the original request will be maintained in your record.
To request an amendment, complete and submit a “Patient Request to Amend Protected Health Information” form to thePrivacy Officer. We may deny your request for an amendment if it is not in writing or does not include a reason to support the request.
In addition, we may deny your request if you ask us to amend information that:
a) We did not create, unless the person or entity that created the information is no longer available to make the amendment;
b) Is not part of the designated record set that we keep;
c) You would not be permitted to inspect and copy; or
d) Is accurate and complete.
Our written denial will state the reasons for the denial and explain your right to file a written statement of disagreement. If you don’t file one, you have the right to ask that your request and our denial be attached to all future disclosures of your protected health information. If we approve your request, we will make the change to your protected health information, tell you we have done it, and tell others whom you identify and authorize us to tell that need to know about the change to your protected health information.
Right to an Accounting of Disclosures: You have the right to request an "accounting of disclosures." This is a list of the disclosures we made of protected health information about you for purposes other than treatment, payment and health care operations. We are also not required to account for disclosures to you, disclosures that you agreed to by signing an authorization, disclosures for a facility directory, to friends or family members involved in your care, incidental disclosures, or certain other disclosures we are permitted to make without your authorization. This list will not include uses and disclosures made for national security purposes, or to correction or law enforcement personnel. To obtain this list, you must submit your request in writing to the Privacy Officer. It must state a time period, which may not be longer than six years and may not include dates before April 14, 2003. Your request should indicate in what form you want the list (for example, on paper, electronically). The first report within a 12-month period will be provided at no charge. Subsequent reports within the same 12-month period will be provided at a reasonable, cost-based fee. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred. We have 60 days to respond to your request, and the right to request an additional 30-day extension if we notify you in writing.
Right to an Accounting of Disclosures with EHR Use: Dermatologic Surgery of Central Virginia, PLC, when using and disclosing PHI through an EHR, is required to provide you with an accounting, when requested, for the prior three years. Uses and disclosures of PHI through EHRs include treatment, payment and health care operations. The accounting will only be available for the previous three years. We may include disclosures from business associates in the accounting report we develop for you, or we can give you a list of the business associates involved in disclosing protected health information from our records (and contact information) and direct you to request an accounting directly from the business associate. The business associate must comply with such a request.
Right to Request Restrictions:You have the right to request a restriction or limitation on the protected health information we use or disclose about you for treatment, payment or health care operations. You also have the right to request a limit on the protected health information we disclose about you to someone who is involved in your care or the payment for it, like a family member or friend. For example, you could ask that we not use or disclose information about a surgery you had.
Dermatologic Surgery of Central Virginia, PLCmust honor your request to restrict disclosure of protected health information, unless required by law, about you to a health plan for purposes of payment or health care operations if the information pertains solely to a health care item or service that has been paid for in full, outof pocket, at the time of the service.
If you would like to request a restriction on our use or disclosure of your protected health information, submit a “Patient Request for a Restriction on Uses and Disclosures of Protected Health Care Information” form to thePrivacy Officer, using the contact information in this notice or on the form.
We Are Not Required to Agree to Your Request: For example, we cannot agree to a restriction of the use or disclosure of your information that is required by law. Each request will be reviewed on an individual basis and you will be informed of our decision. We may need to discuss the requested restrictions with you, particularly if we do not feel the restriction would be in your best interest.
Any agreement we make to your request for additional restrictions, must be in writing and signed by the Privacy Officer. We are not bound to any agreement not made in writing. We may, under certain circumstances, find it necessary to withdraw our acceptance of a restriction, and will let you know of our decision in writing. If we do agree to your restriction, we will comply with your request until we receive notice from you that you no longer want the restriction to apply (except as required by law or in emergency situations).
Right to Request Confidential Communications:You have the right to request that we communicate with you about your medical matters in a certain way or at a certain location. For example, you can ask that we only contact you at work, by mail or by email through a secure patient portal.
To request confidential communications, you must complete and submit the “Patient Request for An Alternative Means of Communication of Protected Health Information” form to thePrivacy Officer. We will not ask you the reason for your request. We will accommodate all reasonable requests. Your request must specify how or where you wish to be contacted.
Right to be Notified of PHI or EPH Breach: Dermatologic Surgery of Central Virginia, PLCmust notify you of any unauthorized acquisition, access, use, or disclosure of our unsecured PHIthat compromises the privacy or security of such information. Unless otherwise defined by the U.S. Department of Health and Human Services (HHS), unsecured PHI is defined as any PHI that is not secured by a technology standard that renders it unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.
IMPORTANT NOTE: This breach notification requirement does not include encrypted endpoint data on PCs or mobile devices.
Right to a Paper Copy of This Notice:You have the right to a paper copy of this notice. You may ask us to give you a copy of this notice at any time. Even if you have agreed to receive it electronically, you are still entitled to a paper copy. To obtain such a copy, contact the Privacy Officer at (434) 979-7700.
CHANGES TO THIS NOTICE
We reserve the right to change this notice. We reserve the right to make the revised or changed notice effective for protected health information we already have about you as well as any protected health information we receive in the future. We will provide copies of the current notice to any patient who requests a written copy. The effective date of each notice is contained on the last page of the notice.
Should our business practices change, a revised notice will be available at your next appointment in our office upon your request. You are entitled to a copy of the notice currently in effect.
FOR MORE INFORMATION OR TO FILE A COMPLAINT
If you believe your privacy rights have been violated, or you disagree with a decision we made about access to your protected health information or in response to a request you made to amend or restrict the use or disclosure of your medical information, or to have us communicate with you by alternative means or at an alternative location, you may filea complaint by phoning (434) 979-7700or by contacting:
Brandy Martin, Privacy and Security Officer
Dermatologic Surgery of Central Virginia, PLC
902 E. Jefferson Street, Suite 201
Charlottesville, Virginia 22902
If you are not satisfied with how our office handled your complaint, you may submit a written complaint to:
Secretary of the Department of Health and Human Services
200 Independent Avenue, S.W.
Washington, D.C. 20201
We support your right to the privacy of your protected health information. We will not retaliate or penalize you in any way if you choose to file a complaint with us, or the Department of Health and Human Services.
FORM 025
Effective Date: The effective date of this notice is April 14, 2003.
Revision Date: February 15, 2011.