NOTICE OF PRIVACY PRACTICES
REQUIRED BY THE FEDERAL PRIVACY RULE UNDER
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
EFFECTIVE DATE: APRIL 14, 2003 rev. 9/14/04
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
IF YOU HAVE ANY QUESTIONS ABOUT THIS NOTICE PLEASE CONTACT:
Nancy Welch, RHIT
Corporate Privacy Officer
By law, we are required to maintain the privacy of your protected health information and to provide you with Notice of our legal duties and privacy practices with respect to your protected health information. We are required to abide by the terms of our Notice of Privacy Practices currently in effect.
Protected health information, also called personal medical information, may be information about health care we provide to you or payment for health care provided to you. It may also be information about your past, present, or future physical or mental health and medical condition.
Please know that any part of the HIPAA Privacy Rule that is contrary to a provision of Massachusetts law generally will replace Massachusetts law. But in general, if a Massachusetts law protects your medical information more than the Privacy Rule does or gives you greater access to your personal medical information, we will follow the Massachusetts law.
We may change this Notice in the future and the way your personal medical information is used and given out. We reserve the right from time to time to make changes and to make the changed Notice effective for all of your personal medical information that we maintain, including information we created or obtained before the Notice was changed. If we make changes to the Notice, we will post the new Notice in our common area and at www.welchhrg.com on the Internet and we’ll give you a copy of the new Notice when you ask for it.
The rest of this Notice will tell you how we may use and disclose your personal medical information; what your rights are with respect to your information; and how and where you can file a privacy-related complaint.
I. How we will use and disclose your personal medical information
We are required by law to disclose your personal medical information to you in most circumstances upon your request. We are required by law to disclose your personal medical information when required by the Secretary of Health and Human Services or the Secretary’s designee to investigate or determine our compliance with HIPAA.
Here are examples of the types of uses and disclosures of your personal medical information that we may make. Other uses and disclosures may be made to the extent permitted or required by law:
1. Treatment: We may use and disclose your personal medical information to provide, coordinate, or manage your health care and any related services, including with a third party and for treatment activities of another health care provider. This may include talking with and writing to other health care providers, inside and outside of our organization, about your treatment, and coordinating and managing your health care with others.
2. Payment: We may use and disclose your personal medical information to get or give reimbursement for the provision of health care to you. This means we may use and disclose your personal medical information to get paid (including determining eligibility, preparing bills and managing accounts). We may also give your personal medical information to others (such as insurers, utilization reviewers, collection agencies, consumer reporting agencies, and lawyers) for payment purposes, and to a health plan covered by the Privacy Rule or a health care clearinghouse or another health care provider for that provider’s payment activities. Sometimes we may give your personal medical information to an insurance plan before you receive certain health care services, because we need to know whether the insurance plan will pay for a service.
3. Health care operations: We may use and disclose your personal medical information in performing many business activities, called health care operations. For example, we may use or disclose your personal medical information when we:
· Conduct quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines
· Review the competence or qualifications of health care professionals, and evaluate practitioner and provider performance
· Conduct training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills
· Do accreditation, certification, licensing, and credentialing activities.
Note: for the preceding four purposes, and for the purpose of health care fraud and abuse detection or compliance, we may also disclose your personal medical information to a health plan covered by the Privacy Rule, to a health care clearinghouse, or to another covered health care provider, for their health care operations, if the recipient has or had a relationship with you, and the information pertains to such relationship.
· Do medical review, legal and auditing functions, including compliance programs, business planning and development, business management, and general administrative activities
4. Persons involved in your care: We may disclose to a family member, other relatives, or your close personal friend, or any other person you identify, personal medical information directly relevant to your care or payment related to your care. We may also, in general, use or disclose your personal medical information to tell, or assist in telling (including identifying or finding) your personal representative, or another person responsible for your care, of your location, general condition or death. You can tell us, before such uses or disclosures, that they are or are not acceptable to you.
If you are present when such uses or disclosures take place, you can tell us not to make such uses or disclosures. If you are not present or could not tell us whether such uses or disclosures are okay, we can, in the exercise of our professional judgment, decide whether such uses or disclosures are in your best interests and directly relevant to the person’s involvement with your health care. We may also use or disclose your personal medical information for disaster relief purposes.
5. Organization directories: Unless you tell us not to, we may use your name, your room number, your general condition (without specific medical information) and your religious affiliation, to maintain an organization directory. We may disclose this information for directory purposes to members of the clergy and (except for religious affiliation) to any other persons who ask for you by name. You may tell us that you do not want your information disclosed for directory purposes.
6. Required by law: We will use or disclose your personal medical information if our use or disclosure is required by and is limited to the relevant requirements of law. There are many Massachusetts and other state and federal laws that may require the use or disclosure of personal medical information. For example, Massachusetts law requires us to report known or suspected abuse or neglect to the Department of Public Health. Massachusetts nursing home ombudsmen may visit our organization and ask for information.
7. National and other priority uses and disclosures: When required or permitted by law, we may use or disclose personal medical information about you without your permission for some activities that are recognized as national priorities. In other words, the government says that sometimes it is so important to disclose personal medical information that it is okay to disclose the information without your permission, when we are permitted or required to do so by law. Here are descriptions of some national priority activities with respect to which disclosures without your authorization may be recognized by law: threat to health or safety; public health activities; national security or intelligence; abuse, neglect or domestic violence; health oversight activities; correctional institutions; organ and tissue donation; United States Food and Drug Administration adverse events and oversight; court proceedings and law enforcement; coroners, medical examiner, and funeral directors; workers’ compensation; and certain government functions, such as military and veterans’ activities and national security and intelligence activities.
8. Authorization: Other than the uses and disclosures described in this Notice and as may otherwise be permitted or required by law, we will not use or disclose your personal medical information without your, or your personal representative’s, written and dated authorization. Sometimes we may want to use or disclose your personal medical information and we may ask – but not require – that you sign an authorization. We will give you a copy of your signed authorization. Sometimes you may ask us to disclose personal medical information and we will ask you that you first sign an authorization.
If you sign an authorization permitting us to use or disclose your personal medical information, you may cancel your authorization in writing (except in very limited circumstances related to obtaining insurance coverage). Our policy is that most authorizations are valid for thirty (30) days. If you want to cancel your authorization prior to thirty (30) days, you should tell us in writing that you revoke your authorization or you should fill out an Authorization Revocation Form, which you can get from our Privacy Official. If you cancel your authorization, we will follow your instructions, except to the extent that we have already acted in reliance upon your authorization.
Because we don’t do all of our health care activities and functions by ourselves, we need help from our business associates who are not members of our workforce. In general, we are allowed to share your personal medical information with our business associates, so long as we get satisfactory assurances from them in writing that they will safeguard the information. We don’t need your authorization to share your information with our business associates.
We may also give you appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to you, without your authorization.
9. Special Uses and Disclosures Requiring Authorization:
In general, Massachusetts or federal laws require that we obtain your written authorization before using or disclosing your information about genetic testing or genetic test results, HIV testing or test results, drug, alcohol and other substance abuse rehabilitation treatment programs, treatment for venereal or other sexually transmitted diseases (except legally required disclosures to public health officials), certain information that is legally privileged, and psychotherapy notes (except sharing with your therapist).
II. You have these rights with respect to your personal medical information
1. A right to a copy of this Notice
You have a right to have a paper copy of our Notice of Privacy Practices at any time. In addition, a copy of this Notice is posted in our common area and at www.welchhrg.com on the Internet. If you want a copy of our Notice, ask us for a copy or tell our Privacy Official, or download and print one from www.welchhrg.com on the Internet.
2. A right of access to inspect and copy your personal medical information
You have the right to see, review and get a copy of your personal medical information that we keep in certain groups of records. If you want to see or get a copy of your personal medical information, ask us or write to us, or fill out our Access Request Form available from our Privacy Official. If you want a copy of your information, we may charge you a reasonable fee to cover the costs of the copying. If your medical information is maintained in an electronic health record, you also have the right to request that an electronic copy of your record be sent to you or to another individual or entity. We may charge you a reasonable cost based fee limited to the labor costs associated with transmitting the electronic health record. We may be able to provide you with a summary or explanation of the information. Ask our Privacy Official if you want to know more about these services and any possible additional fees.
3. A right to ask us to amend your personal medical information
You have the right to ask us to amend your personal medical information that we keep in certain groups of records. If you believe that our information either is inaccurate or incomplete, we may amend the information (if we agree with you) and tell others who have copies of the inaccurate or incomplete information about the amendment. If you want us to amend your information, ask us or fill out our Amendment Request Form available from our Privacy Official, and explain why you want us to amend your information. If we say no, we will tell you why in writing. You can tell us why you disagree, and we will share your disagreement whenever we disclose the information.
4. A right to an accounting of certain disclosures
You have the right to an accounting (which means a detailed listing) of certain disclosures that we made for the six (6) years before the time you ask us for an accounting, but not before April 14, 2003. If you want an accounting, you may write to us or fill out an Accounting Request Form available from our Privacy Official.
Our accounting will not include some kinds of disclosures, including disclosures for treatment, payment or health care operations, or disclosures to you or your personal representative, or disclosures authorized by you or your personal representative. If you ask for an accounting more than once every twelve (12) months, we may charge you a fee to cover the costs of the accounting.
5. A right to request restrictions on uses and disclosures
You have the right to ask that we restrict the use and disclosure of your personal medical information to carry out treatment, payment or health care operations. In general, we don’t have to say yes to your request. If we say yes, we must follow the restrictions we agree to (except if information is needed for emergency treatment). If you paid out-of-pocket for a specific item or service, you have the right to request that medical information with respect to that item or service not be disclosed to a health plan for purposes of payment or health care operations, and we are required to honor that request. You may cancel your restrictions at any time. We may cancel a restriction at any time, so long as we tell you about the cancellation and continue to apply the restriction to information collected before the cancellation.
6. A right to request an alternative method of contact
You have the right to ask to be contacted at a different location or in a different way. For example, you may want to have all written information mailed to your work address instead of to your home address or to one relative rather than another. We will agree to any reasonable request for other ways of contacting you. If you would like to ask for another way of being contacted, you have to tell us in writing. An Alternative Contact Request Form is available from our Privacy Official.
7. Right to Receive Notice of a Breach
We are required to notify you by first class mail or by e-mail (if you have indicated a preference to receive information by e-mail), of any breaches of Unsecured Protected Health Information as soon as possible, but in any event, no later than 60 days following the discovery of the breach. “Unsecured Protected Health Information” is information that is not secured through the use of a technology or methodology identified by the Secretary of the U.S. Department of Health and Human Services to render the Protected Health Information unusable, unreadable, and undecipherable to unauthorized users. The notice is required to include the following information:
· a brief description of the breach, including the date of the breach and the date of its discovery, if known;
· a description of the type of Unsecured Protected Health Information involved in the breach;
· steps you should take to protect yourself from potential harm resulting from the breach;
· a brief description of actions we are taking to investigate the breach, mitigate losses, and protect against further breaches;
· contact information, including a toll-free telephone number, e-mail address, Web site or postal address to permit you to ask questions or obtain additional information.
In the event the breach involves 10 or more residents whose contact information is out of date we will post a notice of the breach on the home page of our Web site or in a major print or broadcast media. If the breach involves more than 500 residents in the state or jurisdiction, we will send notices to prominent media outlets. If the breach involves more than 500 residents, we are required to immediately notify the Secretary. We also are required to submit an annual report to the Secretary of a breach that involved less than 500 residents during the year and will maintain a written log of breaches involving less than 500 residents.
III. How you may file a privacy-related complaint
If you believe that your privacy rights set out in this Notice have been violated or you believe we are not complying with the HIPAA Privacy Rule, we urge you to tell our Privacy Official as soon as possible. You may file a complaint with us or with the federal government. There will be no retaliation for filing a complaint.
●To file a complaint with us, you may contact our Privacy Official whose name and telephone number appear on the Staff Listing in the Admission Handbook.
●To file a complaint with the federal government, send your complaint to:
Office for Civil Rights
U. S. Department Health and Human Services
J. F. Kennedy Federal Building – Room 1875
Boston, Massachusetts 02203
Voice phone (617) 565-1340
Fax (617) 565-3809
TDD (617) 565-1343
Please know that a complaint filed with the Office for Civil Rights must be filed within 180 days of when you knew or should have known of the act or omission believed to be in violation, unless this time limit is waived by the government.