HIPPA Policy
Purpose: To protect patient privacy and to limit the use or release of confidential information pertaining to a patient. To describe how protected health information (PHI) may be used and disclosed. To describe how PHI is protected.
Policy: This Notice of Privacy Practices describes how Sleep Management Institute (SMI) may use and disclose a patient’s Protected Health Information (PHI) to carry out treatment, payment or health care operations, and for other purposes that are permitted or required by law. It also describes patient rights to access and control their PHI. PHI is personal patient information, including demographic information, that may identify a patient and that relates to a patient’s past, present or future physical or mental health or condition and related health care services.
SMI is required to abide by the terms of this Notice of Privacy Practices. We may modify the terms of our notice at any time, and the new notice will be effective for all PHI in our possession at the time of the change and any that we receive thereafter. Upon a patient’s written or verbal request, we will provide a patient with any revised Notice of Privacy
Uses and Disclosures of Protected Health Information
A patient will be asked by SMI to sign an acknowledgement that a patient received this Notice of Privacy Practices. A good faith effort will be made to obtain written acknowledgement of receipt of this notice, the first time we provide services to them after April 14, 2003. The patient’s PHI may be used and disclosed by their physician, our office staff and others outside of our office that are involved in their care and treatment for the purpose of providing health care services to them. PHI may also be used and disclosed to obtain payment for health care bills and to support the operation of the physician’s practice.
Following are examples of the types of uses and disclosures of protected health care information that SMI is permitted to make:
Treatment. SMI may use and disclose PHI to provide, coordinate or manage health care and any related services. This includes the coordination or management of health care with a third party that may need access to a patient’s PHI. For example, we would disclose PHI, as necessary, to a durable medical equipment company that provides care to the patient.
In addition, we may disclose a patient’s PHI to another physician or health care provider (e.g., a specialist or laboratory) who, at the request of their physician, becomes involved in a patient’s care by providing assistance with their health care diagnosis or treatment.
Payment. SMI may use or disclose a patient’s PHI, as needed, to obtain payment for their health care services. This may include certain activities that their health insurance plan may undertake before it approves or pays for the health care services we recommend, such as: making a determination of eligibility or coverage for insurance benefits, reviewing services provided to a patient for medical necessity, and undertaking utilization review activities. For example, obtaining approval for a sleep testing may require that a patient’s relevant PHI be disclosed to the health plan to obtain approval for the test.
Healthcare Operations. SMI may use or disclose, as needed, a patient’s PHI in order to support our business activities. These activities include, but are not limited to, quality assessment activities, employee reviews, medical training, licensing, and conducting or arranging for other business activities.
For example, we may disclose a patient’s PHI to physicians undergoing sleep-disorder training that see patients at our office. In addition, we may use a sign-in sheet at the registration desk where a patient will be asked to sign their name. We may also call a patient by name in the waiting room, and may use or disclose a patient’s PHI, as necessary, to contact a patient to remind them of their appointment.
We will share a patient’s PHI with third party “business associates” that perform various activities (e.g., billing, transcription services) for the practice. We will have a written contract with the business associate that contains terms that will protect the privacy of a patient’s PHI.
We may use or disclose a patient’s PHI, as necessary, to provide information about treatment alternatives or other health-related benefits and services. We may also use and disclose a patient’s PHI for other marketing activities. For example, a patient’s name and address may be used to send a patient a newsletter about our practice, services that we offer, or information about products or services that we believe may be beneficial to a patient. If a patient does not want to receive these materials, they may contact our Privacy Officer to request that these materials not be sent.
Uses and Disclosures of Protected Health Information Based Upon a Patient’s Written Authorization
Other uses and disclosures of a patient’s PHI will be made only with a patient’s written authorization, unless otherwise permitted or required by law as described below. A patient may revoke this authorization, at any time, in writing, except to the extent that a patient’s physician or the physician’s practice has taken an action in reliance on the use or disclosure indicated in the authorization.
Other Permitted and Required Uses and Disclosures that may be made without a Patient’s Authorization or Opportunity to Object
SMI may use and disclose a patient’s PHI in the following instances. A patient has the opportunity to agree or object to the use or disclosure of all or part of a patient’s PHI. If a patient is not present or able to agree or object to the use or disclosure of the PHI, then a patient’s physician may, using professional judgment, determine whether the disclosure is in a patient’s best interest. Only the PHI that is relevant to a patient’s health care will be disclosed.
Others Involved in a patient’s Healthcare. Unless a patient objects, we may disclose to a family member, relative, close friend or any other person one identifies, a patient’s PHI that directly relates to that person’s involvement in a patient’s health care. If a patient is unable to agree or object to such a disclosure, we may disclose such information as necessary if we determine that it is in a patient’s best interest based on our professional judgment. Finally, we may use or disclose a patient’s PHI to an authorized public or private entity to assist in disaster relief efforts and to coordinate uses and disclosures to family or other individuals involved in a patient’s health care.
Emergencies. We may use or disclose a patient’s PHI in an emergency treatment situation. If this happens, a patient’s physician shall try to obtain a patient’s acknowledgement of our Privacy Practices as soon as reasonably practicable after the delivery of treatment
Communication Barriers. We may use and disclose a patient’s PHI if a patient’s physician or another physician in the practice attempts to obtain an acknowledgement of our Privacy Practices from the patient, but is unable to do so due to substantial communication barriers.
Other Permitted and Required Uses and Disclosures that may be made without a Patient’s Consent, Authorization or Opportunity to Object
We may use or disclose a patient’s PHI in the following situations without a patient’s acknowledgement or authorization. These situations include:
Required By Law. We may use or disclose a patient’s PHI to the extent that the use or disclosure is required by law. The use or disclosure will be made in compliance with the law and will be limited to the relevant requirements of the law. A patient will be notified, as required by law, of any such uses or disclosures.
Public Health. We may disclose a patient’s PHI for public health activities and purposes to a public health authority that is permitted by law to collect or receive the information. The disclosure will be made for the purpose of controlling disease, injury or disability.
Communicable Diseases. We may disclose a patient’s PHI, if authorized by law, to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading the disease.
Health Oversight. We may disclose PHI to a health oversight agency for activities authorized by law, such as audits, investigations, and inspections. Oversight agencies seeking this information include government agencies that oversee the health care system, government benefit programs, other government regulatory programs and civil rights laws.
Abuse or Neglect. We may disclose PHI to a public health authority or governmental agency authorized by law to receive reports of child abuse or neglect, or if we believe that a patient has been a victim of abuse, neglect or domestic violence to the. The disclosure will be made consistent with applicable federal and state laws.
Food and Drug Administration (FDA). We may disclose a patient’s PHI to a person or company required by the FDA to report adverse events, product defects or problems, biologic product deviations; track products; to enable product recalls; to make repairs or replacements; or to conduct post marketing surveillance, as required.
Legal Proceedings. We may disclose PHI in the course of any judicial or administrative proceeding, in response to an order of a court or administrative tribunal (to the extent such disclosure is expressly authorized), in certain conditions in response to a subpoena, discovery request or other lawful process.
Law Enforcement. We may also disclose PHI, so long as applicable legal requirements are met, for law enforcement purposes. These law enforcement purposes include: (1) legal processes and otherwise required by law, (2) limited information requests for identification and location purposes, (3) pertaining to victims of a crime, (4) suspicion that death has occurred as a result of criminal conduct, (5) in the event that a crime occurs on the premises of the practice, and (6) medical emergency (not on the practice’s premises) and it is likely that a crime has occurred.
Coroners, Funeral Directors, and Organ Donation. We may disclose PHI to a coroner or medical examiner for identification purposes, determining cause of death or for the coroner or medical examiner to perform other duties authorized by law. We may also disclose PHI to a funeral director, as authorized by law. We may disclose such information in reasonable anticipation of death.
Research. We may disclose a patient’s PHI to researchers when their research has been approved by an institutional review board that has established protocols to ensure the privacy of a patient’s PHI.
Criminal Activity. Consistent with applicable federal and state laws, we may disclose a patient’s PHI if we believe that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, or to identify or apprehend an individual.
Military Activity and National Security. When appropriate, we may use or disclose PHI of individuals who are Armed Forces personnel: (1) for activities deemed necessary by appropriate military command authorities; (2) for the purpose of a determination by the Department of Veterans Affairs of a patient’s eligibility for benefits; (3) to foreign military authority if a patient is a member of that foreign military services; (4) for national security and intelligence activities, including the provision of protective services to the President or others legally authorized.
Workers’ Compensation. A patient’s PHI may be disclosed by us as authorized to comply with workers’ compensation laws and other similar legally established programs.
Inmates. We may use or disclose a patient’s PHI if the patient is an inmate of a correctional facility and their physician created or received their PHI in the course of providing care to them.
Required Uses and Disclosures. Under the law, we must make disclosures to a patient and when required by the Secretary of the Department of Health and Human Services to investigate or determine our compliance with the requirements of federal regulations that protect the privacy of a patient’s PHI.
Patient Rights
Following is a statement of a patient’s rights with respect to a patient’s Protected Health Information and a brief description of how one may exercise these rights.
A patient has The Right To Inspect And Copy their PHI. Patients are entitled to inspect and obtain a copy of their PHI that is contained in a designated record set for as long as we maintain the PHI. A “designated record set” contains all medical, billing and other records that we may use to make decisions about a patient.
However, under federal law, a patient may not inspect or copy the following records: psychotherapy notes; information compiled in reasonable anticipation of, or use in, a civil, criminal, or administrative action or proceeding; and PHI that is subject to law that prohibits access to PHI. In some circumstances, a patient may have a right to have a decision to deny access of their PHI reviewed.
A patient has The Right to Request Restrictions Of their PHI. A patient may ask us not to use or disclose any part of their PHI for the purposes of treatment, payment, healthcare operations, to family or friends, or for notification purposes as described in this notice. Their request must state what PHI they want restricted and who is restricted.
We are not required to agree to their request, if it is believed to be in their best interest. If we agree to the requested restriction, we may not use or disclose a patient’s PHI, unless it is needed to provide emergency treatment. Restriction requests must be submitted in writing to our Privacy Officer.
A patient has The Right to Request to Receive Confidential Communications of PHI By Alternative Means or at Alternative Locations. For example, a patient’s may ask us to contact them at a particular phone number or only by mail. We will accommodate reasonable request, but may condition this request by asking a patient as to how payment will be handled or specification of an alternative address or other method of contact. We will not request an explanation from them as to the basis for the request. Please make this request in writing to our Privacy Officer.
A Patient has The Right To Amend Their PHI. If a patient feels that any PHI we have about them is incorrect or incomplete, one may ask us to amend the information for as long as we maintain the records. A request to amendment their PHI must be made in writing. One must also provide a reason that supports their request. We have the right to deny their request, but a patient has the right to file a statement of disagreement with us. We may prepare a rebuttal to their statement and will provide them with a copy of any such rebuttal.
A Patient has The Right To Receive An Accounting Of Disclosures We Have Made Of Their PHI. This right applies to disclosures for purposes other than treatment, payment or healthcare operations and valid authorizations or incidental disclosures as described in this Notice of Privacy Practices. It excludes disclosures we may have made to a patient, for a facility directory, to family members or friends involved in a patient’s care, or for notification purposes. A patient has the right to receive specific information regarding these disclosures that occurred after April 14, 2003. A patient may request a shorter time frame. The right to receive this information is subject to certain exceptions, restrictions and limitations.
A patient has The Right To Obtain A Paper Copy Of This Notice From SMI, upon request, even if a patient has agreed to accept this notice electronically.
Protection of PHI
Information pertaining to a patient’s condition or treatment is confidential and should never be discussed with anyone except to perform the necessary and defined functions of their care. Employees are only permitted to access the PHI of patients that they are directly involved in their care or to carry out the function of their job. SMI employees have an obligation to keep all PHI safe from unauthorized access. All PHI on paper, when disposed of, will be shredded. Computer monitors and all medical records will not be left viewable by the public. Employee discussion of a patient will not be audible to the public.
Patients may complain to us or to the secretary of Health Services. If they believe that their privacy rights have been violated by us. One may file a complaint with us by notifying our Privacy contact of your complaint. We will not retaliate against a patient for filing a complaint
