HIPAA JOINT PRIVACY NOTICE  (updated November 19, 2013)

THIS JOINT NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.  PLEASE REVIEW IT CAREFULLY.

INTRODUCTION

This Joint Notice is being provided to you on behalf of the ucpn and the practitioners with clinical privileges that work at the Agency with respect to services provided at the Agency facilities (collectively referred to herein as “We” or “Our”).  We understand that your medical information is private and confidential.  Further, we are required by law to maintain the privacy of “protected health information.” “Protected health information” or “PHI” includes any individually identifiable information that we obtain from you or others that relates to your past, present or future physical or mental health, the health care you have received, or payment for your health care.  We will share protected health information with one another, as necessary, to carry out treatment, payment or health care operations relating to the services to be rendered at the Agency facilities.

As required by law, this notice provides you with information about your rights and our legal duties and privacy practices with respect to the privacy of PHI.  This notice also discusses the uses and disclosures we will make of your PHI.  We must comply with the provisions of this notice as currently in effect, although we reserve the right to change the terms of this notice from time to time and to make the revised notice effective for all PHI we maintain.  You can always request a written copy of our most current privacy notice from the HIPAA Privacy Officer at the Agency or you can access it on our website at web1.cpnassau.org.

PERMITTED USES AND DISCLOSURES

We can use or disclose your PHI for purposes of treatment, payment and health care operations.  For each of these categories of uses and disclosures, we have provided a description and an example below.  However, not every particular use or disclosure in every category will be listed.

• Treatment means the provision, coordination or management of your health care, including consultations between health care providers relating to your care and referrals for health care from one health care provider to another.  For example, a psychologist treating you may need to know from your psychiatrist if you are on any medications.
• Payment means the activities we undertake to obtain reimbursement for the health care provided to you, including billing, collections, claims management, determinations of eligibility and coverage and other utilization review activities.  For example, we may need to provide PHI to your Third Party Payor to determine whether the proposed course of treatment will be covered or if necessary to obtain payment.  Federal or state law may require us to obtain a written release from you prior to disclosing certain specially protected PHI for payment purposes, and we will ask you to sign a release when necessary under applicable law.
• Health care operations means the support functions of the Agency, related to treatment and payment, such as quality assurance activities, case management, receiving and responding to patient comments and complaints, physician reviews, compliance programs, audits, business planning, development, management and administrative activities.  For example, we may use your PHI to evaluate the performance of our staff when caring for you.  We may also combine PHI about many patients to decide what additional services we should offer, what services are not needed, and whether certain new treatments are effective. We may also disclose PHI for review and learning purposes.  In addition, we may remove information that identifies you so that others can use the de-identified information to study health care and health care delivery without learning who you are.

OTHER USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION

We may also use your PHI in the following ways:

• To provide appointment reminders for treatment or medical care.
• To tell you about or recommend possible treatment alternatives or other health-related benefits and services that may be of interest to you.
• To your family or friends or any other individual identified by you to the extent directly related to such person’s involvement in your care or the payment for your care.  We may use or disclose your PHI to notify, or assist in the notification of, a family member, a personal representative, or another person responsible for your care, of your location, general condition or death.  If you are available, we will give you an opportunity to object to these disclosures, and we will not make these disclosures if you object.  If you are not available, we will determine whether a disclosure to your family or friends is in your best interest, taking into account the circumstances and based upon our professional judgment.
• When permitted by law, we may coordinate our uses and disclosures of PHI with public or private entities authorized by law or by charter to assist in disaster relief efforts.
• We may contact you as part of our fundraising and marketing efforts as permitted by applicable law.  You have the right to opt out of receiving such fundraising communications.
• We may use or disclose your PHI for research purposes, subject to the requirements of applicable law.  For example, a research project may involve comparisons of the health and recovery of all patients who received a particular medication.  All research projects are subject to a special approval process which balances research needs with a patient’s need for privacy.  When required, we will obtain a written authorization from you prior to using your health information for research.
• We will use or disclose PHI about you when required to do so by applicable law.

Note: incidental uses and disclosures of PHI sometimes occur and are not considered to be a violation of your rights.  Incidental uses and disclosures are by-products of otherwise permitted uses or disclosures which are limited in nature and cannot be reasonably prevented.

SPECIAL SITUATIONS

Subject to the requirements of applicable law, we will make the following uses and disclosures of your PHI:

• Organ and Tissue Donation.  If you are an organ donor, we may release PHI to organizations that handle organ procurement or transplantation as necessary to facilitate organ or tissue donation and transplantation.
• Military and Veterans.  If you are a member of the Armed Forces, we may release PHI about you as required by military command authorities.  We may also release PHI about foreign military personnel to the appropriate foreign military authority.
• Worker’s Compensation.  We may release PHI about you for programs that provide benefits for work-related injuries or illnesses.
• Public Health Activities.  We may disclose PHI about you for public health activities, including disclosures:

*        to prevent or control disease, injury or disability;

*        to report births and deaths;

*        to report child abuse or neglect;

*        to persons subject to the jurisdiction of the Food and Drug Administration (FDA) for activities related to the quality, safety, or effectiveness of FDA-regulated products or services and to report reactions to medications or problems with products;

*        to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition;

*        to notify the appropriate government authority if we believe that an adult patient has been the victim of abuse, neglect or domestic violence.  We will only make this disclosure if the patient agrees or when required or authorized by law.

• Health Oversight Activities.  We may disclose PHI to federal or state agencies that oversee our activities (e.g., providing health care, seeking payment, and civil rights).
• Lawsuits and Disputes.  If you are involved in a lawsuit or a dispute, we may disclose PHI subject to certain limitations.
• Law Enforcement.  We may release PHI if asked to do so by a law enforcement official:

*        In response to a court order, warrant, summons or similar process;

*        To identify or locate a suspect, fugitive, material witness, or missing person;

*        About the victim of a crime under certain limited circumstances;

*        About a death we believe may be the result of criminal conduct;

*        About criminal conduct on our premises; or

*        In emergency circumstances, to report a crime, the location of the crime or the victims, or the identity, description or location of the person who committed the crime.

• Coroners, Medical Examiners and Funeral Directors.  We may release PHI to a coroner or medical examiner.  We may also release PHI about patients to funeral directors as necessary to carry out their duties.
• National Security and Intelligence Activities.  We may release PHI about you to authorized federal officials for intelligence, counterintelligence, other national security activities authorized by law or to authorized federal officials so they may provide protection to the President or foreign heads of state.
• Inmates.  If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release PHI about you to the correctional institution or law enforcement official.  This release would be necessary (1) to provide you with health care; (2) to protect your health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution.
• Serious Threats.  As permitted by applicable law and standards of ethical conduct, we may use and disclose PHI if we, in good faith, believe that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public or is necessary for law enforcement authorities to identify or apprehend an individual.

Note:  HIV‑related information, genetic information, alcohol and/or substance abuse records, mental health records and other specially protected health information may enjoy certain special confidentiality protections under applicable state and federal law.  Any disclosures of these types of records will be subject to these special protections.

OTHER USES OF YOUR HEALTH INFORMATION

Certain uses and disclosures of PHI will be made only with your written authorization, including uses and/or disclosures: (a) of psychotherapy notes (where appropriate); (b) for marketing purposes; and (c) that constitute a sale of PHI under the Privacy Rule.  Other uses and disclosures of PHI not covered by this notice or the laws that apply to us will be made only with your written authorization.  You have the right to revoke that authorization at any time, provided that the revocation is in writing, except to the extent that we already have taken action in reliance on your authorization.

YOUR RIGHTS
1.                You have the right to request restrictions on our uses and disclosures of PHI for treatment, payment and health care operations.  However, we are not required to agree to your request.  We are, however, required to comply with your request if it relates to a disclosure to your health plan regarding health care items or services for which you have paid the bill in full.  To request a restriction, you may make your request in writing to the Privacy Officer.
2.                You have the right to reasonably request to receive confidential communications of your PHI by alternative means or at alternative locations.  To make such a request, you may submit your request in writing to the Privacy Officer.
3.                You have the right to inspect and copy the PHI contained in our Agency records, except:
     (i)                for psychotherapy notes, (i.e., notes that have been recorded by a mental health professional documenting counseling sessions and have been separated from the rest of your medical record);
     (ii)              for information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding;
     (iii)             for PHI involving laboratory tests when your access is restricted by law;
     (iv)             if you are a prison inmate, and access would jeopardize your health, safety, security, custody, or rehabilitation or that of other inmates, any officer, employee, or other person at the correctional institution or person responsible for transporting you;
     (v)              if we obtained or created  PHI as part of a research study, your access to the PHI  may be restricted for as long as the research is in progress, provided that you agreed to the temporary denial of access when consenting to participate in the research;
     (vi)             for PHI contained in records kept by a federal agency or contractor when your access is restricted by law; and
     (vii)            for PHI obtained from someone other than us under a promise of confidentiality when the access requested would be reasonably likely to reveal the source of the information.
     (viii)          for other reasons permitted by applicable State or Federal law.
In order to inspect or obtain a copy your PHI, you may submit your request in writing to the Medical Records Custodian.  If you request a copy, we may charge you a fee for the costs of copying and mailing your records, as well as other costs associated with your request.

We may also deny a request for access to PHI under certain circumstances if there is a potential for harm to yourself or others. If we deny a request for access for this purpose, you have the right to have our denial reviewed in accordance with the requirements of applicable law.
4.                You have the right to request an amendment to your PHI but we may deny your request for amendment, if we determine that the PHI or record that is the subject of the request:
(i)                was not created by us, unless you provide a reasonable basis to believe that the originator of PHI is no longer available to act on the requested amendment;
(ii)              is not part of your medical or billing records or other records used to make decisions about you;
(iii)             is not available for inspection as set forth above; or
(iv)             is accurate and complete.
In any event, any agreed upon amendment will be included as an addition to, and not a replacement of, already existing records.  In order to request an amendment to your PHI, you must submit your request in writing to Medical Record Custodian at our Agency, along with a description of the reason for your request.
5.                You have the right to receive an accounting of disclosures of PHI made by us to individuals or entities other than to you for the six years prior to your request, except for disclosures:
(i)                to carry out treatment, payment and health care operations as provided above;
(ii)              incidental to a use or disclosure otherwise permitted or required by applicable law;
(iii)             pursuant to your written authorization;
(iv)             for the Agency’s directory or to persons involved in your care or for other notification purposes as provided by law;
(v)              for national security or intelligence purposes as provided by law;
(vi)             to correctional institutions or law enforcement officials as provided by law;
(vii)            as part of a limited data set as provided by law.
To request an accounting of disclosures of your PHI, you must submit your request in writing to the Privacy Officer at our Agency.  Your request must state a specific time period for the accounting (e.g., the past three months).  The first accounting you request within a twelve (12) month period will be free.  For additional accountings, we may charge you for the costs of providing the list.  We will notify you of the costs involved, and you may choose to withdraw or modify your request at that time before any costs are incurred.
6.                You have the right to receive a notification, in the event that there is a breach of your unsecured PHI, which requires notification under the Privacy Rule.
COMPLAINTS

If you believe that your privacy rights have been violated, you should immediately contact the Agency Privacy Officer at 516-377-2032.  We will not take action against you for filing a complaint.  You also may file a complaint with the Secretary of the U. S. Department of Health and Human Services.

CONTACT PERSON

If you have any questions or would like further information about this notice, please contact the Agency Privacy Officer at 516-377-2032.

This notice is effective as of March 26, 2013.

SAMPLE ACKNOWLEDGMENT

I, __________________________, acknowledge that I have been provided with a copy of [Insert name of Agency]’s privacy notice.

Date:______________________, 201___         ______________________________

Legal: change of privacy policies

UNITED CEREBRAL PALSY ASSOCIATION OF NASSAU COUNTY, INC.
380 Washington Avenue, Roosevelt, New York 11575

NOTICE OF CHANGE IN PRIVACY POLICIES
Dated:  February 1, 2010

This memo is intended to inform our consumers and families that we have made changes to our privacy policies in accordance with recent changes in federal law.  The federal Health Information Technology for Economic and Clinical Health Act enacted in 2009, made changes to the HIPAA privacy and security rules that apply to personal health information maintained by us.  As a result, we have revised our privacy policies in accordance with the new federal requirements.

The following is an overview of the HIPAA changes that go into effect on February 17, 2010:   

• Access to Information in Electronic Format:  If we maintain an electronic health record for an individual, the individual may request access to the information in an electronic format.
• Restrictions on Disclosures:  We must comply with any request for restrictions on disclosures if the information is to be sent to a health plan for payment or health care operations purposes and the disclosure relates to products or services that were paid for solely out-of-pocket.
• Accounting of Disclosures:  If we maintain an electronic health record for an individual, the individual will now be entitled to receive an accounting of routine disclosures of their health information, upon request.
• Marketing and Health Care Operations:  The new rule clarifies the interaction between marketing activities and health care operations activities.
• Opt-Out of Fundraising:  Language providing individuals with the chance to “opt-out” of fundraising communications must be presented in a clear and conspicuous manner.  Any opt-outs elected will be treated as a revocation of any prior authorization.
• Business Associates:  HIPAA privacy and security rules will now apply directly to business associates who will be subject to the same civil and criminal penalties that apply to providers.
• Enhanced Enforcement:  HIPAA civil money penalties are now increased and criminal penalties are added for individuals or employees of providers who violate HIPAA.
• Breach Notification:  HIPAA providers and business associates must provide notice to all affected individuals in the event of an unauthorized or inadvertent breach of unsecured personal health information.

For more information or to request a copy of our revised Notice of Privacy Practices, please contact the agency’s HIPAA Privacy Officer at 516-377-2032.