Athens Heart Center and Specialty Clinics
Notice of Privacy Practices
Effective Date: [May 10, 2017]
Per HIPAA Breach Notification Rule 45 CFR 164.400.414 on 7/14/2017, this is to notify that unauthorized individuals may have had access to some of the patient names, appointment dates, times and reason for visit. To the best of our knowledge no other patient information was viewable. If you have any questions, please contact us at 706-208-9700.
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Athens Heart Center and Specialty Clinics, PC (“AHCSPC”) is committed to providing quality healthcare services to you. An important part of that is protecting your medical information according to applicable law. This notice (“Notice”) describes your rights and our duties under Federal Law, as well as other pertinent information. We are happy to answer any questions you may have regarding this Notice. Our staff will briefly review the key points contained herein once you have had an opportunity to read and sign.
- Healthcare Operations. “Healthcare Operations” means business activities that we engage in so as to provide healthcare services to you, including but not limited to, quality assessment and improvement activities, personnel training and evaluation, business planning and development, and other administrative and managerial functions.
- Payment. “Payment” means activities that we undertake as a healthcare provider to obtain reimbursement for the provision of healthcare to you which include, but are not limited to: determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and processing health benefit claims.
- Protected Health Information. “Protected Health Information” or “PHI” means information which identifies you (e.g. name, address, social security number, etc.) and relates to your past, present, or future physical or mental health or condition; the provision of healthcare to you; or the past, present, or future payment for the provision of healthcare to you.
- Treatment. “Treatment” means the provision, coordination, or management of healthcare and related services on your behalf, including the coordination or management of healthcare with a third party; consultation between AHCSPC and other healthcare providers relating to your care; or the referral by AHCSPC of your care to another healthcare provider.
AHCSPC facilities that will abide by this notice include, but are not limited to, Athens Heart Center, Athens Sleep and Wellness Center, Family First Healthcare of Northeast Georgia, Family First Healthcare (Athens), Danielsville Family Practice, and Athena Clinical Research, LLC.
There are three instances where an Authorization is required from you before we disclose your PHI: (1) most Uses and Disclosures of psychotherapy notes; (2) Uses and Disclosures for marketing purposes; and (3) Uses and Disclosures that involve the sale of PHI.
There are a number of Disclosures that do not require your Authorization: (1) public health activities; (2) research purposes; (3) your treatment; (4) the sale, transfer, merger or consolidation of all or part of our organization and for related due diligence; (5) services rendered by a business associate pursuant to a business associate contract and at the specific request of our organization; (6) providing you with access to your PHI; and (7) other purposes that the Secretary of the Department of Health and Human Services deems necessary and appropriate.
You may, at your own discretion, provide us with other Authorizations. It is our Policy only to use and disclose PHI requiring an Authorization consistent with the Authorization as provided by you. Our Compliance Officer will ensure that all Authorizations meet the requirements of the Privacy Rule and that our staff is trained regarding those instances of Uses and Disclosures wherein Authorizations are implicated.
Uses and disclosures of your protected health information (“PHI”) may be permitted, required, or authorized. Examples are provided below under various categories to give you a sense of how we may use and/or disclose your PHI.
Treatment, Payment and Operations
We will use and/or disclose your PHI as follows: 1) to ensure that we appropriately provide for your care and Treatment; 2) to obtain Payment for our services; and 3) as necessary to conduct our Healthcare Operations.
Our staff, including doctors, nurses and other clinicians, will use your PHI to order tests, procedures, and medications; and to otherwise provide for your care. We may disclose your PHI to pharmacies and other healthcare providers as needed. For example, we may disclose your PHI when we refer you to another healthcare provider.
Your PHI will be used to check for eligibility for insurance coverage and prepare claims for your insurance company where appropriate. We may also use your PHI to invoice you directly or to invoice a government agency on your behalf. For example, in order to prepare invoices, we will disclose information regarding your treatment, the conditions you were treated for, and when you were treated.
We may use and disclose your PHI in order to conduct our healthcare business and to perform functions associated with our business activities. For example, your PHI may be disclosed when we train staff, conduct quality improvement activities, and develop business plans. Your PHI may also be shared with business associates who perform certain business functions on our behalf such as billing, transcriptions and electronic PHI transmissions with other healthcare providers.
Appointments and Reminders
We may use your PHI to contact you regarding appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to you.
AHCSPC may contact you by phone, U.S. postal mail or electronic mail to raise funds for AHCSPC and you have the right to opt out of receiving such communications.
Opportunity to Agree or Object
Under certain circumstances, we may only use and disclose your PHI with your permission as directly provided by you, or in a context wherein we can reasonably infer it, unless you are not present, are incapacitated, or an emergency exists, in which case we are compelled by law to use our professional judgment to determine when to use your PHI, and the extent to which it is used. The following are examples of when you will have an opportunity to agree or object.
Friends and Family
In your presence, we may only disclose your PHI to friends and family with your express permission. For example, we will request that you grant us express permission before discussing your PHI in the company of friends and family. If you elect not to proceed, then friends and family will be excluded from any such conversation. In emergency circumstances, or if you are not present to agree or object, then we will use our professional judgment regarding those communications.
We will include your name and location in our directory and disclose such information (including disclosures of religious affiliation to clergy), unless you notify us that you want to restrict or prohibit such uses and disclosures.
We may use or disclose your PHI to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative, or another person responsible for your care. Any such use or disclosure of your PHI for notification purposes will be made consistent with this policy and applicable law. For example, such notification will only proceed with your permission if you have the capacity to grant it, otherwise the required notification will be guided by our professional judgment.
We may use or disclose your PHI to a business associate that performs a business function on our behalf and requires your PHI in order to do so. Such use or disclosure will only occur after performing due diligence to ensure that the business associate is meeting all statutory and contractual requirements. A written contract will be executed with each business associate, and will be reviewed on a yearly basis, to ensure that the business associate is providing adequate PHI safeguards.
There are a number of uses and disclosures that we are required or permitted to make for public policy reasons. The following is a representative list of uses and disclosures that fall under this category.
Required by Law
We may use or disclose your PHI to the extent that such use or disclosure is required by law. In such cases, the use or disclosure will be limited to uses and disclosures pertaining to the relevant requirements of such law.
Public Health Activities
We may disclose your PHI to governmental authorities for public health activities and for purposes described as follows:
- preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority;
- reporting child abuse or neglect;
- activities related to the quality, safety or effectiveness of a Food and Drug Administration regulated product or process;
- to persons who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if we are authorized by law to notify such persons as necessary in the conduct of a public health intervention or investigation; or
- to an employer, about an individual who is a member of the workforce of the employer, under a limited set of conditions.
We may disclose your PHI for law enforcement purposes to a law enforcement official, but only if certain specified conditions are met. For example, we may disclose your PHI to law enforcement for purposes of identification and for purposes related to a crime.
We may disclose PHI to a coroner, medical examiner or funeral director for the purpose of identifying a deceased person, determining a cause of death, or otherwise carrying out their duties as authorized by law.
Cadaveric Organ, Eye or Tissue Donation
We may disclose PHI to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye or tissue donation and transplantation.
We may use or disclose your PHI for research, regardless of the source of funding of the research, provided that certain conditions are met, including but not limited to the approval of an Institutional Review Board and consistent with applicable law.
Threats to Health or Safety
We may, consistent with applicable law and standards of ethical conduct, use or disclose your PHI if we have a good faith belief that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public or is required by law enforcement authorities to identify or apprehend an individual.
We may use or disclose your PHI for the following governmental functions as long as certain specified conditions are met: 1) military and veterans activities; 2) national security and intelligence activities; 3) protective services for the President and others; 4) medical suitability determinations for a covered entity that is a component of the Department of State; 5) correctional institutions and other law enforcement custodial situations; and 6) covered entities that are government programs providing public benefits.
We may disclose your PHI as authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.
Federal law provides you several important rights regarding your PHI. The following sections summarize your rights and provide information regarding how to exercise them. Protecting your PHI is an important part of the services we provide you. We want to ensure that you have access to your PHI when you need it and that you clearly understand your rights as described below.
Right to Notice
You have a right to adequate notice of the uses and disclosures of your PHI, and our duties and responsibilities regarding same, as provided for herein. You have a right to request both a paper and electronic copy of this Notice.
Right to Request Restrictions
You have a right to request restrictions on how we use and disclose your PHI for treatment, payment and operations, as well as regarding those instances where you have an opportunity to agree or object. We are not required to agree to restrictions for treatment, payment and operations except in limited circumstances. If we do agree to a restriction of any kind then we will honor it going forward, unless you take affirmative steps to revoke it or we believe, in our professional judgment, that an emergency warrants circumventing the restriction in order to provide the appropriate care. In rare circumstances, we reserve the right to terminate a restriction that we have previously agreed to, but only after providing you notice of termination.
You have a right to restrict certain disclosures of PHI to a health plan where you have paid out of pocket in full for the healthcare item or service. You are required to notify all downstream healthcare providers (e.g. a pharmacist) and business associates, including Health Information Exchange(s), of the restriction. We are required by law to honor this restriction and will do so unless affirmatively terminated by you in writing.
Right to Confidential Communications
You have a right to request alternative communication methods with respect to your health matters and related PHI. We ask that you make such communication requests in writing. We will honor all reasonable requests consistent with our duty to ensure that your PHI is appropriately protected.
Right of Access to PHI
You have a right to access, inspect and obtain a copy of your PHI except where excluded by applicable law. All requests for access to your PHI must be made in writing. Under a limited set of circumstances, we may deny your request. Any denial of a request to access will be communicated to you in writing. In general, you have a right to have a denial reviewed by a licensed third party healthcare professional (i.e. one not affiliated with us). We will comply with the decision made by the designated professional. We may charge you a reasonable fee for providing you a copy of your PHI.
Right to Amend PHI
You have a right to request that we amend your PHI for as long as it is maintained by us. The request must be made in writing and you must provide a reason to support the requested amendment. Under certain conditions we may deny your request to amend, including but not limited to, when the PHI: 1) was not created by us; 2) is excluded from access and inspection under applicable law; or 3) is accurate and complete. If we accept the amendment we will work with you to identify other healthcare stakeholders that require notification and provide the notification. If we deny the amendment, we will provide the rationale for denial to you in writing and afford you the opportunity to submit a statement of disagreement.
Right to an Accounting of PHI Disclosures
You have a right to receive an accounting of your PHI disclosures made by us during a time period specified by applicable law prior to the date on which the accounting is requested. You must make any request for an accounting in writing. Certain PHI is excluded from an accounting by law and therefore will not be provided. One accounting within any twelve (12) month period will be provided to you at no charge. Additional accountings may require that you pay us a reasonable fee. We will notify you of the fee to be charged (if any) at the time of the request.
We are required by law to: 1) maintain the privacy of your PHI; 2) provide you with this Notice of our privacy practices; 3) abide by the terms of the Notice currently in effect; and 4) modify this Notice when there are material changes to your rights, our duties, or other practices contained herein. This Notice will remain in effect until it is revised.
We reserve the right to change our privacy practices and the terms of this Notice consistent with applicable law and our current business processes. Should we make revisions to this Notice, we will provide you notification as follows: 1) upon request; 2) electronically via our website or via other electronic communications; and 3) as posted in our place of business. Any modifications to our Notice will apply retroactively to your entire PHI, as maintained by us.
In addition to the above, we have an affirmative duty to respond to your requests (i.e. those corresponding to your rights) in a timely and appropriate manner. We support and value your right to privacy and are committed to maintaining reasonable and appropriate safeguards for your PHI. We will not retaliate in any way, shape or form should you decide to file a complaint with us or with the Department of Health and Human Services.
Questions and Requests for Information
Questions, requests for information, and other inquiries under this Notice should be directed to us as follows:
Athens Heart Center and Specialty Clinics, PC
Attn: Privacy Officer
2005 Prince Ave.
Athens, Ga, 30606
If you believe that your rights have been violated, then you may submit a formal written complaint to us using the contact information provided above.
You may also send a written complaint directly to the Department of Health and Human Services (“HHS”) by using its Health Information Privacy Complaint Package. If you have questions regarding how to file a complaint with HHS you may contact the agency via email at OCRMail@hhs.gov or visit the HHS website at www.hhs.gov.
We reserve the right to make modifications to our policies and procedures, including to this Notice, as necessary and appropriate to comply with applicable law, including the standards, implementation specifications, and other requirements of the HIPAA Privacy Rule.
Credit to 3Lions Publishing, Inc., for this notice of privacy practices model and verbiage.