REGENERATIVE MEDICINE SPECIALISTS
1100 Paseo Camarillo Camarillo, CA 93010
Privacy Officer: Ann Cox
Phone: (805) 585-5004 Fax: (805) 512-8539
Dec 1st, 2010
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
We understand the importance of privacy and are committed to maintaining the confidentiality of your medical information. We make a record of the medical care we provide and may receive such records from others. We use these records to provide or enable other health care providers to provide quality medical care, to obtain payment for services provided to you as allowed by your health plan and to enable us to meet our professional and legal obligations to operate this medical practice properly. We are required by law to maintain the privacy of protected health information and to provide individuals with notice of our legal duties and privacy practices with respect to protected health information. This notice describes how we may use and disclose your medical information. It also describes your rights and our legal obligations with respect to your medical information. If you have any questions about this Notice, please contact our Privacy Officer listed above.
A. How This Medical Practice May Use or Disclose Your Health Information
This medical practice collects health information about you and stores it in a chart and on a computer. This is your medical record. The medical record is the property of this medical practice, but the information in the medical record belongs to you. The law permits us to use or disclose your health information for the following purposes:
- Treatment. We use medical information about you to provide your medical care. We disclose medical information to our employees and others who are involved in providing the care you need. For example, we may share your medical information with other physicians or other health care providers who will provide services which we do not provide. Or we may share this information with a pharmacist who needs it to dispense a prescription to you, or a laboratory that performs a test. We may also disclose medical information to members of your family or others who can help you when you are sick or injured.
- Payment. We use and disclose medical information about you to obtain payment for the services we 2. provide. For example, we give your health plan the information it requires before it will pay us. We may also disclose information to other health care providers to assist them in obtaining payment for services they have provided to you.
- Health Care Operations. We may use and disclose medical information about you to operate this medical practice. For example, we may use and disclose this information to review and improve the quality of care we provide, or the competence and qualifications of our professional staff. Or we may use and disclose this information to get your health plan to authorize services or referrals. We may also use and disclose this information as necessary for medical reviews, legal services and audits, including fraud and abuse detection and compliance programs and business planning and management. We may also share your medical information with our “business associates,” such as our billing service, that perform administrative services for us. We have a written contract with each of these business associates that contains terms requiring them to protect the confidentiality and security of your medical information. Although federal law does not protect health information which is disclosed to someone other than another healthcare provider, health plan or healthcare clearinghouse, under California law all recipients of health care information are prohibited from re- disclosing it except as specifically required or permitted by law. We may also share your information with other health care providers, health care clearinghouses or health plans that have a relationship with you, when they request this information to help them with their quality assessment and improvement activities, their efforts to improve health or reduce health care costs, their review of competence, qualifications and performance of health care professionals, their training programs, their accreditation, certification or licensing activities, or their health care fraud and abuse detection and compliance efforts. [Participants in organized health care arrangements only should add: We may also share medical information about you with the other health care providers, health care clearinghouses and health plans that participate with us in “organized health care arrangements” (OHCAs) for any of the OHCAs’ health care operations. OHCAs include hospitals, physician organizations, health plans, and other entities which collectively provide health care services. A listing of the OHCAs we participate in is available from the Privacy Official.]
- Appointment Reminders. We may use and disclose medical information to contact and remind you about appointments. If you are not home, we may leave this information on your answering machine or in a message left with the person answering the phone.
- Sign In Sheet. We may use and disclose medical information about you by having you sign in when you arrive at our office. We may also call out your name when we are ready to see you.
- Notification and Communication With Family. We may disclose your health information to notify or assist in notifying a family member, your personal representative or another person responsible for your care about your location, your general condition or in the event of your death. In the event of a disaster, we may disclose information to a relief organization so that they may coordinate these notification efforts. We may also disclose information to someone who is involved with your care or helps pay for your care. If you are able and available to agree or object, we will give you the opportunity to object prior to making these disclosures, although we may disclose this information in a disaster even over your objection if we believe it is necessary to respond to the emergency circumstances. If you are unable or unavailable to agree or object, our health professionals will use their best judgment in communication with your family and others.
- Marketing. We may contact you to give you information about products or services related to your treatment, case management or care coordination, or to direct or recommend other treatments or health-related benefits and services that may be of interest to you, or to provide you with small gifts. We may also encourage you to purchase a product or service when we see you. If you are currently an enrollee of a health plan, we may receive payment for communications to you in conjunction with our provision, coordination, or management of your health care and related services, including our coordination or management of your health care with a third party, our consultation with other health care providers relating to your care, or if we refer you for health care, but only to the extent these communications describe: 1) a provider’s participation in the health plan’s network, 2) the extent of your covered benefits, or 3) concerning the availability of more cost-effective pharmaceuticals. We will not accept any payment for other marketing communications without your prior written authorization unless you have a chronic and seriously debilitating or life-threatening condition and we are making the communication in conjunction with our provision, coordination, or management of your health care and related services, including our coordination or management of your health care with a third party, our consultation with other health care providers relating to your care, or if we refer you for health care. If we make these types of communications to you while you have a chronic and seriously debilitating or life-threatening condition, we will tell you who is paying us, and we will also tell you how to stop these communications if you prefer not to receive them. We will not otherwise use or disclose your medical information for marketing purposes without your written authorization, and we will disclose whether we receive any payments for any marketing activity you authorize.
- Required by Law. As required by law, we will use and disclose your health information, but we will limit our use or disclosure to the relevant requirements of the law. When the law requires us to report abuse, neglect or domestic violence, or respond to judicial or administrative proceedings, or to law enforcement officials, we will further comply with the requirement set forth below concerning those activities.
- Public Health. We may, and are sometimes required by law to disclose your health information to public health authorities for purposes related to: preventing or controlling disease, injury or disability; reporting child, elder or dependent adult abuse or neglect; reporting domestic violence; reporting to the Food and Drug Administration problems with products and reactions to medications; and reporting disease or infection exposure. When we report suspected elder or dependent adult abuse or domestic violence, we will inform you or your personal representative promptly unless in our best professional judgment, we believe the notification would place you at risk of serious harm or would require informing a personal representative we believe is responsible for the abuse or harm.
- Health Oversight Activities. We may, and are sometimes required by law to disclose your health information to health oversight agencies during the course of audits, investigations, inspections, licensure and other proceedings, subject to the limitations imposed by federal and California law.
- Judicial and Administrative Proceedings. We may, and are sometimes required by law, to disclose your health information in the course of any administrative or judicial proceeding to the extent expressly authorized by a court or administrative order. We may also disclose information about you in response to a subpoena, discovery request or other lawful process if reasonable efforts have been made to notify you of the request and you have not objected, or if your objections have been resolved by a court or administrative order.
- Law Enforcement. We may, and are sometimes required by law, to disclose your health information to a law enforcement official for purposes such as identifying of locating a suspect, fugitive, material witness or missing person, complying with a court order, warrant, grand jury subpoena and other law enforcement purposes.
- Coroners. We may, and are often required by law, to disclose your health information to coroners in connection with their investigations of deaths.
- Organ or Tissue Donation. We may disclose your health information to organizations involved in procuring, banking or transplanting organs and tissues.
- Public Safety. We may, and are sometimes required by law, to disclose your health information to appropriate persons in order to prevent or lessen a serious and imminent threat to the health or safety of a particular person or the general public.
- Specialized Government Functions. We may disclose your health information for military or national security purposes or to correctional institutions or law enforcement officers that have you in their lawful custody.
- Worker’s Compensation. We may disclose your health information as necessary to comply with worker’s compensation laws. For example, to the extent your care is covered by workers’ compensation, we will make periodic reports to your employer about your condition. We are also required by law to report cases of occupational injury or occupational illness to the employer or workers’ compensation insurer.
- Change of Ownership. In the event that this medical practice is sold or merged with another organization, your health information/record will become the property of the new owner, although you will maintain the right to request that copies of your health information be transferred to another physician or medical group.
- Breach Notification. In the case of a breach of unsecured protected health information, we will notify
you as required by law. If you have provided us with a current email address, we may use email to communicate information related to the breach. In some circumstances our business associate may provide the notification. We may also provide notification by other methods as appropriate. [Note: Only use email notification if you are certain it will not contain PHI and it will not disclose inappropriate information. For example if your email address is “digestivediseaseassociates.com” an email sent with this address could, if intercepted, identify the patient and their condition.]
- Research. We may disclose your health information to researchers conducting research with respect to which your written authorization is not required as approved by an Institutional Review Board or privacy board, in compliance with governing law.
- Fundraising. We may use or disclose your demographic information and the dates that you received treatment in order to contact you for fundraising activities. If you do not want to receive these materials, notify the Privacy Officer listed at the top of this Notice of Privacy Practices and we will stop any further fundraising communications.
B. When This Medical Practice May Not Use or Disclose Your Health Information
Except as described in this Notice of Privacy Practices, this medical practice will not use or disclose health information which identifies you without your written authorization. If you do authorize this medical practice to use or disclose your health information for another purpose, you may revoke your authorization in writing at any time.
C. Your Health Information Rights
- Right to Request Special Privacy Protections. You have the right to request restrictions on certain uses and disclosures of your health information by a written request specifying what information you want to limit, and what limitations on our use or disclosure of that information you wish to have imposed. If you tell us not to disclose information to your commercial health plan concerning health care items or services for which you paid for in full out-of-pocket, we will abide by your request, unless we must disclose the information for treatment or legal reasons. We reserve the right to accept or reject any other request, and will notify you of our decision.
- Right to Request Confidential Communications. You have the right to request that you receive your health information in a specific way or at a specific location. For example, you may ask that we send information to a particular e-mail account or to your work address. We will comply with all reasonable requests submitted in writing which specify how or where you wish to receive these communications.
- Right to Inspect and Copy. You have the right to inspect and copy your health information, with limited exceptions. To access your medical information, you must submit a written request detailing what information you want access to and whether you want to inspect it or get a copy of it. We will charge a reasonable fee, as allowed by California and federal law. We may deny your request under limited circumstances. If we deny your request to access your child’s records or the records of an incapacitated adult you are representing because we believe allowing access would be reasonably likely to cause substantial harm to the patient, you will have a right to appeal our decision. If we deny your request to access your psychotherapy notes, you will have the right to have them transferred to another mental health professional. [Add if you use an electronic health record: If your written request clearly, conspicuously and specifically asks us to send you or some other person or entity an electronic copy of your medical record, and we do not deny the request as discussed above, we will send a copy of the electronic health record as you requested, and will charge you no more than what it cost us to respond to your request.]
- Right to Amend or Supplement. You have a right to request that we amend your health information that you believe is incorrect or incomplete. You must make a request to amend in writing, and include the reasons you believe the information is inaccurate or incomplete. We are not required to change your health information, and will provide you with information about this medical practice’s denial and how you can disagree with the denial. We may deny your request if we do not have the information, if we did not create the information (unless the person or entity that created the information is no longer available to make the amendment), if you would not be permitted to inspect or copy the information at issue, or if the information is accurate and complete as is. You also have the right to request that we add to your record a statement of up to 250 words concerning any statement or item you believe to be incomplete or incorrect.
- Right to an Accounting of Disclosures. You have a right to receive an accounting of disclosures of your health information made by this medical practice, except that this medical practice does not have to account for the disclosures provided to you or pursuant to your written authorization, or as described in paragraphs 1 (treatment), 2 (payment), 3 (health care operations), 6 (notification and communication with family) and 16 (specialized government functions) of Section A of this Notice of Privacy Practices or disclosures for purposes of research or public health which exclude direct patient identifiers, or which are incident to a use or disclosure otherwise permitted or authorized by law, or the disclosures to a health oversight agency or law enforcement official to the extent this medical practice has received notice from that agency or official that providing this accounting would be reasonably likely to impede their activities.
- You have a right to a paper copy of this Notice of Privacy Practices, even if you have previously requested its receipt by e-mail.
If you would like to have a more detailed explanation of these rights or if you would like to exercise one or more of these rights, contact our Privacy Officer listed at the top of this Notice of Privacy Practices.
D. Changes to this Notice of Privacy Practices
We reserve the right to amend this Notice of Privacy Practices at any time in the future. Until such amendment is made, we are required by law to comply with this Notice. After an amendment is made, the revised Notice of Privacy Protections will apply to all protected health information that we maintain, regardless of when it was created or received. We will keep a copy of the current notice posted in our reception area, and a copy will be available at each appointment.We will also post the current notice on our website, www.capaindoctors.com.
Complaints about this Notice of Privacy Practices or how this medical practice handles your health
information should be directed to our Privacy Officer listed at the top of this Notice of Privacy Practices.
If you are not satisfied with the manner in which this office handles a complaint, you may submit a formal complaint to:
Office for Civil Rights
U.S. Department of Health & Human Services 90 7th Street, Suite 4-100 San
Francisco, CA 94103
(415) 437-8310; (415) 437-8311 (TDD)
(415) 437-8329 FAX
The complaint form may be found at www.hhs.gov/ocr/privacy/hipaa/complaints/hipcomplaint.pdf. You will not be penalized for filing a complaint.
Additional Privacy Information
It is the policy of this Practice that we will adopt, maintain and comply with our Notice of Privacy Practices, which shall be consistent with HIPAA and California law.
Notice of Privacy Practices
It is the policy of this Physician Practice that a notice of privacy practices must be published, that this notice be provided to all subject individuals at the first patient encounter if possible, and that all uses and disclosures of protected health information be done in accord with this organization’s notice of privacy practices. It is the policy of this Physician Practice to post the most current notice of privacy practices in our “waiting room” area, and to have copies available for distribution at our reception desk.
Assigning Privacy and Security Responsibilities
It is the policy of this Physician Practice that specific individuals within our workforce are assigned the responsibility of implementing and maintaining the HIPAA Privacy and Security Rules’ requirements. Furthermore, it is the policy of this Physician Practice that these individuals will be provided sufficient resources and authority to fulfill their responsibilities. At a minimum it is the policy of this Physician Practice that there will be one individual or job description designated as the Privacy Official.
It is the policy of this Physician Practice that privacy protections extend to information concerning deceased individuals.
Minimum Necessary Use and Disclosure of Protected Health Information
It is the policy of this Physician Practice that for all routine and recurring uses and disclosures of protected health information (PHI) (except for uses or disclosures made 1) for treatment purposes, 2) to or as authorized by the patient or 3) as required by law for HIPAA compliance) such uses and disclosures of PHI must be limited to the minimum amount of information needed to accomplish the purpose of the use or disclosure. It is also the policy of this Physician Practice that non-routine uses and disclosures will be handled pursuant to established criteria. It is also the policy of this organization that all requests for PHI (except as specified above) must be limited to the minimum amount of information needed to accomplish the purpose of the request, and where practicable, to the limited data set.
It is the policy of this Physician Practice that any uses or disclosures of protected health information for marketing activities will be done only after a valid authorization is in effect except as permitted by law. It is the policy of this organization to consider any communication intended to induce the purchase or use of a product or service where an arrangement exists with a third party for such inducement in exchange for direct or indirect remuneration, or where this organization encourages purchase or use of a product or service directly to patients to constitute “marketing”. This organization does not consider the communication of alternate forms of treatment, or the use of products and services in treatment, or a face- to-face communication made by us to the patient, or a promotional gift of nominal value given to the patient to be marketing, unless direct or indirect remuneration is received from a third party. Similarly, this organization does not consider communication to our patients who are health plan enrollees in conjunction with our provision, coordination, or management of their health care and related services, including our coordination or management of their health care with a third party, our consultation with other health care providers relating to their care, or if we refer them for health care to be marketing, but only to the extent these communications describe: 1) a provider’s participation in the health plan’s network, 2) the extent of their covered benefits, or 3) concerning the availability of more cost-effective pharmaceuticals. This organization may make remunerated communications tailored to individual patients with chronic and seriously debilitating or life-threatening conditions provided we are making the communication in conjunction with our provision, coordination, or management of their health care and related services, including our coordination or management of their health care with a third party, our consultation with other health care providers relating to their care, or if we refer them for health care. If we makes these types of communications to patients who have a chronic and seriously debilitating or life-threatening condition, we will disclose in at least 14-point type the fact that the communication is remunerated, the name of the party remunerating us, and the fact the patient may opt out of future remunerated communications by calling a toll- free number. This organization will stop any further remunerated communications within 30 days of receiving an opt-out request.
Mental Health Records
It is the policy of this Physician Practice to require an authorization for any use or disclosure of psychotherapy notes, as defined in the HIPAA regulations, except for treatment, payment or health care operations as follows:
- Use by originator for treatment;
- Use or disclosure in defense of a legal action brought by the individual whose records are at issue; and
- Use or disclosures as required by law, or as authorized by law to enable health oversight agencies to oversee the originator of the psychotherapy notes.
It is the policy of this Physician Practice that all complaints relating to the protection of health information be investigated and resolved in a timely fashion. Furthermore, it is the policy of this Physician Practice that all complaints will be addressed to [name or job title of person authorized to handle complaints] [(i.e. Privacy Official)] who is duly authorized to investigate complaints and implement resolutions if the complaint stems from a valid area of non-compliance with the HIPAA Privacy or Security Rule.
Prohibited Activities-No Retaliation or Intimidation
It is the policy of this Physician Practice that no employee or contractor may engage in any intimidating or retaliatory acts against persons who file complaints or otherwise exercise their rights under HIPAA.
It is also the policy of this organization that no employee or contractor may condition treatment, payment, enrollment or eligibility for benefits on the provision of an authorization to disclose protected health information except as expressly authorized under the regulations.
It is the policy of this Physician Practice that the responsibility for designing and implementing procedures to implement this policy lies with the Privacy Official.
Verification of Identity
It is the policy of this Physician Practice that the identity of all persons who request access to protected health information be verified before such access is granted.
It is the policy of this Physician Practice that the effects of any unauthorized use or disclosure of protected health information be mitigated to the extent possible.
It is the policy of this Physician Practice that appropriate safeguards will be in place to reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Rule. These safeguards will include physical protection of premises and PHI, technical protection of PHI maintained electronically and administrative protection of PHI. These safeguards will extend to the oral communication of PHI. These safeguards will extend to PHI that is removed from this organization.
It is the policy of this Physician Practice that business associates must comply with the HIPAA Privacy and Security Rules to the same extent as this Physician Practice, and that they be contractually bound to protect health information to the same degree as set forth in this policy pursuant to a written business associate agreement. It is also the policy of this organization that business associates who violate their agreement will be dealt with first by an attempt to correct the problem, and if that fails by termination of the agreement and discontinuation of services by the business associate, or if that is not feasible, by notification of the HHS Secretary. Finally, it is the policy of this organization that organizations that transmit PHI to this Physician Practice or any of its business associates and require access on a routine basis to such PHI, including a Health Information Exchange Organization, a Regional Health Information Organization, or an E-prescribing Gateway, and Personal Health Record vendors, shall be business associates of this Physician Practice.
Training and Awareness
It is the policy of this Physician Practice that all members of our workforce have been trained by the compliance date on the policies and procedures governing protected health information and how this Physician Practice complies with the HIPAA Privacy and Security Rules. It is also the policy of this Physician Practice that new members of our workforce receive training on these matters within a reasonable time (you may elect to enter the exact time frame) after they have joined the workforce. It is the policy of this Physician Practice to provide training should any policy or procedure related to the HIPAA Privacy and Security Rule materially change. This training will be provided within a reasonable time (you may elect to enter the exact time frame) after the policy or procedure materially changes. Furthermore, it is the policy of this Physician Practice that training will be documented indicating participants, date and subject matter.
It is the policy of this Physician Practice that the term “material change” for the purposes of these policies is any change in our HIPAA compliance activities.
It is the policy of this Physician Practice that sanctions will be in effect for any member of the workforce who intentionally or unintentionally violates any of these policies or any procedures related to the fulfillment of these policies. Such sanctions will be recorded in the individual’s personnel file.
Retention of Records
It is the policy of this Physician Practice that the HIPAA Privacy and Security Rules’ records retention requirement of six years will be strictly adhered to. All records designated by HIPAA in this retention requirement will be maintained in a manner that allows for access within a reasonable period of time. This records retention time requirement may be extended at this organization’s discretion to meet with other governmental regulations or those requirements imposed by our professional liability carrier.
It is the policy of this Physician Practice to remain current in our compliance program with HIPAA regulations.
Cooperation with Privacy Oversight Authorities
It is the policy of this Physician Practice that oversight agencies such as the Office for Civil Rights of the Department of Health and Human Services be given full support and cooperation in their efforts to ensure the protection of health information within this organization. It is also the policy of this organization that all personnel must cooperate fully with all privacy and security compliance reviews and investigations.
Investigation and Enforcement
It is the policy of this Physician Practice that in addition to cooperation with Privacy Oversight Authorities, this Physician Practice will follow procedures to ensure that investigations are supported internally and that members of our workforce will not be retaliated against for cooperation with any authority. It is our policy to attempt to resolve all investigations and avoid any penalty phase if at all possible.