The Health Information Portability and Accountability Act of 1996 (HIPAA) requires all health care entities to develop and document security programs to guard Protected Health Information (PHI) against loss or unauthorized disclosure. HIPAA clearly stresses that these security measures must be “reasonable and appropriate” in nature. This legislation also specifies a series of administrative, technical and physical security practices and procedures for agencies to use that will assure the confidentiality of electronic protected health information.
Woodfords Family Services is also required by HIPAA to maintain the privacy of your protected health information, and to provide you with a notice of Woodfords’ privacy practices. Protected Health Information (PHI) includes any information which makes it possible to identify an individual. This includes direct information such as name, address, telephone number, social security number and birth date, or indirect information such as diagnosis which can be used to reasonably conclude the identity of an individual.
In order to comply with HIPAA, Woodfords has incorporated the federal and Maine State requirements into its Confidentiality practices. This includes providing protections in the transmission of PHI via email, cell phone or by fax. Agency staff ensure that consumers and/or their legally-responsible persons are able to make reasoned decisions around transmission of PHI in a manner that is easily understood and includes all the risks and benefits of services. Consumers and legally responsible persons are informed about the laws, rights and regulations that protect their PHI and are given a written summary of this information as part of the Notice of Privacy Practices.
Notice of Privacy Practices
This Notice of Privacy Practices describes how protected health information (PHI) about you may be used and disclosed, and how you can get access to this information. Please review it carefully.
Introduction: Woodfords Family Services is required by law to maintain the privacy of your protected health information (PHI) and to provide you with a notice of Woodfords’ privacy practices. While we are required to abide by the terms of the notice that is currently in effect, Woodfords reserves the right to change our privacy practices at any time. If Woodfords’ privacy practices change, we will provide you with a revised notice or you may obtain a copy any time by contacting the main office.
A. OUR COMMITMENT TO YOUR PRIVACY
Woodfords Family Services uses your health information for your treatment, to obtain payment for treatment, for administrative purposes, and to evaluate the quality of care that you require. Your health information is maintained in a record that is the physical property of Woodfords. Woodfords Family Services has a duty to maintain the privacy of your protected health information (PHI) and to provide you with a notice of our legal duties and privacy practices with respect to your health information. While we are required to abide by the terms of this notice while it is in effect, Woodfords reserves the right to change our privacy practices at any time and to make new provisions effective for all PHI we maintain. If we make important changes to this notice, we will provide you with a new notice. You may also obtain a copy any time by contacting the main office.
PHI is health information, including demographic information such as your name, address, telephone number, social security number, birth date and gender, as well as past, present or future information about your or your child’s physical, developmental or mental health condition, and information about the services provided to you, including payment information, if any of that information may be used to identify you.
This Notice describes how Woodfords may use and disclose PHI. It also advises you of your rights to access and control your PHI.
B. WE MAY USE AND DISCLOSE YOUR PROTECTED HEALTH INFORMATION IN THE FOLLOWING WAYS:
The following categories describe the different ways in which we may use and disclose your PHI:
Treatment. We may use and disclose your PHI to provide you with health care treatment or services, including your treatment options. For example, we may use your PHI to assist in your treatment.
Payment. We may use and disclose your PHI in order to bill and collect payment for the treatment and services you receive from us. For example, we may contact your health insurer to certify that you are eligible for benefits, and we may provide your insurer with details regarding your treatment to determine if your insurer will cover, or pay for, the treatment.
Health Care Operations. We may use and disclose your PHI to assist in the operation of Woodfords in certain circumstances. For example, we may use your PHI to evaluate the quality of care you receive from us, or to conduct cost-management and business-planning activities.
Business Associates. We sometimes contract with third-party business associates for services. Examples include medical transcriptionists, answering services, billing services, consultants and legal counsel. We may disclose your PHI to our business associates so that they can perform the job we have asked them to do. To protect your PHI, we require our business associates to appropriately safeguard your information.
Appointment Reminders. We may use and disclose your PHI to contact you to remind you about an appointment. You may request that we provide such reminders only in a certain way or only at a certain place. We will try to accommodate reasonable requests.
Release of Information to Family/Friends. We may disclose your PHI to a family member, close friend or other person you identify, to the extent the information is relevant to that person’s involvement in your care or payment related to your care. We will provide you with an opportunity to object to such a disclosure whenever it is reasonably practicable for us to do so. We may generally disclose the health information of minor children to their parents or guardians unless such disclosure is otherwise prohibited by law.
Disclosure Required by Law. We may disclose your PHI as required by federal, state or local law.
De-identified Information. We may use your PHI to create de-identified information or we may disclose your information to a business associate so that the business associate can create de-identified information on our behalf. When we de-identify health information, we remove information that identifies you as the source of the information.
Limited Data Set. We may use and disclose a limited data set that does not contain specific readily identifiable information about you for research, public health and health care operations. We may not disclose the limited data set unless we enter into a data use agreement with the recipient in which the recipient agrees to limit the use of that data set to the purposes for which it was provided, ensure the security of the data and not identify the information or use it to contact any individual.
Health Related Benefits and Services. We may use and disclose PHI to tell you about health-related benefits or services that may be of interest to you. In face-to-face communications, such as appointments with your care provider, we may tell you about other products or services that may be of interest to you.
Newsletters and Other Communications. We may disclose your PHI in order to communicate to you via newsletters, mailings or other means regarding treatment options, health-related information, disease management programs, wellness programs or other community-based initiatives or activities in which we are participating.
Marketing. In most circumstances, we are required by law to receive your written authorization before we use or disclose your health information for marketing purposes. However, we may provide you with promotional gifts of nominal value. We do not sell or license your PHI.
Fundraising. We may use and disclose your PHI to contact you as part of a fundraising effort relating to Woodfords. You have the right to “opt out” of receiving fundraising communications by following the opt out instructions on the communication or contacting our Privacy Officer and making a request to opt out of receiving fundraising communications.
C. USE AND DISCLOSURE OF YOUR PHI IN CERTAIN SPECIAL CIRCUMSTANCES
The following categories describe special circumstances in which we may use or disclose your PHI:
Public Health Risks. We may disclose your PHI to public health authorities that are authorized by law to collect information for purposes that include maintaining vital records, such as births and deaths, reporting child abuse or neglect, and preventing or controlling disease, injury or disability.
Health Oversight Activities. We may disclose your PHI as part of health oversight activities as authorized by law. These activities include investigations and audits to monitor government programs and the health care system in general.
Mental Health Information and HIV Infection Status. State law protects the confidentiality of certain mental health information and HIV infection status. We may not disclose any information regarding HIV infection status or certain mental health information without your written consent except as required by law.
Lawsuits and Similar Proceedings. We may use and disclose your PHI in a court or administrative proceeding in response to an order expressly directing disclosure and, in certain circumstances, in response to a subpoena, discovery request or other lawful process.
Law Enforcement. We may release PHI if asked to do so by a law enforcement official in certain circumstances regarding a crime victim when authorized by law, concerning a death we believe has resulted from criminal conduct when authorized or required by law, regarding criminal conduct at our offices, and in response to a warrant, summons, court order or similar legal process.
Deceased Patients. We may release PHI to a medical examiner, coroner or funeral director as required by law to enable them to carry out their lawful duties.
Organ and Tissue Donation. If you are an organ donor, we may release your PHI to organizations that handle organ, eye or tissue procurement or transplantation, including organ donation banks, as necessary, to facilitate organ or tissue donation and transplantation.
Research. We may use and disclose your PHI for research purposes in certain limited circumstances. We will obtain your written authorization to use your PHI for research purposes in accordance with applicable law.
Threats to Health or Safety. We may use and disclose your PHI when necessary to reduce or prevent a serious threat to your health and safety or the health and safety of another individual or the public. Under these circumstances, we will only make disclosures to a person or organization able to help prevent the threat.
Government Functions. We may disclose your PHI if you are a member of United States or foreign military forces (including veterans) and if required by the appropriate authorities. We may disclose your PHI to federal officials for intelligence and national security activities authorized by law.
Inmates. We may disclose your PHI to correctional institutions or law enforcement officials if you are an inmate or under the custody of a law enforcement official. Disclosure for these purposes would be necessary for the institution to provide health care services to you, for the safety and security of the institution, and/or to protect your health and safety or the health and safety of other individuals.
Workers’ Compensation. We may disclose your PHI to the extent authorized by and necessary to comply with laws relating to workers’ compensation and similar programs.
D. YOUR HEALTH INFORMATION RIGHTS
You have the following rights regarding the PHI that we maintain about you:
Confidential Communications. You have the right to request that we communicate with you about your health and related issues in a particular manner or at a certain location. The request must be made in writing to the Privacy Officer specifying the requested method of contact, or the location where you wish to be contacted. Please call (207) 878-9663 for more information.
Requesting Restrictions. You have the right to request a restriction on our use or disclosure of your PHI for treatment, payment or health care operations. If you paid out-of-pocket in full for a health care service or item provided by Woodfords, you have the right to restrict disclosure of your PHI to your health plan for purposes of payment or health care operations, and we are required to honor this request.
To request a restriction on our disclosure of your PHI, you must make your request in writing to the Privacy Officer. Please call (207) 878-9663 for more information.
Inspection and Copies. You have the right to inspect and obtain a copy of your PHI that may be used to make decisions about you, including your medical records and billing records, but not including psychotherapy notes. You must submit a request in writing to the Privacy Officer in order to inspect and/or obtain a copy of your PHI. Please call (207) 878-9663 for more information. If your information is maintained in an electronic health record, you also have the right to request that an electronic copy of your record be sent to you or to another individual or entity. We may charge a reasonable fee.
Amendment. You may ask us to amend your health information if you believe it is incorrect or incomplete, and may request an amendment for as long as the information is kept by or for Woodfords. To request an amendment, you must submit your request in writing to the Privacy Officer. Please call (207) 878-9663 for more information.
Accounting of Disclosures. You have the right to request an “accounting of disclosures.” An accounting of disclosures is a list of certain disclosures we have made of your PHI. In your accounting, we are not required to list certain disclosures, including:
- Disclosures made for treatment, payment and health care operations purposes or disclosures made incident to treatment, payment and health care operations, unless the disclosures were made through an electronic health record. If the disclosures were made through an electronic health record, you have the right to request an accounting of disclosures for treatment, payment and health care operations during the previous three years.
- Disclosures made pursuant to your authorization.
- Disclosures made to create a limited data set.
- Disclosures made directly to you.
To request an accounting of disclosures, you must submit your request in writing to the Privacy Officer. Please call (207) 878-9663 for more information.
Right to a Paper Copy of this Notice. If you received this Notice in electronic format and you would like to receive a paper copy, please contact the Privacy Officer at (207) 878-9663.
Right to Provide an Authorization for Other Uses and Disclosures. We will obtain your written authorization for uses and disclosures that are not identified by this Notice or permitted by applicable law. Any authorization you provide us regarding the use and disclosure of your PHI may be revoked at any time in writing. Once an authorization is revoked, we will no longer use or disclose your PHI for the reasons described in the authorization. Please note: we are required to retain records of your care.
Right to Receive Notice of a Breach. We are required to notify you by first-class mail or by email (if you have indicated a preference to receive information by email) of any breaches of Unsecured Protected Health Information as soon as possible, but in any event, not later than 60 days following the discovery of the breach. “Unsecured Protected Health Information” is information that is not secured through the use of a technology or methodology identified by the Secretary of the Department of Health and Human Services to render the PHI unusable, unreadable and indecipherable to unauthorized users. The notice is required to include the following information:
- A brief description of the breach, including the date of the breach and the date of its discovery, if known.
- A description of the type of Unsecured Protected Health Information involved in the breach.
- Steps you should take to protect yourself from potential harm resulting from the breach.
- A brief description of actions we are taking to investigate the breach, mitigate losses and protect against further breaches.
- Contact information, including a toll-free telephone number, email address, website or postal address to permit you to ask questions or obtain additional information.
In the event the breach involves 10 or more patients whose contact information is out of date, we will post a notice of the breach on the home page of our website or in major print or broadcast media. If the breach involves more than 500 patients in the state or jurisdiction, we are required to immediately notify the Secretary of the Department of Health and Human Services. We are also required to submit an annual report to the Secretary of the Department of Health and Human Services of a breach that involved fewer than 500 patients during the year and will maintain a written log of breaches involving fewer than 500 patients.
Complaints. If you believe your privacy rights have been violated, you may file a complaint with us or with the Secretary of the Department of Health and Human Services, 200 Independence Avenue, S.W., Washington, D.C. 20201. To file a complaint with us, contact the Privacy Officer at the address above. All complaints must be submitted in writing and should be submitted within 180 days of when you knew or should have known that the alleged violation occurred. See the Office of Civil Rights website, www.hhs.gov/ocr/hipaa for more information. You will not be penalized for filing a complaint.
E. EFFECTIVE DATE OF NOTICE
This notice was published and originally became effective on April 14, 2003.
If you have any questions about this Notice of Privacy Practices, please contact Privacy Officer Sandra L. Hayward, MBA, Director of Quality Improvement, at PO Box 1768, Portland, ME 04104-1768.
Woodfords is accredited by the Council on Accreditation (COA), whose program of quality improvement is designed to identify providers that have met high performance standards and have made a commitment to their stakeholders to deliver the very best quality services.