FLORIDA EYE CLINIC - NOTICE OF PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
PLEASE REVIEW IT CAREFULLY
In fulfillment of one of the HIPAA requirements, FEC has prepared and implemented a Patient Confidentiality Policy. This notice is a component of that policy. As a covered entity, we are required to inform you of your rights. We are also required to obtain your signature indicating that we have informed you. Thank you for your cooperation.
The U.S. Department of Health and Human Services (HHS) has issued the final rules for protecting the privacy of individually identifiable health information. The rules were issued pursuant to provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Effective September 23, 2009, a new HIPAA Breach Notification Rule (Rule) was created as a component of the American Recovery and Reinvestment Act of 2009. This Rule concerns the unauthorized acquisition, access, use, or disclosure of unsecured patient protected health information (PHI) as a result of a security breach.
Effective March 26, 2013, the (HIPAA/HITECH) Final Omnibus Rule, §164.520(b)(1)(ii)(E), adopted modifications, which require certain additional statements in this document regarding uses and disclosures that require authorization.
The final rules cover health plans, health clearinghouses (i.e., entities that process health information received from a covered entity), and healthcare providers, like FEC, that conduct certain financial and administrative transactions electronically (e.g., electronic billing and funds transfer).
The regulations cover all medical records and any other individually identifiable health information, whether communicated electronically, on paper, or orally. The rules do not apply to information that contains no identifying information, or information that has been altered so as not to identify the individual about whom the information applies.
Limits on Use and Release of Protected Information
Protected patient information generally can only be used or disclosed for purposes of healthcare treatment (e.g., documenting and referring to patient information in a medical record, sharing patient information with referring doctors, etc.), payment (i.e., submitting claims to Medicare/Medicaid or private insurance companies), and operations (i.e., internal accounting and record keeping) pursuant to a general advance consent from the patient, except for disclosures to the patient or the patient’s personal representative, emergencies, and other limited exceptions discussed below.
Permitted Uses and Disclosures
The privacy standard identifies certain permissible uses and disclosures, without the need to obtain written consent or authorization from a patient. The following are permissible uses and disclosures:
- Oversight of the healthcare system, including quality assurance activities.
- Public health.
- Research, generally limited to when a waiver of authorization is independently provided by a privacy board or institutional review board.
- Certain marketing and fund-raising activities, as long as individuals targeted by such activities are given the opportunity to opt out from receiving future communications.
- Judicial or administrative proceedings.
- Certain law enforcement activities.
- Information on abuse, neglect, or domestic violence victims.
- Decedent information.
- Cadaveric, organ, eye, or tissue donation purposes.
- To avert a serious threat to health or safety.
- For specialized government functions (such as military, national security, intelligence).
- Workers’ compensation (state law dictates disclosure requirements).
Other uses and disclosures not described above, including but not limited to psychotherapy notes, most uses and disclosures of PHI for marketing purposes, and most sales of PHI, will require prior authorization by you.
Prohibition on the Sale of Protected Health Information
FEC and its business associates shall not directly or indirectly receive compensation in exchange for any patient PHI, except as provided below; and, only if FEC obtains valid patient authorization that states whether the PHI can be further compensated by the entity receiving that patient PHI.
The paragraph above shall not apply when the purpose of the exchange is:
- For public health activities
- For research and the price charged reflects the costs of preparation and transmittal of the data for that purpose.
- For patient treatment
- For business management purposes specifically related to the sale, transfer, merger, or consolidation of all or part of FEC with another covered entity, or an entity that following such activity will become the covered entity.
- For remuneration that is provided by FEC to a business associate for activities involving the exchange of PHI
- To provide you with copies of your PHI
- Otherwise determined by the Secretary in regulations to be similarly necessary and appropriate as the exceptions above.
- Patients must be able to see and obtain copies of their records and to request changes. They are also entitled to receive an accounting of disclosures of their PHI (must be in writing) other than disclosures related to treatment, payment, and healthcare operations, and subject to certain other exceptions. Requests for access to records and accountings of disclosure will be acted upon within timeframes allowed by HIPAA regulations. The patient may be charged for any copying and mailing costs up to the statutory limit.
- Patients have the right to request restrictions on the uses and disclosures of their information. FEC doctors will make the final determination as to whether or not to comply with such requests, but if they do, they must consistently comply with and document such restrictions.
- Patients have a right to request changes to their medical records. Such requests may be denied for the following reasons:
  - The information the patient wants amended was not created by someone in the practice;
  - The individual/entity that created the information is no longer available to make the amendment;
  - The information is not part of the medical record kept by the practice;
  - The information is not part of the medical record that a patient is permitted to inspect and copy; or
  - The practice believes the information is correct and accurate as is.
- Patients have the right to complain to FEC or to the Secretary of Health and Human Services about violations of the rules or the policies and procedures of FEC. Patients will not be penalized for filing such complaints.
- Patients have the right to request that FEC confidentially communicate health information to them by alternative means or at alternative locations. FEC must comply with such requests if they are reasonable.
- Patients have the right to revoke any consent or authorization previously provided to FEC. A request for this must be in writing and sent or given to FEC’s privacy officer.
It is the treating FEC physician’s prerogative to accept or deny the patient’s request.
In compliance with the (HIPAA/HITECH) Final Omnibus Rule discussed under History above, and to the extent that these requirements apply to FEC operations, you have the right to:
- Restrict certain disclosures of PHI to a health plan where you pay out of pocket in full for a healthcare item or service.
- Opt out of receiving any fundraising communications.
- Request an electronic copy of PHI, provided that it is maintained electronically. For this purpose, FEC must provide you with access to the electronic information in the electronic form and format requested by you if it is readily producible or, if not, in a readable electronic form and format as agreed to by you and FEC.
- Request FEC to transmit a copy of your PHI directly to another person designated by you. The request must be made in writing, signed by you, and clearly identify the designated person and where to send the copy. This written request is distinct from FEC's Authorization for Use & Disclosure of Patient-Identifiable Health Information, which has additional required elements and must also be completed and signed.
In compliance with the HIPAA Breach Notification Rule discussed under History above, FEC will take appropriate steps to determine any unauthorized acquisition, access, use, or disclosure of unsecured PHI caused by security breaches. Once a security breach has been determined, FEC, through its Privacy and Security Officer, will determine the nature of the breach, what steps will be taken to prevent such a breach from reoccurring, and take appropriate steps to notify those individuals or entities specified in the Rule.
HIPAA regulations permit covered entities like FEC to change terms of this notice. In the event changes occur, notice of such changes will be visibly posted in each FEC practice location. You may request a copy of the notice that incorporates the changes.
The regulations require that covered entities, like FEC, appoint a Privacy Officer. In keeping with this requirement, the FEC Board of Directors has appointed Sondra Hoffman, COE, CPC, CMPE, OCS in this capacity. She may be reached at 160 Boston Avenue, Altamonte Springs, FL 32701 or by calling 407-915-0485 extension 102.
*All requests for access and/or amendment to Protected Health Information (PHI) must be in writing. This written request must be addressed to the Privacy Officer referenced above.