HIPAA Privacy Practices
Arc GLOW, NYSARC, Inc.
NOTICE OF PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. IT HAS BEEN UPDATED TO REFLECT CHANGES IN THE HIPAA REGULATIONS EFFECTIVE 9/23/2013. PLEASE READ IT CAREFULLY.
Arc GLOW recognizes that our relationships with current and prospective customers are based on integrity and trust. We work hard to maintain your privacy and are very careful to preserve the private nature of our relationship with you. At the same time, the very nature of our programs and services sometimes requires that we collect or share information about you with other organizations or individuals. This Notice of Privacy Practices describes how we may use and disclose your protected health information as well as your rights to access and control your protected health information. Arc GLOW restricts access to personal information about you to those individuals who need to know that information in order to provide supports and services to you. We also maintain physical, electronic, and procedural safeguards that comply with state and federal regulations to protect your personal information.
WHO WILL FOLLOW THIS NOTICE?
This Notice describes our agency’s practices and that of any health care professional authorized to enter information into your individual charts or records, all departments of the agency, including all employees, staff, volunteers, and other agency personnel, and all other entities, sites, and locations affiliated with the agency who are authorized to enter information in your clinical record or need to review your records to provide services to you.
WHAT INFORMATION IS PROTECTED?
All information we create or keep that relates to your health or care and treatment, including your name, address, birth date, social security number, your medical condition, your service or treatment plans, and other information (including photographs and other images) about your care in our programs.
OUR RESPONSIBILITY TO YOU
Arc GLOW is required by state and federal law to maintain the privacy of your health information. We are required to give you this notice of our privacy practices with respect to the health information that we collect and maintain about you. We are required to abide by the terms of this Notice of Privacy Practices.
HOW WE MAY USE AND DISCLOSE MEDICAL INFORMATION ABOUT YOU
The following categories describe different ways that we use and disclose protected health information. Not every use or disclosure in a category will be listed but all of the ways we are permitted to use and disclose information will fall within one of these categories.
We may use protected health information about you to provide you with treatment or services. We may disclose medical information about you to doctors, nurses, technicians, or other agency personnel who are involved in delivering services to you. For example, a doctor treating you for a broken leg may need to know if you have diabetes because diabetes may slow the healing process. In addition, the dietician may need to tell the Residential Department if you have diabetes so that we can coordinate your services in accordance with your needs. Different departments of the agency also may share medical information about you in order to coordinate the different things you need, such as prescriptions, lab work, follow-up care and needs assessments. We also may disclose protected health information about you to people outside the agency who may be involved in your care and services, such as family members, advocates, employers or others we use to provide services that are part of your plans of service.
We may use and disclose protected health information about you so that the treatment and services you receive from the agency may be billed to and payment may be collected from you, Medicaid, an insurance company, or a third party. For example, we may need to give your health plan information about clinic services you received at the agency so your health plan will pay us or reimburse you for the visits. We may also tell your health plan about a treatment you are going to receive to obtain prior approval or to determine whether your plan will cover the treatment.
We may use and disclose protected health information about you for agency operations. These uses and disclosures are necessary to ensure that all people receiving services receive quality care. For example, we may use medical information to review our treatment and services and to evaluate the performance of our staff in caring for you. We may also combine medical information about many people receiving services to decide what additional services the agency should offer, what services are not needed, and whether certain new programs are effective. We may also disclose information to doctors, nurses, technicians, and other agency personnel for review and learning purposes. We may also combine the protected health information we have with protected health information from other agencies to compare how we are doing and see where we can make improvements in the care and services we offer. We will remove information that identifies you from this set of medical information so others may use it to study health care and health care delivery without learning who the specific patients are.
We may use and disclose medical information to contact you by telephone or email, as a reminder that you have an appointment for treatment or services at the agency.
We may use and disclose protected health information to tell you about or recommend possible treatment options, alternatives, or other services that may be of interest to you.
We may use and disclose medical information to tell you about health-related benefits or services that may be of interest to you.
The agency must obtain your prior written authorization to use your protected health information for marketing purposes, except for a face-to-face encounter or a communication involving a promotional gift of nominal value. We may not sell your protected health information or use your health information for marketing purposes without your prior authorization.
We may use protected health information to send fundraising communications to you. We must offer you the opportunity to opt out of future fundraising communications.
We may release protected health information about you to a family member, friend, or other person you identify as being involved in your care or payment for care. In an emergency or when you are not capable of agreeing or objecting, we will use and disclose your protected health information as we determine is in your best interest. We will inform you after the emergency and give you the opportunity to object to future disclosures to family and friends. We may also give information to someone who helps pay for your care. In addition, we may disclose protected health information about you to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status and location.
We may use or disclosure your protected health information for the purposes of research when you have agreed to participate in the research and an Institutional Review Board or Privacy Committee has approved the use of the health information for the research purposes;
We will disclose protected health information about you when required to do so by federal, state or local law. We may disclose your protected health information in the course of any judicial or administrative proceeding as allowed or required by law, or as directed by court order.
We may use and disclose protected health information about you when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat. We may also disclose your protected health information to public authorities as required by law or regulation to report abuse or neglect.
We may use and disclose your protected health information to Worker’s Compensation or similar programs that provide benefits for work-related injuries or illnesses, for your compensation.
We may disclose medical information about you for public health activities. These activities generally include prevention or control of disease, injury, or disability, reporting of births, deaths, child abuse/neglect, reactions to medications/problems with products, notification to individuals regarding recall of products, and notification to an individual who may have been exposed to a disease or may be at risk for contracting or spreading a disease.
We may disclose protected health information to an oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.
We may disclose protected health information about you in the course of any administrative or judicial proceeding. If you are involved in such a proceeding, we will disclose health information if the judge or presiding officer orders us to do so.
We may release protected health information if asked to do so by a law enforcement official:
• In response to a court order, subpoena, warrant, summons or similar process;
• To identify or locate a suspect, fugitive, material witness, or missing person;
• About the victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement;
• About a death we believe may be the result of criminal conduct;
• About criminal conduct at the agency; and
• In emergency circumstances to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime.
We may release protected health information to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also release protected health information about people receiving services from the agency to funeral directors as necessary to carry out their duties.
If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release medical information about you to the correctional institution or law enforcement official. This release would be necessary (1) for the institution to provide you with health care; (2) to protect your health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution.
YOUR AUTHORIZATION PRIOR TO DISCLOSURE IS REQUIRED IN SOME CASES
The law requires your prior written authorization in the following cases. Not every use or disclosure in a category will be listed.
We may use and disclose most psychotherapy notes, where appropriate, only with your prior authorization.
We may use and disclose protected health information for marketing purposes or for disclosures constituting a sale of protected health information only with your prior authorization.
Under New York State Law, confidential HIV-related information (information concerning whether or not you have had an HIV-related test, or have HIV infection, HIV-related illness, or AIDS, or which could indicate that a person has been potentially exposed to HIV), cannot be disclosed except to those people you authorize it writing to have it.
Other uses and disclosures of protected health information not covered by this notice or the laws that apply to us will be made only with your written authorization. If you provide us authorization to use or disclose protected health information about you, you may revoke that authorization, in writing, at any time. If you revoke your authorization, we will no longer use or disclose protected health information about you for the reasons covered by your written authorization.
YOUR RIGHTS REGARDING MEDICAL INFORMATION ABOUT YOU
You have the following rights regarding medical information we maintain about
You have the right to inspect and copy protected health information that may be used to make decisions about your care. Usually, this includes medical and billing records, but does not include psychotherapy notes. If we maintain electronic health records, you have the right to obtain an electronic copy of your records. You may also, by written request, ask us to send your health information directly to another party.
To inspect and copy protected health information that may be used to make decisions about you, you must submit your request in writing to HIPAA Privacy Officer (Director of Corporate Compliance), 18 Main St. Mt. Morris, NY 14510. If you request a copy of the information, we may charge a fee for the costs of copying, mailing or other supplies associated with your request.
We may deny your request to inspect and copy in certain very limited circumstances. If you are denied access to protected health information, you may request that the denial be reviewed. Another professional chosen by the agency will review your request and the denial. The person conducting the review will not be the person who denied your request. We will comply with the outcome of the review.
If you feel that protected health information we have about you is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept by or for the agency.
To request an amendment, your request must be made in writing and submitted to HIPAA Privacy Officer, 18 Main St. Mt. Morris, NY 14510. In addition, you must provide a reason that supports your request.
We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend information that:
• Was not created by us
• Is not part of the protected health information kept by or for the agency;
• Is not part of the information which you would be permitted to inspect and copy; or
• Is accurate and complete.
You have the right to request an “accounting of disclosures.” This is a list of the disclosures we made of medical information about you, excluding information used for treatment, health care operations and payment, or disclosures made to you or made to others with your permission.
To request this list or accounting of disclosures, you must submit your request in writing to HIPAA Privacy Officer, 18 Main St. Mt. Morris, NY 14510. Your request must state a time period, which may not be longer than six years and may not include dates before April 14, 2003. Your request should indicate in what form you want the list (for example, on paper, electronically). The first list you request within a 12-month period will be free. For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred.
You have the right to request a restriction or limitation on the protected health information we use or disclose about you for treatment, payment or health care operations. You also have the right to request a limit on the protected health information we disclose about you to someone who is involved in your care or the payment for your care, like a family member or friend. For example, you could ask that we not use or disclose information about a clinic appointment you had.
We are not required to agree to your request. If we do agree, we will comply with your request unless the information is needed to provide you emergency treatment.
We are required to agree to any request by you to restrict disclosure of protected health information to a health plan if the disclosure is for payment or health care operations and pertains to a health care item or service for which you have paid out of pocket in full.
To request restrictions, you must make your request in writing to HIPAA Privacy Officer, 18 Main St. Mt. Morris, NY 14510. In your request, you must tell us (1) what information you want to limit; (2) whether you want to limit our use, disclosure or both; and (3) to whom you want the limits to apply, for example, disclosures to your spouse.
You have the right to be notified following a breach of your unsecured health information. We are required to notify you if your protected health information has been (or is reasonably believed to have been) accessed, acquired, or disclosed due to a breach. Our business associates have a similar duty to provide notification of health information breaches.
You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail. Your request must specify how or where you wish to be contacted.
To request confidential communications, you must make your request in writing to HIPAA Privacy Officer, 18 Main St. Mt. Morris, NY 14510. We will not ask you the reason for your request. We will accommodate all reasonable requests.
You have a right to obtain a paper copy of this Notice. Copies are available at our agency and upon request.
CHANGES TO THIS NOTICE
We reserve the right to change this notice. We reserve the right to make the revised or changed notice effective for protected health information that we already have about you as well as any information we receive in the future. We will post the new notice with the effective date at our agency and on our website at http://www.arcglow.org
If you believe your privacy rights have been violated, you may file a complaint with the Privacy Officer for the agency or with the Secretary of the United States Department of Health and Human Services. All complaints must be submitted in writing.
To file a complaint with the agency, contact:
Privacy Officer (Director of Corporate Compliance)
18 Main St.
Mt. Morris, NY 14510
To file a complaint with the US Department of Health and Human Services, contact:
US Department of Health and Human Services, Hubert H. Humphrey Building
200 Independence Avenue, S.W.
Washington, DC 20201
We will never retaliate against anyone for filing a complaint.
If you have questions, would like additional information or assistance, or want to report a problem regarding the handling of your information, please contact the HIPAA Privacy Officer (Director of Corporate Compliance) at 585-658-2828 during our normal business hours. Or you may contact the Privacy Officer in writing at: 18 Main St., Mt. Morris, NY 14510.