Notice of HIPAA Privacy Practice
Last Modified: May 21, 2020
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
We are required by law to protect the privacy of health information that may reveal your identity, and to provide you with a copy of this notice, which describes the health information privacy practices of our medical group, its medical staff and affiliated health care providers who jointly perform health care services with our medical group, including physicians and physician groups who provide services at our facilities. A copy of our current notice will always be posted at all registration and/or admission points, including in the main reception area. You will also be able to obtain your own copies by accessing our website at www.firefly.health or emailing the Privacy Officer: Brian Lynch at firstname.lastname@example.org.
If you have any questions about this notice or would like further information, please contact the above referenced individual.
WHAT HEALTH INFORMATION IS PROTECTED
We are committed to protecting the privacy of information we gather about you while providing health-related services. Some examples of protected health information include information indicating that you are a patient of our medical group or receiving health-related services from our facilities, information about your health condition, genetic information, or information about your health care benefits under an insurance plan, each when combined with identifying information, such as your name, address, social security number or phone number.
REQUIREMENT FOR WRITTEN AUTHORIZATION
Generally, we will obtain your written authorization before using your health information or sharing it with others outside of our medical group. There are certain situations where we must obtain your written authorization before using your health information or sharing it, including:
- Most Uses of Psychotherapy Notes: when appropriate.
- Marketing: We may not disclose any of your health information for marketing purposes if our medical group will receive direct or indirect financial payment not reasonably related to our medical group’s cost of making the communication.
- Sale of Protected Health Information: We will not sell your protected health information to third parties. The sale of protected health information, however, does not include a disclosure for public health purposes, for research purposes where our medical group will only receive payment for our costs to prepare and transmit the health information, for treatment and payment purposes, for the sale, transfer, merger or consolidation of all or part of our medical group, for a business associate or its subcontractor to perform health care functions on our medical group’s behalf, or for other purposes as required and permitted by law.
If you provide us with written authorization, you may revoke that written authorization at any time, except to the extent that we have already relied upon it. To revoke a written authorization, please write to the Privacy Officer at our medical group. You may also initiate the transfer of your records to another person by completing a written authorization form.
HOW WE MAY USE AND DISCLOSE YOUR HEALTH INFORMATION WITHOUT YOUR WRITTEN AUTHORIZATION
There are some situations when we do not need your written authorization before using your health information or sharing it with others, including:
Treatment, Payment and Health Care Operations.
- Treatment: We may share your health information with providers at the medical group who are involved in taking care of you, and they may in turn use that information to diagnose or treat you. A provider in our medical group may share your health information with another provider to determine how to diagnose or treat you. Your provider may also share your health information with another provider to whom you have been referred for further health care.
- Payment: We may use your health information or share it with others so that we may obtain payment for your health care services. For example, we may share information about you with your health insurance company in order to obtain reimbursement after we have treated you. In some cases, we may share information about you with your health insurance company to determine whether it will cover your treatment.
- Health Care Operations: We may use your health information or share it with others in order to conduct our business operations. For example, we may use your health information to evaluate the performance of our staff in caring for you, or to educate our staff on how to improve the care they provide for you.
Appointment Reminders, Treatment Alternatives, Benefits and Services. In the course of providing treatment to you, we may use your health information to contact you with a reminder that you have an appointment for treatment, services or refills or in order to recommend possible treatment alternatives or health-related benefits and services that may be of interest to you.
Business Associates. We may disclose your health information to contractors, agents and other “business associates” who need the information in order to assist us with obtaining payment or carrying out our business operations. For example, we may share your health information with a billing company that helps us to obtain payment from your insurance company, or we may share your health information with an accounting firm or law firm that provides professional advice to us. Business associates are required by law to abide by the HIPAA regulations. If we do disclose your health information to a business associate, we will have a written contract to ensure that our business associate also protects the privacy of your health information. If our business associate discloses your health information to a subcontractor or vendor, the business associate will have a written contract to ensure that the subcontractor or vendor also protects the privacy of the information.
Friends and Family Designated to be Involved in Your Care. If you have not voiced an objection, we may share your health information with a family member, relative, or close personal friend who is involved in your care or payment for your care, including following your death.
Proof of Immunization. We may disclose proof a child’s immunization to a school, about a child who is a student or prospective student of the school, as required by State or other law, if a parent, guardian, other person acting in loco parentis, or an emancipated minor, authorizes us to do so, but we do not need written authorization. The authorization may be oral.
Emergencies or Public Need.
- Emergencies or as Required by Law: We may use or disclose your health information if you need emergency treatment or if we are required by law to treat you. We may use or disclose your health information if we are required by law to do so, and we will notify you of these uses and disclosures if notice is required by law.
- Public Health Activities: We may disclose your health information to authorized public health officials (or a foreign government agency collaborating with such officials) so they may carry out their public health activities under law, such as controlling disease or public health hazards. We may also disclose your health information to a person who may have been exposed to a communicable disease or be at risk for contracting or spreading the disease if permitted by law. We may disclose a child’s proof of immunization to a school, if required by State or other law, if we obtain and document the agreement for disclosure (which may be oral) from the parent, guardian, person acting in loco parentis, an emancipated minor or an adult. And finally, we may release some health information about you to your employer if your employer hires us to provide you with a physical exam and we discover that you have a work related injury or disease that your employer must know about in order to comply with employment laws.
- Victims of Abuse, Neglect or Domestic Violence: We may release your health information to a public health authority authorized to receive reports of abuse, neglect or domestic violence.
- Health Oversight Activities: We may release your health information to government agencies authorized to conduct audits, investigations, and inspections of our facilities. These government agencies monitor the operation of the health care system, government benefit programs such as Medicare and Medicaid, and compliance with government regulatory programs and civil rights laws.
- Lawsuits and Disputes: We may disclose your health information if we are ordered to do so by a court or administrative tribunal that is handling a lawsuit or other dispute. We may also disclose your information in response to a subpoena, discovery request, or other lawful request by someone else involved in the dispute, but only if required judicial or other approval or necessary authorization is obtained.
- Law Enforcement: We may disclose your health information to law enforcement officials for certain reasons, such as complying with court orders, assisting in the identification of fugitives or the location of missing persons, if we suspect that your death resulted from a crime, or if necessary, to report a crime that occurred on our property or off-site in a medical emergency.
- To Avert a Serious and Imminent Threat to Health or Safety: We may use your health information or share it with others when necessary to prevent a serious and imminent threat to your health or safety, or the health or safety of another person or the public. In such cases, we will only share your information with someone able to help prevent the threat. We may also disclose your health information to law enforcement officers if you tell us that you participated in a violent crime that may have caused serious physical harm to another person (unless you admitted that fact while in counseling), or if we determine that you escaped from lawful custody (such as a prison or mental health institution).
- National Security and Intelligence Activities or Protective Services: We may disclose your health information to authorized federal officials who are conducting national security and intelligence activities or providing protective services to the President or other important officials.
- Military and Veterans: If you are in the Armed Forces, we may disclose health information about you to appropriate military command authorities for activities they deem necessary to carry out their military mission. We may also release health information about foreign military personnel to the appropriate foreign military authority.
- Inmates and Correctional Institutions: If you are an inmate or you are detained by a law enforcement officer, we may disclose your health information to the prison officers or law enforcement officers if necessary to provide you with health care, or to maintain safety, security and good order at the place where you are confined. This includes sharing information that is necessary to protect the health and safety of other inmates or persons involved in supervising or transporting inmates.
- Workers’ Compensation: We may disclose your health information for workers’ compensation or similar programs that provide benefits for work-related injuries.
- Coroners, Medical Examiners and Funeral Directors. In the event of your death, we may disclose your health information to a coroner or medical examiner. We may also release this information to funeral directors as necessary to carry out their duties.
- Organ and Tissue Donation: In the event of your death or impending death, we may disclose your health information to organizations that procure or store organs, eyes or other tissues so that these organizations may investigate whether donation or transplantation is possible under applicable laws.
Completely De-identified or Partially De-identified Information: We may use and disclose your health information if we have removed any information that has the potential to identify you so that the health information is “completely de-identified.” We may also use and disclose “partially de-identified” health information about you if the person who will receive the information signs an agreement to protect the privacy of the information as required by federal and state law. Partially de-identified health information will not contain any information that would directly identify you (such as your name, street address, social security number, phone number, fax number, electronic mail address, website address, or license number).
Incidental Disclosures: While we will take reasonable steps to safeguard the privacy of your health information, certain disclosures of your health information may occur during or as an unavoidable result of our otherwise permissible uses or disclosures of your health information. For example, during the course of a treatment session, other patients in the treatment area may see, or overhear discussion of, your health information.
Fundraising: We may use or disclose your demographic information, including, name, address, other contact information, age, gender, and date of birth, dates of health service information, department of service information, treating physician, outcome information, and health insurance status for fundraising purposes. With each fundraising communication made to you, you will have the opportunity to opt-out of receiving any further fundraising communications. We will also provide you with an opportunity to opt back in to receive such communications if you should choose to do so.
Changes to This Notice: We reserve the right to change this notice at any time and to make the revised or changed notice effective in the future.
YOUR RIGHTS TO ACCESS AND CONTROL YOUR HEALTH INFORMATION
You have the following rights to access and control your health information:
- Right to Inspect and Copy Records: You have the right to inspect and obtain a copy of any of your health information that may be used to make decisions about you and your treatment for as long as we maintain this information in our records, including medical and billing records. To inspect or obtain a copy of your health information, please submit your request in writing to the Privacy Officer. If you request a copy of the information, we may charge a fee for the costs of copying, mailing or other supplies we use to fulfill your request. If you would like an electronic copy of your health information, we will provide you a copy in electronic form and format as requested as long as we can readily produce such information in the form requested. Otherwise, we will cooperate with you to provide a readable electronic form and format as agreed. In some limited circumstances, we may deny the request.
- Right to Amend Records. If you believe that the health information we have about you is incorrect or incomplete, you may ask us to amend the information for as long as the information is kept in our records by writing to us. Your request should include the reasons why you think we should make the amendment. If we deny any part of or your entire request, we will provide a written notice that explains our reasons for doing so. You will have the right to have certain information related to your requested amendment included in your records.
- Right to an Accounting of Disclosures: You have a right to request an “accounting of disclosures,” which is a list with information about how we have shared your health information with others. To obtain a request form for an accounting of disclosures, please write to the Privacy Officer. You have a right to receive one list every 12-month period for free. However, we may charge you for the cost of providing any additional lists in that same 12-month period.
- Right to Receive Notification of a Breach: You have the right to be notified within sixty (60) days of the discovery of a breach of your unsecured protected health information if there is more than a low probability the information has been compromised. The notice will include a description of what happened, including the date, the type of information involved in the breach, steps you should take to protect yourself from potential harm, a brief description of the investigation into the breach, mitigation of harm to you and protection against further breaches and contact procedures to answer your questions.
Right to Request Restrictions: You have the right to request that we further restrict the way we use and disclose your health information to treat your condition, collect payment for that treatment, run our normal business operations or disclose information about you to family or friends involved in your care. You also have the right to request that your health information not be disclosed to a health plan if you have paid for the services out of pocket and in full, and the disclosure is not otherwise required by law. The request for restriction will only be applicable to that particular service. You will have to request a restriction for each service thereafter. To request restrictions, please write to the Privacy Officer. We are not required to agree to your request for a restriction, and in some cases the restriction you request may not be permitted under law. However, if we do agree, we will be bound by our agreement unless the information is needed to provide you with emergency treatment or comply with the law. Once we have agreed to a restriction, you have the
- Right to revoke the restriction at any time. Under some circumstances, we will also have the right to revoke the restriction as long as we notify you before doing so.
- Right to Request Confidential Communications: You have the right to request that we contact you about your medical matters in a more confidential way, such as calling you at work instead of at home, by notifying the registration associate who is assisting you. We will not ask you the reason for your request, and we will try to accommodate all reasonable requests.
- Right to Have Someone Act on Your Behalf: You have the right to name a personal representative who may act on your behalf to control the privacy of your health information. Parents and guardians will generally have the right to control the privacy of health information about minors unless the minors are permitted by law to act on their own behalf.
- Right to Obtain a Copy of Notices: If you are receiving this Notice electronically, you have the right to a paper copy of this Notice. We may change our privacy practices from time to time. If we do, we will revise this Notice and post any revised Notice in our registration area and on our website.
- Right to File a Complaint: If you believe your privacy rights have been violated, you may file a complaint with us by contacting the Privacy Officer or with the Secretary of the Department of Health and Human Services.
- Use and Disclosures Where Special Protections May Apply: Some kinds of information, such as HIV-related information, alcohol and substance abuse treatment information, mental health information, psychotherapy information, and genetic information, are considered so sensitive that state or federal laws provide special protections for them. Therefore, some parts of this general Notice of Privacy Practices may not apply to these types of information. If you have questions or concerns about the ways these types of information may be used or disclosed, please speak with your health care provider.