| |
Notice of Privacy Policies
Updated:
September 1, 2004
This notice describes how medical information about you may be used
and disclosed and how you can get access to this information.
Please review it carefully. For
purposes of this Notice “us”, “we” and “our” refers to the practice
of John A. Lindsay, DDS, PA and “you” or “your” refers to our patients
(or their legal representatives as determined by us in accordance
with Florida informed consent law). When you receive health-care
services from us, we will obtain access to your medical information
(e.g., your health history). We are committed to maintaining the
privacy of your health information and we have implemented numerous
procedures to ensure that we do so.
Florida
law and the Health Insurance Portability & Accountability Act of
1996 (HIPAA) require us to maintain the confidentiality of all of
your health-care records and other individually identifiable health
information used by or disclosed to us in any form, whether electronically,
on paper or orally (“PHI” or Protected Health Information). HIPAA
is a federal law that gives you significant new rights to understand
and control how your health information is used. HIPAA and Florida
law provide penalties for covered entities and records owners, respectively,
that misuse or improperly disclose PHI.
Starting
April 14, 2003, HIPAA requires us to provide you with this Notice
of our legal duties and the privacy practices we are required to
follow when you first come into our office for health-care services.
If you have any questions about this Notice, please ask to speak
to our Privacy Officer, Ms. Rebecca Johnson-Clements at 561-997-4080
or rclements@implantsperio.com.
Our
doctors, clinical staff, Business Associates (outside contractors
we hire), employees and other office personnel follow the policies
and procedures set forth in this Notice. If your regular doctor
is unavailable to assist you (e.g. illness, on-call coverage, vacation,
etc.), we may provide you with the name of another health-care provider
outside our practice for you to consult with by telephone. If we
do so, that provider will follow the policies and procedures set
forth in this Notice or those established for his or her practice,
so long as they substantially conform to those for our practice.
Our
Rules on How We May Use and Disclose Your Protected Health Information
Under
the law (§456.074, Fla. Stats., and HIPAA), we must have your signature
on a written, dated Consent form and/or an Authorization form (not
an Acknowledgement form) before we will use and disclose your PHI
for certain purposes as detailed in the rules below.
Documentation
– You will be asked to sign a Consent form and/or an Authorization
form when you receive this Notice of Privacy Practices. If you did
not sign such a form or need a copy of the one you signed, please
contact our Privacy Officer. You may take back or revoke your Consent
or Authorization at any time (unless we have already acted based
on it) by submitting a Revocation form in writing to us at our address.
Your revocation will take effect, when we actually receive it. We
cannot give it retroactive effect, so it will not affect any use
or disclosure that occurred in our reliance on your Consent or Authorization
prior to revocation (e.g., if after we provide services to you,
you revoke your Authorization or Consent in order to prevent us
billing or collecting for those service, your revocation will have
no effect because we relied on your Authorization or Consent to
provide services before you revoked it).
General
Rule – If you do not sign our Consent form or if you revoke
it, as a general rule (subject to exceptions described below under
“Healthcare Treatment, Payment and Operations Rule” and “Special
Rules”), we cannot in any manner use or disclose to anyone (excluding
you, but including payers and Business Associates) your PHI or any
other information in your medical record. Under Florida law, we
are unable to submit claims to payers under assignment of benefits
without your signature on our Consent form. We will not condition
treatment on your signing an Authorization, but we may be forced
to decline you as a new patient or discontinue you as an active
patient if you choose not to sign the Consent or revoke it.
Health-care
Treatment, Payment and Operations Rule – With your signed Consent,
we may use or disclose your PHI in order:
- To
provide you with or coordinate health-care treatment and services.
For example, we may review your health history form to form a
diagnosis and treatment plan, consult with other doctors about
your care, delegate tasks to ancillary staff, call in prescriptions
to your pharmacy, disclose needed information to your family or
others so they may assist you in home care, arrange appointments
with other health-care providers, schedule lab work for you, etc,;
- To
bill or collect payment from you, an insurance company, a managed-care
organization, a health-benefits plan or another third party. For
example, we may need to verify your insurance coverage, submit
your PHI on claim forms in order to get reimbursed for our services,
obtain pre-treatment estimates or prior authorizations from your
health plan or provide your X-rays because your health plan requires
them for payment; or
- To
run our office, assess the quality of care our patients receive
and provide you with customer service. For example, to improve
efficiency and reduce costs associated with missed appointments,
we may contact you by telephone, mail or otherwise remind you
of scheduled appointments, we may leave messages with whomever
answers your telephone or e-mail to contact us (but we will not
give out detailed PHI), we may call you by name from the waiting
room, we may ask you to put your name on a sign-in sheet, we may
tell you about or recommend health-related products and complementary
or alternative treatments that may interest you, we may review
your PHI to evaluate our staff’s performance, or our Privacy Officer
may review your records to assist you with complaints. If you
prefer that we do not contact you with information about treatment
alternatives or health-related products and services, please notify
us in writing at our address listed above and we will not use
or disclose your PHI for these purposes.
Special
Rules – Notwithstanding anything else contained in this Notice,
only in accordance with applicable law, and under strictly limited
circumstances, we may use or disclose your PHI without your permission,
Consent or Authorization for the following purposes:
- When
required under federal, state or local law;
- When
necessary in emergencies to prevent a serious threat to your health
and safety or the health and safety of other persons;
- When
necessary for public health reasons (e.g., prevention or control
of disease, injury or disability; reporting information such as
adverse reactions to anesthesia; ineffective or dangerous medications
or products; suspected abuse, neglect or exploitation of children,
disabled adults or the elderly; or domestic violence);
- For
federal or state government health-care oversight activities (e.g.,
civil rights laws, fraud and abuse investigations, audits, investigations,
inspections, licensure or permitting, government programs, etc.);
- For
judicial or administrative proceedings and law enforcement purposes
(e.g., in response to a warrant, subpoena or court order; by providing
PHI to coroners, medical examiners and funeral directors to locate
missing persons, identify deceased persons or determine cause
of death);
- For
workers’ compensation purposes (e.g., we may disclose your PHI
if you have claimed health benefits for a work-related injury
or illness);
- For
intelligence, counterintelligence or other national security purposes
(e.g., Veterans Affairs, U.S. military command, other government
authorities or foreign military authorities may require us to
release PHI about you);
- For
organ and tissue donation (e.g., if you are an organ donor we
may release your PHI to organizations that handle organ, eye or
tissue procurement, donation and transplantation);
- For
research projects approved by an Institutional Review Board or
a privacy board to ensure confidentiality (e.g., if the researcher
will have access to your PHI because of involvement in your clinical
care, we will ask you to sign an Authorization);
- To
create a collection of information that is “de-identified” (e.g.,
it does not personally identify you by name, distinguishing marks
or otherwise and no longer can be connected to you);
- To
family members, friends and others, but only if you verbally give
permission; we give you an opportunity to object and you do not;
we reasonably assume, based on our professional judgment and the
surrounding circumstances, that you do not object (e.g., you bring
someone with you into the operatory or exam room during treatment
or into the conference area when we are discussing your PHI);
we reasonably infer that it is in your best interest (e.g., to
allow someone to pick up your records because they knew you were
our patient and you asked them in writing with your signature
to do so); or it is an emergency situation involving you or another
person (e.g, your minor child or ward) and, respectively, you
cannot consent to your care because you are incapable of doing
so or you cannot consent to the other person’s care because after
a reasonable attempt, we have been unable to locate you. In these
emergency situations, we may, based on our professional judgment
and the surrounding circumstances, determine that disclosure is
in the best interests of you or the other person, in which case
we will disclose PHI, but only as it pertains to the care being
provided and we will notify you of the disclosure as soon as possible
after the care is completed.
Minimum
Necessary Rule – Our staff will not use or access your PHI unless
it is necessary to do their jobs (e.g., doctors uninvolved in your
care will not access your PHI; ancillary clinical staff caring for
you will not access your billing information; billing staff will
not access your PHI except as needed to complete the claim form
for the latest visit; janitorial staff will not access your PHI).
Also, we disclose to others outside our staff only as much of your
PHI as is necessary to accomplish the recipient’s lawful purposes.
For example, we may use and disclose the entire contents of your
medical record:
- To
you (and your legal representatives as stated above) and any one
else you list on a Consent or Authorization to receive a copy
of your records;
- To
health-care providers for treatment purposes (e.g., making diagnosis
and treatment decisions or agreeing with prior recommendations
in the medical record);
- To
the U.S. Department of Health and Human Services (e.g., in connection
with a HIPAA complaint);
- To
others as required under federal or Florida law;
- To
our Privacy Officer and others as necessary to resolve your complaint
or accomplish your request under HIPAA (e.g., clerks who copy
records need access to your entire medical record).
In
accordance with the law, we presume that requests for disclosure
of PHI from another Covered Entity (as defined in HIPAA) are for
the minimum necessary amount of PHI to accomplish the requester’s
purpose. Our Privacy Officer will individually review unusual or
non-recurring requests for PHI to determine the minimum necessary
amount of PHI and disclose only that. For non-routine requests of
disclosures, the Plan’s Privacy Officer will make a minimum necessary
determination based on, but not limited to, the following factors:
- The
amount of information being disclosed;
- The
number of individuals or entities to whom the information is being
disclosed;
- The
importance or use of the disclosure;
- The
likelihood of further disclosure;
- Whether
the same result could be achieved with de-identified information;
- The
technology available to protect confidentiality of the information;
and
- The
cost to implement administrative, technical and security procedures
to protect confidentiality.
If
we believe that a request from others for disclosure of your entire
medical record is unnecessary, we will ask the requester to document
why this is needed, retain that documentation and make it available
to you upon request.
Incidental
Disclosure Rule – We will take reasonable administrative, technical
and security safeguards to ensure the privacy of your PHI when we
use or disclose (e.g., we require employees to talk softly when
discussing PHI with you, we use computer passwords and change them
periodically [e.g., when an employee leaves us], we allow access
to areas where PHI is stored or filed only when we are present to
supervise and prevent unauthorized access).
Business
Associate Rule – Business Associates and other third parties
(if any) that receive your PHI from us will be prohibited from re-disclosing
it unless required to do so by law or you give prior express written
consent to the re-disclosure. Nothing in our Business Associate
agreement will allow our Business Associate to violate this re-disclosure
prohibition.
Super-confidential
Information Rule – If we have PHI about you regarding HIV testing,
alcohol- or substance-abuse diagnosis and treatment, or psychotherapy
and mental-health records (super-confidential information under
the law), we will not disclose it under the General or Health-care
Treatment, Payment and Operations Rules (see above) without you
first signing and properly completing our Consent form (i.e., you
specifically must initial the type of super-confidential information
we are allowed to disclose). If you do not specifically authorize
disclosure by initialing the super-confidential information, we
will not disclose it unless authorized under the Special Rules (see
above) (e.g., we are required by law to disclose it). If we disclose
super-confidential information (either because you have initialed
the Consent form or the Special Rules authorize us to do so), we
will comply with state and federal law that requires us to warn
the recipient in writing that re-disclosure is prohibited.
Faxing,
E-mailing and Website Rules – When you request us to fax or
e-mail your PHI as an alternative communication and we agree to
do so, we may fax or e-mail super-confidential information; we will
not use fax or e-mail for emergency communication without knowing
that the recipient is expecting the message; have only our Privacy
Officer or your treating doctor fax or e-mail your PHI; have our
Privacy Officer confirm that the fax number or e-mail address is
correct before sending the message and ensure that the intended
recipient has sole access to the fax machine or computer before
sending the message; confirm receipt; locate our fax machine or
computer in a secure location so unauthorized access and viewing
is prevented; use a fax cover sheet so the PHI is not the first
page to print out (because unauthorized persons may view the top
page); and attach an appropriate privacy notice to the message.
When viewing our website statistics in aggregate, that is, non-identifiable
statistics will become available to us. These statistics will not
be linked to you specifically. When submitting information via our
website of a personally identifiable nature, that information will
remain subject to this Notice’s provisions in other areas. Access
to the website may be interrupted at any time and patients must
not rely solely on its availability for access of practice information
or access to this Notice.
Inactive
Patient Records – We will retain your records for seven years
from your last treatment or examination, at which point you will
become an inactive patient in our practice and we may destroy your
records at that time (but records of inactive minor patients will
not be destroyed before the child’s eight birthday). We will do
so only in accordance with the law (e.g., in a confidential manner,
with a Business Associate agreement prohibiting re-disclosure if
necessary).
Collections
and Marketing – If we use or disclose your PHI for marketing
(i.e., communications that encourage recipients to purchase or use
a product or service) or collections purposes, we will do so only
in accordance with the law.
Changes
to Privacy Policies Rule – We reserve the right to change our
privacy practices (by changing the terms of this Notice) at any
time as authorized by law. The changes will be effective immediately
upon us making them. They will apply to all PHI we create or receive
in the future, as well as to all PHI created or received by us in
the past (i.e., to PHI about you that we had before the changes
took effect). If we make changes, we will post the changed Notice,
along with its effective date, on our website. Also, upon request,
you will be given a copy of our current Notice.
Authorization
Rule – We will not use or disclose your PHI for any purpose
or to any person other than as stated in the rules above without
your signature on a specifically worded, written Authorization form
(not a Consent or any Acknowledgement). If we need your Authorization,
we must obtain it on our Authorization form, which is separate from
any Consent or Acknowledgement we may have obtained from you. We
will not condition treatment on whether you sign the Authorization
(or not).
Your
Rights Regarding Your Protected Health Information
If
you got this Notice via e-mail or a Website, you have the right
to get, at any time, a paper copy by asking our Privacy Officer.
Also, you have the following additional rights regarding PHI we
maintain about you:
To
Inspect and Copy – You have the right to see and get a copy
of your PHI including, but not limited to, medical and billing records
by submitting a written request to our Privacy Officer on our Request
to Inspect, Copy or Summarize form. Original records will not leave
the premises, will be available for inspection only during our regular
business hours, and only if our Privacy Officer is present at all
times. You may ask us to give you the copies in a format other than
photocopies (and we will do so unless we determine that it is impracticable)
or ask us to prepare a summary in lieu of the copies. We may charge
you a fee not to exceed Florida law to recover our costs (including
postage, supplies and staff time as applicable, but excluding staff
time for search and retrieval) to duplicate or summarize your PHI.
We will respond to requests in a timely manner, without delay for
legal review, in less than 30 days if submitted in writing on our
form or otherwise, and in 10 business days or less if malpractice
litigation or pre-suit production is involved. We may deny your
request in certain limited circumstances (i.e., we do not have the
PHI, it came from a confidential source, etc). If we deny your request,
you may ask for a review of that decision. If required by law, we
will select a licensed health-care professional (other than the
person who denied your request initially) to review the denial and
we will follow his or her decision. If we select a licensed health-care
professional who is not affiliated with us, we will ensure a Business
Associate agreement is executed that prevents re-disclosure of your
PHI without your consent by the outside professional.
To
Request Amendment/Correction – If another doctor involved in
your care tells us in writing to change your PHI, we will do so
as expeditiously as possible upon receipt of the changes and will
send you written confirmation that we have made the changes. If
you think PHI we have about you is incorrect, or that something
important is missing from your records, you may ask us to amend
or correct it (so long as we have it) by submitting a Request for
Amendment/Correction form to our Privacy Officer. We normally will
act on your request within 60 days from receipt, but we may extend
our response time (within the 60-day period) no more than once and
by no more than 30 days, in which case we will notify you in writing
why and when we will be able to respond. If we grant your request,
we will let you know within five business days, make the changes
by noting (not deleting) what is incorrect or incomplete and adding
to it the changed language, and send the changes within five business
days to persons you ask us to and persons we know may rely on incorrect
or incomplete PHI to your detriment (or already have). We may deny
your request under certain circumstances (e.g., it is not in wirting,
it does not give a reason why you want the change, we did not create
the PHI you want changed and the entity that did cannot be contacted,
it was compiled for the use in litigation, or we determine it is
accurate and complete). If we deny your request, we will (in writing
within five business days) tell you: why and how to file a complaint
with us if you disagree, that you may submit a written disagreement
with our denial (and we may submit a written rebuttal and give you
a copy of it), that you may ask us to disclose your initial request
and our denial when we make future disclosures of PHI pertaining
to your request, and that you may complain to us and the U.S. Department
of Health and Human Services.
To
an Accounting of Disclosures – You may ask us for a list of
those who got your PHI from us by submitting a Request for Accounting
of Disclosures form to us. The list will not cover some disclosures
(e.g., PHI given to you, given to your legal representative, given
to others for treatment, payment for healthcare operations purposes).
Your request must state in what form you want the list (e.g., paper
or electronically) and the time period you want us to cover, which
may be up to but no more than the last six years (excluding dates
before April 14, 2003). If you ask us for this list more than once
in a 12-month period, we may charge you a reasonable, cost-based
fee to respond, in which case we will tell you the cost before we
incur it and let you choose if you want to withdraw or modify your
request to avoid the cost.
To
Request Restrictions – You may ask us to limit how your PHI
is used and disclosed (i.e. in addition to our rules as set forth
in this Notice) by submitting a written Request for Restrictions
on Use/Disclosure form to us (e.g., you may not want us to disclose
your surgery to family members or friends involved in paying for
our services or providing your home care). If we agree to these
additional limitations, we will follow them except in an emergency
where we will not have time to check for limitations. Also, in some
circumstances we may be unable to grant your request (e.g., we are
required by law to use or disclose your PHI in a manner that you
want restricted; you signed an Authorization form, which you may
revoke, that allows us to use or disclose your PHI in the manner
you want restricted; in an emergency).
These
privacy practices will be effective September 1, 2004, and will
remain in effect until we replace them as specified above.
|
|
