HIPAA

What Is HIPAA?

HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of health care information, and help the health care industry control administrative costs.

How Will Core 1 Chiropractic Use or Disclose My Health Information?

This medical practice collects health information about you and stores it in a chart and on a computer. This is your medical record. The medical record is the property of this medical practice, but the information in the medical record belongs to you.

The law permits us to use or disclose your health information for the following purposes:

  1. Treatment. We use medical information about you to provide your medical care. We disclose medical information to our employees and others who are involved in providing the care you need. For example, we may share your medical information with other physicians or other health care providers who will provide services that we do not provide. Or we may share this information with a pharmacist who needs it to dispense a prescription to you, or a laboratory that performs a test. We may also disclose medical information to members of your family or others who can help you when you are sick or injured, or after you die.
  2. Payment. We use and disclose medical information about you to obtain payment for the services we provide. For example, we give your health plan the information it requires before it will pay us. We may also disclose information to other health care providers to assist them in obtaining payment for services they have provided to you.
  3. Health Care Operations. We may use and disclose medical information about you to operate this medical practice. For example, we may use and disclose this information to review and improve the quality of care we provide, or the competence and qualifications of our professional staff. Or we may use and disclose this information to get your health plan to authorize services or referrals. We may also use and disclose this information as necessary for medical reviews, legal services and audits, including fraud and abuse detection and compliance programs and business planning and management. We may also share your medical information with our “business associates,” such as our billing service, that perform administrative services for us. We have a written contract with each of these business associates that contains terms requiring them and their subcontractors to protect the confidentiality and security of your protected health information. We may also share your information with other health care providers, health care clearinghouses or health plans that have a relationship with you, when they request this information to help them with their quality assessment and improvement activities, their patient-safety activities, their population-based efforts to improve health or reduce health care costs, their protocol development, case management or care-coordination activities, their review of competence, qualifications and performance of health care professionals, their training programs, their accreditation, certification or licensing activities, or their health care fraud and abuse detection and compliance efforts. We may also share medical information about you with the other health care providers, health care clearinghouses and health plans that participate with us in “organized health care arrangements” (OHCAs) for any of the OHCAs’ health care operations. OHCAs include hospitals, physician organizations, health plans, and other entities which collectively provide health care services. A listing of the OHCAs we participate in is available from the Privacy Official.
  4. Appointment Reminders. We may use and disclose medical information to contact and remind you about appointments. If you are not home, we may leave this information on your answering machine or in a message left with the person answering the phone.
  5. Sign-In Sheet. We may use and disclose medical information about you by having you sign in when you arrive at our office. We may also call out your name when we are ready to see you.
  6. Notification and Communication With Family. We may disclose your health information to notify or assist in notifying a family member, your personal representative or another person responsible for your care about your location, your general condition or, unless you had instructed us otherwise, in the event of your death. In the event of a disaster, we may disclose information to a relief organization so that they may coordinate these notification efforts. We may also disclose information to someone who is involved with your care or helps pay for your care. If you are able and available to agree or object, we will give you the opportunity to object prior to making these disclosures, although we may disclose this information in a disaster even over your objection if we believe it is necessary to respond to the emergency circumstances. If you are unable or unavailable to agree or object, our health professionals will use their best judgment in communication with your family and others.
  7. Marketing. Provided we do not receive any payment for making these communications, we may contact you to give you information about products or services related to your treatment, case management or care coordination, or to direct or recommend other treatments, therapies, health care providers or settings of care that may be of interest to you. We may similarly describe products or services provided by this practice and tell you which health plans this practice participates in. We may also encourage you to maintain a healthy lifestyle and get recommended tests, participate in a disease management program, provide you with small gifts, tell you about government sponsored health programs or encourage you to purchase a product or service when we see you, for which we may be paid. Finally, we may receive compensation which covers our cost of reminding you to take and refill your medication, or otherwise communicate about a drug or biologic that is currently prescribed for you. We will not otherwise use or disclose your medical information for marketing purposes or accept any payment for other marketing communications without your prior written authorization. The authorization will disclose whether we receive any compensation for any marketing activity you authorize, and we will stop any future marketing activity to the extent you revoke that authorization.
  8. Sale of Health Information. We will not sell your health information without your prior written authorization. The authorization will disclose that we will receive compensation for your health information if you authorize us to sell it, and we will stop any future sales of your information to the extent that you revoke that authorization.
  9. Required by Law. As required by law, we will use and disclose your health information, but we will limit our use or disclosure to the relevant requirements of the law. When the law requires us to report abuse, neglect or domestic violence, or respond to judicial or administrative proceedings, or to law enforcement officials, we will further comply with the requirements set forth below concerning those activities.
  10. Public Health. We may disclose, and are sometimes required by law to disclose, your health information to public health authorities for purposes related to: preventing or controlling disease, injury or disability; reporting child, elder or dependent adult abuse or neglect; reporting domestic violence; reporting to the Food and Drug Administration problems with products and reactions to medications; and reporting disease or infection exposure. When we report suspected elder or dependent adult abuse or domestic violence, we will inform you or your personal representative promptly unless, in our best professional judgment, we believe the notification would place you at risk of serious harm or would require informing a personal representative we believe is responsible for the abuse or harm.
  11. Health Oversight Activities. We may disclose, and are sometimes required by law to disclose, your health information to health oversight agencies during the course of audits, investigations, inspections, licensure and other proceedings, subject to the limitations imposed by law.
  12. Judicial and Administrative Proceedings. We may disclose, and are sometimes required by law to disclose, your health information in the course of any administrative or judicial proceeding to the extent expressly authorized by a court or administrative order. We may also disclose information about you in response to a subpoena, discovery request or other lawful process if reasonable efforts have been made to notify you of the request and you have not objected, or if your objections have been resolved by a court or administrative order.
  13. Law Enforcement. We may disclose, and are sometimes required by law to disclose, your health information to a law enforcement official for purposes such as identifying or locating a suspect, fugitive, material witness or missing person, complying with a court order, warrant or grand jury subpoena, and other law enforcement purposes.
  14. Coroners. We may disclose, and are often required by law to disclose, your health information to coroners in connection with their investigations of deaths.
  15. Organ or Tissue Donation. We may disclose your health information to organizations involved in procuring, banking or transplanting organs and tissues.
  16. Public Safety. We may disclose, and are sometimes required by law to disclose, your health information to appropriate persons in order to prevent or lessen a serious and imminent threat to the health or safety of a particular person or the general public.
  17. Proof of Immunization. We will disclose proof of immunization to a school that is required to have it before admitting a student where you have agreed to the disclosure on behalf of yourself or your dependent.
  18. Specialized Government Functions. We may disclose your health information for military or national security purposes or to correctional institutions or law enforcement officers that have you in their lawful custody.
  19. Workers’ Compensation. We may disclose your health information as necessary to comply with workers’ compensation laws. For example, to the extent your care is covered by workers’ compensation, we will make periodic reports to your employer about your condition. We are also required by law to report cases of occupational injury or occupational illness to the employer or workers’ compensation insurer.
  20. Change of Ownership. In the event that this medical practice is sold or merged with another organization, your health information/record will become the property of the new owner, although you will maintain the right to request that copies of your health information be transferred to another physician or medical group.
  21. Breach Notification. In the case of a breach of unsecured protected health information, we will notify you as required by law. If you have provided us with a current e-mail address, we may use e-mail to communicate information related to the breach. In some circumstances our business associate may provide the notification. We may also provide notification by other methods as appropriate.
What Personal Information Will Core 1 Chiropractic Share?

Protected health information (PHI) is any information about health status, provision of health care, or payment for health care that can be linked to a specific person. This includes any part of a patient’s medical record or payment history. PHI must be de-identified before a dataset may be shared publicly, to preserve patient privacy. Except as described in this Notice of Privacy Practices, this medical practice will, consistent with its legal obligations, not use or disclose health information which identifies you without your written authorization. If you do authorize this medical practice to use or disclose your health information for another purpose, you may revoke your authorization in writing at any time.

De-identified health information neither identifies nor provides a reasonable basis to identify an individual. To create a de-identified record according to HIPAA, all of the following information about a patient, as well as similar information about the patient’s relatives, employer, and household members, must be removed:

  • Name
  • Street address, city, county, precinct, and ZIP Code
  • Dates directly related to any individual, including birth date, admission date, discharge date, date of death
  • Telephone and fax numbers
  • Email addresses
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet protocol (IP) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full-face photographic images and any comparable images
  • Any other unique identifying number, characteristic or code
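The following Python example, added here by the editor and not code from Core 1 Chiropractic or any HIPAA guidance document, shows what "removing" the identifiers in the list above looks like when applied to a patient record. It strips fields whose names fall into the listed categories (the field names used are assumptions about a record schema, not a standard), walks nested objects so that identifiers of relatives, household members and employers are removed too, and scans free-text fields such as clinical notes for identifiers that tend to leak there (Social Security numbers, phone numbers, e-mail addresses, URLs, IP addresses, dates). It applies the notice's list literally, so all dates and the full ZIP code are removed; the regulatory Safe Harbor standard has narrow exceptions (the year of a date, the initial three ZIP digits for sufficiently populated areas) that this example does not implement. The sample record is constructed for the example.

```python
import json
import re

# Field names treated as direct identifiers, one set for all the categories
# listed in the notice. The names are assumptions for this example: a real
# record schema would map its own column names onto these categories.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "precinct", "zip_code",
    "birth_date", "admission_date", "discharge_date", "date_of_death",
    "phone", "fax", "email", "ssn", "medical_record_number",
    "health_plan_beneficiary_number", "account_number", "license_number",
    "vehicle_id", "license_plate", "device_id", "device_serial", "url",
    "ip_address", "fingerprint_template", "voiceprint", "photo",
}

# Patterns for identifiers that leak inside free text (clinical notes, comments).
# Deliberately broad: a false positive costs a manual review, a false negative
# is a disclosure. Dictionary order is the order the patterns are applied in.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "url": re.compile(r"\bhttps?://\S+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def redact_free_text(text: str) -> tuple:
    """Replace identifier patterns in free text; return (clean_text, kinds_hit)."""
    hits = []
    for kind, pattern in FREE_TEXT_PATTERNS.items():
        text, count = pattern.subn(f"[{kind.upper()} REMOVED]", text)
        hits.extend([kind] * count)
    return text, hits


def deidentify_record(record: dict) -> tuple:
    """Return (clean_copy, removed_paths) for a record of nested dicts/lists/strings.

    Nested objects are processed with the same field list because the notice
    requires identifiers of the patient's relatives, employer and household
    members to be removed as well. Non-identifier fields are kept unchanged.
    """
    removed = []

    def walk(obj, path):
        if isinstance(obj, dict):
            out = {}
            for key, value in obj.items():
                here = f"{path}.{key}" if path else key
                if key in DIRECT_IDENTIFIER_FIELDS:
                    removed.append(here)      # drop the whole field
                    continue
                out[key] = walk(value, here)
            return out
        if isinstance(obj, list):
            return [walk(item, f"{path}[{i}]") for i, item in enumerate(obj)]
        if isinstance(obj, str):
            cleaned, kinds = redact_free_text(obj)
            removed.extend(f"{path}:{kind}" for kind in kinds)
            return cleaned
        return obj                            # numbers, booleans, None

    return walk(record, ""), removed


# Constructed sample record for the example; not real patient data.
SAMPLE_RECORD = {
    "medical_record_number": "MRN-000123",
    "name": "Jane Example",
    "birth_date": "1980-04-12",
    "zip_code": "90210",
    "sex": "F",
    "diagnosis_code": "M54.5",
    "visit": {
        "admission_date": "2024-02-01",
        "notes": "Pt reports low back pain. Callback 555-123-4567, "
                 "spouse at jane.spouse@example.com. SSN on file 123-45-6789.",
    },
    "emergency_contact": {
        "name": "John Example",
        "phone": "555-987-6543",
        "relationship": "spouse",
    },
}

if __name__ == "__main__":
    clean, removed = deidentify_record(SAMPLE_RECORD)
    print(json.dumps(clean, indent=2))
    print("removed:", removed)
```

The `removed` list is the audit trail: it names every field dropped and every pattern hit inside free text, which is what a reviewer needs to confirm the record is safe to release. Treat the free-text scan as an aid to review rather than a guarantee; names and other narrative identifiers in notes need human or NLP-based review that a handful of regular expressions cannot provide.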
Can I Request Special Privacy Protections?

You have the right to request restrictions on certain uses and disclosures of your health information by a written request specifying what information you want to limit, and what limitations on our use or disclosure of that information you wish to have imposed. If you tell us not to disclose information to your commercial health plan concerning health care items or services for which you paid in full out of pocket, we will abide by your request, unless we must disclose the information for treatment or legal reasons. We reserve the right to accept or reject any other request, and will notify you of our decision.

Do I Have the Right to Request Confidential Communications?

You have the right to request that you receive your health information in a specific way or at a specific location. For example, you may ask that we send information to a particular e-mail account or to your work address. We will comply with all reasonable requests submitted in writing which specify how or where you wish to receive these communications.

What Are My Rights to Inspect & Copy?


You have the right to inspect and copy your health information, with limited exceptions. To access your medical information, you must submit a written request detailing what information you want access to, whether you want to inspect it or get a copy of it, and if you want a copy, your preferred form and format. We will provide copies in your requested form and format if it is readily producible, or we will provide you with an alternative format you find acceptable, or if we can’t agree and we maintain the record in an electronic format, your choice of a readable electronic or hardcopy format. We will also send a copy to any other person you designate in writing. We will charge a reasonable fee which covers our costs for labor, supplies, postage, and if requested and agreed to in advance, the cost of preparing an explanation or summary. We may deny your request under limited circumstances. If we deny your request to access your child’s records or the records of an incapacitated adult you are representing because we believe allowing access would be reasonably likely to cause substantial harm to the patient, you will have a right to appeal our decision. If we deny your request to access your psychotherapy notes, you will have the right to have them transferred to another mental health professional.

Your Rights to Amend or Supplement


You have a right to request that we amend your health information that you believe is incorrect or incomplete. You must make a request to amend in writing, and include the reasons you believe the information is inaccurate or incomplete. We are not required to change your health information, and will provide you with information about this medical practice’s denial and how you can disagree with the denial. We may deny your request if we do not have the information, if we did not create the information (unless the person or entity that created the information is no longer available to make the amendment), if you would not be permitted to inspect or copy the information at issue, or if the information is accurate and complete as is. If we deny your request, you may submit a written statement of your disagreement with that decision, and we may, in turn, prepare a written rebuttal. All information related to any request to amend will be maintained and disclosed in conjunction with any subsequent disclosure of the disputed information.

What Are My Rights to an Accounting of Disclosures?


You have a right to receive an accounting of disclosures of your health information made by this medical practice, except that this medical practice does not have to account for the disclosures provided to you or pursuant to your written authorization, or as described in paragraphs 1 (treatment), 2 (payment), 3 (health care operations), 6 (notification and communication with family) and 18 (specialized government functions) of Section A of this Notice of Privacy Practices or disclosures for purposes of research or public health which exclude direct patient identifiers, or which are incident to a use or disclosure otherwise permitted or authorized by law, or the disclosures to a health oversight agency or law enforcement official to the extent this medical practice has received notice from that agency or official that providing this accounting would be reasonably likely to impede their activities.

What Are My Rights Regarding Paper & Electronic Copies of This Notice?

You have a right to notice of our legal duties and privacy practices with respect to your health information, including a right to a paper copy of this Notice of Privacy Practices, even if you have previously requested its receipt by e-mail.

Am I a Covered Entity?


Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which U.S. Department of Health and Human Services (HHS) has adopted standards.

What Is the Minimum Necessary Standard?


HIPAA Privacy Rules require that reasonable efforts be made to limit the amount of PHI to the minimum amount that is necessary to accomplish the purpose of the use or disclosure. This requirement does not apply when a health care provider discloses information to another provider for treatment purposes, or when a health care provider requests information from another provider for treatment purposes. Accordingly, the minimum necessary standard should not interfere with a doctor’s ability to provide appropriate treatment to patients. The minimum necessary standard also does not apply when the health care provider releases information: (1) directly to the patient, (2) pursuant to a patient’s authorization, or (3) for disclosures that are required by law or are necessary to comply with the Privacy Rules.

What Is a Business Associate Agreement?


HIPAA defines those organizations or people, other than a member of a covered entity’s workforce, hired to handle PHI client information—e.g. billing services, IT support, online data backup services, etc.—as “Business Associates.” The law states that health care providers can work with such services if they “…obtain satisfactory assurances that the business associate will appropriately safeguard [personally-identifying client information].” That “satisfactory assurance,” as a standard, takes the form of a contract called a Business Associate Agreement, or “BAA” for short.

Note: The “HIPAA Omnibus Rule” modified the Health Insurance Portability and Accountability Act (HIPAA) making business associates and subcontractors of business associates of covered entities directly liable for compliance with certain provisions of the HIPAA Privacy and Security rule.

What Is a Notice of Privacy Practices?


The HIPAA Privacy Rule gives patients a right to be informed of the Privacy Practices of health care providers and health plans and of their privacy rights regarding their protected health information. Health care providers and health plans that are subject to HIPAA are required to develop and distribute a notice containing certain elements that provides a clear, user-friendly explanation of these rights and practices. Pre-approved model notices of privacy practices are available through healthIT.gov.

Can a Chiropractor Send Out Appointment-Reminder Postcards? Leave Messages on Answering Machines/Voicemail?


Yes. The Privacy Rules allow this type of patient communication, but precautions must be taken to safeguard the patient’s privacy. For example, answering machine messages should be limited to the appointment time or to request that the patient return the call. The Privacy Rules also allow messages to be left directly with the patient’s family member or companion.

Doctors are allowed to disclose information about the patient’s care to the patient’s family members and friends, even if the patient is not present or has not affirmatively given the physician permission to do so, as long as the doctor believes that the disclosure is in the patient’s best interest. If the patient has expressly directed that there be no disclosure to specific family members or friends, however, the patient’s wishes must be respected.

Also, if a patient requests confidential communications, the request must be accommodated if it is reasonable. For example, it would be reasonable for a patient to request that all mailings be sent to a specific address (e.g., to the patient’s office instead of home, or vice versa), or be sent in a closed envelope instead of on a postcard.

Does the HIPAA Privacy Rule Allow Parents to See Their Minor Child’s Medical Records?

Yes. The Privacy Rule generally allows a parent to have access to a child’s medical records as the minor child’s personal representative when such access is not inconsistent with state or other law. There are three situations when the parent would not be the minor’s personal representative under the Privacy Rule. These exceptions are:

  1. When the minor is the one who consents to care and the consent of the parent is not required under state or other applicable law.
  2. When the minor obtains care at the direction of a court or a person appointed by the court.
  3. When, and to the extent that, the parent agrees that the minor and the health care provider may have a confidential relationship.
Can a Chiropractor Use Sign-In Sheets? Call Patient Names in Waiting Areas? Place Charts Outside Examination/Treatment Rooms?


Yes. To the extent these activities result in other people learning a patient’s name or other information, the disclosure would be considered “incidental” to patient treatment, and, therefore, acceptable under HIPAA. Appropriate precautions should be taken to limit the amount of information that might be incidentally disclosed in this manner. For example, “reason for visit” should not be included on a sign-in sheet. With respect to placing charts outside of an examination room, the front of the chart should be turned toward the wall.

Can Core 1 Chiropractic Send Identified Data to Insurance Companies? If So, How Do I Do So Safely? E-mail? Fax? Flash Drive? Mail?


You may use or disclose PHI for treatment, payment and health care operations activities. Disclosure of data to insurance companies for treatment, payment or operations must include data safeguards. Individually identifiable health information should be protected with reasonable administrative, technical and physical safeguards to ensure its confidentiality, integrity and availability, and to prevent unauthorized or inappropriate access, use or disclosure. It is important to assess your practice and organization to understand all modes of transmission of PHI and develop standard processes and training for all data. Note: The HIPAA Security Rule establishes standards for protecting information that is held or transferred in electronic form.

Email: The Privacy Rule allows sharing of PHI electronically (or in any other form) for treatment or payment purposes, as long as reasonable safeguards are applied. The Security Rule does not expressly prohibit the use of email for sending electronic PHI. However, the standards for access control, integrity and transmission security require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against the unauthorized access to electronic PHI sent and received over email communications. A covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected. For example, if you don’t use a secure, HIPAA compliant email application, avoid including PHI in the text of email, and encrypt any files containing PHI.

Flash drive: If you use flash drives, or other movable media such as CDs, use password protection and encrypt the file. Protocol, training and tracking of who can use removable storage devices represent additional best practices for ensuring appropriate safeguards.

Fax: You must have in place reasonable and appropriate administrative, technical and physical safeguards to protect the privacy of protected health information that is disclosed using a fax machine. Examples of measures that could be reasonable and appropriate include confirming that the fax number to be used is the correct one, using a fax cover-sheet that does not contain PHI, and placing the fax machine in a secure location to prevent unauthorized access to the information. Additional safeguards should be considered when faxing highly confidential information.

Mail: Like other forms of PHI, you must have in place reasonable and appropriate safeguards to protect the privacy of PHI that is disclosed via mail. One of the biggest problems with mailing medical records is human error. Ensure that staff is well trained and measures such as verifying addresses are included. Note: If you are mailing movable media such as flash drives, the files on the flash drive should be encrypted.

What Is Core 1 Chiropractic’s Notice of Privacy Practices?


We reserve the right to amend this Notice of Privacy Practices at any time in the future. Until such amendment is made, we are required by law to comply with the terms of this Notice currently in effect. After an amendment is made, the revised Notice of Privacy Practices will apply to all protected health information that we maintain, regardless of when it was created or received. We will keep a copy of the current notice posted in our reception area, and a copy will be available at each appointment. We will also post the current notice on our website.

How Do I Make a Complaint?


Complaints about this Notice of Privacy Practices or how this medical practice handles your health information should be directed to our Privacy Officer listed at the top of this Notice of Privacy Practices.

If you are not satisfied with the manner in which this office handles a complaint, you may submit a formal complaint to: OCR@hhs.gov

The complaint form may be found at: www.hhs.gov/ocr/privacy/hipaa/complaints/hipcomplaint.pdf.

You will not be penalized in any way for filing a complaint.