top of page

HIPAA Privacy Policy

NOTICE OF PRIVACY PRACTICES

This Notice is Effective as of: March 17, 2017

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

We understand the importance of privacy and confidentiality and are committed to taking the steps necessary to safeguard any medical or other individually identifiable health information that is created by or provided to us. The Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) requires us to: (i) maintain the privacy of protected health information (“PHI”); (ii) provide notice of our legal duties and privacy practices with respect to protected health information; (iii) abide by the terms of our Notice of Privacy Practices currently in effect; and (iv) notify affected individuals following a breach of unsecured PHI. This Notice describes how we may use and disclose your PHI. It also outlines your rights and our legal obligations with respect to this PHI. 

 

WHO WILL FOLLOW THIS NOTICE

 

This notice describes the practices of our employees and staff as well as affiliated entities, entities associated as organized health care arrangements, or any other individuals or entities that will be following this notice. Organized health care arrangements (“OHCAs”) include hospitals, physician organizations, health plans, and other entities that collectively provide health care services. A listing of the OHCAs we participate in is available from the Privacy Officer. This notice applies to each of these individuals, entities, sites and locations. In addition, these individuals, entities, sites, and locations may share PHI with each other for the treatment, payment, and health care operation purposes described in this notice.

 

INFORMATION COLLECTED ABOUT YOU

In the ordinary course of receiving treatment and health care services from us, you will be providing us with personal information such as:

  • Your name, address, and phone number.

  • Information relating to your medical history.

  • Your insurance information and coverage.

  • Information concerning your doctor, nurse, or other medical providers.

 

In addition, we will gather certain medical information about you and will create a medical record of the care provided to you. This information is stored in electronically. This medical record is the property of our ophthalmic practice, but the information in the medical record belongs to you. 

Some information also may be provided to us by other individuals or organizations that are part of your “circle of care,” such as your primary care provider, a referring physician, your other doctors, your health plan, and your close friends or family members.

 

HOW WE MAY USE AND DISCLOSE INFORMATION ABOUT YOU

The law permits us to use and disclose personal and identifiable health information about you for the following purposes:

 

Treatment. We may use your PHI in order to provide your medical care. For example, we may use your medical history, such as any presence or absence of diabetes, to assess the health of your eyes. We may disclose information to others who are involved in providing your care. For example, we may share your medical information with other health care providers who will perform services that we do not (such as your primary care physician or eye subspecialists); a pharmacist who needs your medical information to dispense a prescription to you; or a laboratory that performs a test we order for you.  

 

Payment. We may use and disclose your PHI to bill for our services and to collect payment from you or your insurance company. For example, we may need to give a payer information about your current medical condition so that it will pay us for the eye examinations or other services that we have furnished you. We may also need to inform your payer of the treatment you are going to receive in order to obtain prior approval or to determine whether the service is covered.  

 

Health Care Operations. We may use and disclose your PHI for the general operation of our business. For example, we sometimes arrange for auditors or other consultants to review our practices, evaluate our operations, and tell us how to improve our services. Or, for example, we may use and disclose your health information to review the quality of services provided to you.

 

Required by Law. As required by law, we will use and disclose your PHI, but we will limit our use or disclosure to the relevant requirements of the law. 

 

Public Health. We may disclose your PHI to a public health authority authorized to collect or receive PHI for the purpose of preventing or controlling disease, injury, or disability. We may also use and disclose your PHI in order to notify persons who may have been exposed to a disease or who are at risk of contracting or spreading a disease.

 

Abuse or Neglect. As required or authorized by law, we may disclose PHI to a public health authority or other government authority authorized by law to receive reports of child, elder, or dependent abuse or neglect or domestic violence.  

 

Food and Drug Administration. We may disclose PHI to a person subject to the jurisdiction of the Food and Drug Administration for the following activities: to report adverse events, product defects or problems, or biological product deviations; to track products; to enable product recalls, repairs, or replacements; or to conduct post-marketing surveillance.  

 

Serious Threat. Consistent with applicable law, we may disclose your PHI when necessary to prevent a serious threat to the health and safety of you or others.

 

Health Oversight Activities. We may disclose your PHI to health oversight agencies as authorized or required by law for health oversight activities such as audits, investigations, inspections, licensure or disciplinary actions, and civil, criminal, or administrative proceedings or actions.

 

Judicial and Administrative Proceedings. We may disclose your PHI in the course of administrative or judicial proceedings (a) to the extent expressly authorized by order of a court or administrative tribunal or (b) in response to a subpoena, discovery request, or other lawful process that is not accompanied by a court or administrative order if reasonable efforts have been made to (i) notify you of the request and you have not objected or your objections have been resolved by a court or administrative tribunal or (ii) secure a qualified protective order.

 

Law Enforcement. We may disclose your PHI as required by law to assist law enforcement to identify or locate a suspect, fugitive, material witness, or missing person, or for purposes of complying with a court order, warrant, or grand jury subpoena.

 

Coroners and Funeral Directors. We may disclose a patient’s health information (1) to a coroner or medical examiner to identify a deceased person or determine the cause of death and (2) to funeral directors as necessary to carry out their duties. 

Organ Donation. As authorized by law, we may disclose your PHI to organ procurement organizations, transplant centers, and eye or tissue banks.

 

Worker’s Compensation. We may disclose your PHI as necessary to comply with workers’ compensation laws. For example, to the extent your care is covered by workers’ compensation, we will make periodic reports to your employer about your condition. We are also required by law to report cases of occupational injury or occupational illness to the employer or worker’s compensation insurer.

 

Employers. We may disclose your PHI to your employer if we provide health care services to you at the request of your employer, and the health care services are provided either to conduct an evaluation relating to medical surveillance of the workplace or to evaluate whether you have a work-related illness or injury. 

Armed Forces. If you are a member of the Armed Forces, we may disclose your PHI for activities deemed necessary by military command authorities. We also may disclose health information about foreign military personnel to their appropriate foreign military authority.

 

Correctional Institutions. If you are an inmate, we may release your PHI to a correctional institution where you are incarcerated or to law enforcement officials in certain situations such as where the information is necessary for your treatment, health, or safety, or the health or safety of others.

 

National Security. We may disclose your PHI for national security and intelligence activities and for the provision of protective services to the President of the United States and other officials or foreign heads of state.

 

Business Associates. We sometimes work with outside individuals and businesses that help us operate our business successfully, such as by providing billing services. We may disclose your PHI to these business associates so that they can perform the tasks that we hire them to do. We have written contracts with our business associates that require them and their subcontractors to protect the confidentiality and security of your PHI. 

 

Notification and Communication with Family. We may disclose your PHI to notify persons responsible for your care about your location, general condition, or death. We may disclose information to public or private entities authorized to coordinate such notifications for disaster relief purposes. We may also disclose your PHI to someone who is involved with your care or helps pay for your care. Generally, we will obtain your oral agreement before using or disclosing health information in these ways. However, under certain circumstances, such as in an emergency situation, we may make these uses and disclosures without your agreement. If you are unable or unavailable to agree or object, we will use our best judgment in communicating with your family and others. 

 

Facility Directories. We may use your PHI to maintain a directory of individuals in our facility unless you object. 

 

Change of Ownership. In the event that this medical practice is sold or merged with another organization, your medical record will become the property of the new owner, although you will maintain the right to request that copies of your health information be transferred to another physician or medical group. 

Research. In compliance with governing law, we may use or disclose certain information about your condition and treatment for research purposes where your written authorization is not required and an Institutional Review Board or a similar body referred to as a Privacy Board determines that your privacy interests will be adequately protected in the study. We may also use and disclose your PHI to prepare or analyze a research protocol and for other research purposes.   

De-indentified Information. We may create or distribute de-identified health information by removing all reference to individually identifiable information. 

Marketing. 

 

We will obtain your prior written authorization before communicating with you (except face-to-face) about products or services related to your treatment or alternative treatments or therapies offered by a third party if we will receive any payment by such third party for this communication. The authorization will disclose whether we receive any compensation for any marketing activity you authorize, and we will stop any future marketing activity if you revoke that authorization. 

 

We do not need your authorization to send you reminders or information about appointments, treatment, or medication that you are currently prescribed, even if we receive compensation from a third party for doing so, as long as the compensation only covers the costs reasonably related to making the communication. 

 

We may communicate with you without your prior authorization:

  • about government or government-sponsored public benefit programs such as Medicare or Medicaid; 

  • about promotional gifts of nominal value; 

  • and to encourage you to maintain a healthy lifestyle, get routine tests, or participate in a disease management program.

 

Appointment Reminders. We may use and disclose medical information to contact you as a reminder that you have an appointment or that you should schedule an appointment. If you are not home, we may leave this information in a telephone message or a message left with the person answering the phone.

 

Sale of Health Information. We will not sell your health information without your prior written authorization. The authorization will disclose that we will receive compensation for your health information if you authorize us to sell it, and we will stop any future sales of your information if you revoke that authorization. 

 

Fundraising. We may use or disclose your demographic information in order to contact you for our fundraising activities. For example, we may use the dates that you received treatment, the department of service, your treating physician, outcome information, and health insurance status to identify individuals that may be interested in participating in fundraising activities. If you do not want to receive these materials, notify the Privacy Officer listed in this Notice and we will stop any further fundraising communications. Similarly, you should notify the Privacy Officer if you decide you want to start receiving these solicitations again. 

 

Psychotherapy Notes. If we have received your psychotherapy notes, we will not use or disclose them without your prior written authorization except for a few exceptions as provided by law.

 

Immunization Records. We may disclose PHI, limited to proof of immunization, to a school about an individual who is a student or prospective student if the school is required by law to have such proof and we obtain the agreement of the parent or guardian of the unemancipated minor or, if the student is an adult or emancipated minor, that individual. 

OTHER USES AND DISCLOSURES OF PERSONAL HEALTH INFORMATION

We are required to obtain written authorization from you for any uses and disclosures of PHI other than those described above. If you provide us with such permission, you may revoke that permission, in writing, at any time. If you revoke your permission, we will no longer use or disclose your PHI for the reasons covered by your written authorization, except to the extent we have already relied on your original permission.

 

INDIVIDUAL RIGHTS

 

To exercise any of your rights listed below, please contact our Privacy Officer in writing at the address listed below and include the details necessary for us to consider your request.

 

Restriction Requests. You have the right to ask for restrictions on certain uses and disclosures of PHI, including disclosure made to persons assisting with your care or payment for your care. We will consider your requests and notify you of the outcome, but are not required to accept such requests. If we do agree to a restriction, we must abide by it unless you agree in writing to remove it.

 

Restricted Disclosures to Health Plans. If you have paid for services “out of pocket” and in full, we will accommodate your request not disclose PHI related solely to those services to a health plan, unless we must disclose the information for treatment or as required by law.

 

Specific Communications. You have the right to request that you receive communications containing your PHI from us by specific means or at specific locations. For example, you may ask that we only contact you at home or by email. We will comply with all reasonable requests.

 

Inspect and Copy. With limited exceptions, you have the right to inspect and copy medical, billing, and other records used to make decisions about you. Within 30 days, we will provide copies in the form and format you request if it is readily producible. If not, we will provide you with an alternative form and format you find acceptable. If we maintain records electronically and you request copies in an electronic form and format that is not readily producible, we will provide copies in a readable electronic form and format that you agree to. We will send a copy to any other person you designate in writing. We may charge you a reasonable fee for the cost of copying and mailing. If we deny your request to access your child’s records or the records of an incapacitated adult you are representing because we believe allowing access would be reasonably likely to cause substantial harm to the patient, you will have a right to appeal our decision. 

 

Amend or Supplement. If you believe that information in your records is incorrect or incomplete, you have the right to ask us to correct the existing information or add missing information within 60 days. When making a request for amendment, you must state the reason for making such request. Under certain circumstances, we may deny your request, such as when we do not have the information, the information was not created by us (unless the person or entity that created it is no longer available to make the amendment), you would not be permitted to inspect and copy the information, or the information is accurate and complete. If we deny your request we will tell you why. You may submit a written statement of your disagreement with that decision. We may then prepare a written rebuttal. All information related to any request to amend will be maintained and disclosed in conjunction with any subsequent disclosure of the disputed information. 

Accounting of Disclosures. You have the right to receive an accounting of disclosures of your PHI by our practice for the six years prior to your request date. We will tell you who we shared your PHI with and why. We are not required to include in the list disclosures for your treatment, payment, our health care operations, and several other types of disclosures, such as those you authorize us to make, notifications and communications with family, and various government function and public health related disclosures. If you ask for this information from us more than once every twelve months, we may charge you a fee.

 

Breach Notification. In the case of a breach of unsecured PHI, you have the right to be notified, as provided by law. If you have given us a current email address, we may use it to communicate information related to the breach. In some circumstances our Business Associate may provide the notification. We may also provide notification by other methods as appropriate. 

 

Copy of Notice. You have the right to a copy of this notice in paper form, even if you agreed to receive notice electronically. You may ask us for a copy at any time.

 

CHANGES TO THIS NOTICE

 

We reserve the right to make changes to this notice at any time. We reserve the right to make the revised notice effective for all PHI we maintain and any we may receive in the future. In the event there is a material change to this Notice, the revised notice will be posted in our reception area and on our website. In addition, you may request a copy of the revised notice at any time. 

 

COMPLAINTS

If you feel that your privacy protections have been violated by our office, you have the right to file a complaint with the Secretary of the Department of Health and Human Services, Office of Civil Rights by sending a letter to 200 Independence Avenue, SW, Washington, DC 20201 calling (877) 696-6775, or visiting www.hhs.gov/ocr/privacy/hipaa/complaints/

 

YOU WILL NOT BE RETALIATED AGAINST OR PENALIZED BY US FOR FILING A COMPLAINT.

 

CONTACT US

Contact our Privacy Officer with any questions, comments, or complaints or to exercise any of your rights at info@wliumd.com.

bottom of page