ThreeHealth is committed to maintaining the privacy of your PHI. We are required by law to: (a) provide you with this Notice of our legal duties and privacy practices with respect to your PHI; (b) follow the terms of the Notice currently in effect; and (c) notify you if there is a breach of your PHI. We must also provide you with information regarding: (i) how we may use and disclose your PHI; (ii) your privacy rights; and (iii) our obligations concerning the use and disclosure of your PHI.
This Notice is NOT an authorization. Rather it describes how we, our business associates, and their subcontractors may use and disclose your PHI to carry out treatment, payment, or health care operations, and for other purposes as permitted or required by law. It also describes your rights to access and control your PHI.
I. USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION
A. Routine Uses and Disclosures of Protected Health Information
ThreeHealth is permitted under federal law to use and disclose PHI for certain purposes, including treatment, payment, and health care operations. Generally, we do not need your permission for these uses or disclosures under applicable laws. The following are examples of the types of routine uses and disclosures of PHI that we are permitted to make without your permission. Although this list is not exhaustive, it should give you an idea of the routine uses and disclosures we are permitted to make without your permission.
For Treatment: We keep a record of your PHI, which may include lab results, diagnoses, medications, your response to medications or other therapies, and information we learn about your health by providing the Services. We may use and disclose this information and other PHI to provide, coordinate, and/or manage your treatment and inform you of treatment alternatives and other health related benefits, products and services that may be of interest to you. We may use and disclose this information and other PHI to health care professionals (including without limitation Providers) and/or other third parties to provide, coordinate, and manage the delivery of your health care. For example, we may disclose your PHI to a pharmacy to fill a prescription, to a laboratory to order a test, or to another specialist for consultation.
For Payment: We may use and disclose your PHI, as needed, to bill and obtain payment for the health care services provided to you. We may disclose your PHI to health care providers (including without limitation Providers), health plans, and health care clearinghouses for their payment activities. For example, we may use and disclose PHI about you to receive payment for our services, manage your account, and fulfill our responsibilities under your health plan.
For Health Care Operations: We may use or disclose your PHI in order to support the business activities of the Practices. These activities may include, but are not limited to, reviewing our treatment and services, improving the services we provide, training and evaluating the performance of our staff in providing services, and providing customer service. We may also use your PHI to evaluate and improve services provided by our business associates, including those that provide data assessment and management and other services for or on our behalf, such as ThreeHealth Inc.
B. Uses and Disclosures That May Be Made Without Your Authorization or Opportunity to Object
ThreeHealth may use or disclose your PHI in the following situations without your authorization and without providing you an opportunity to object.
Required by the Secretary of Health and Human Services: We may be required to disclose your PHI to the Secretary of Health and Human Services to investigate or determine our compliance with the requirements of the HIPAA Privacy Rule.
Required By Law: We may use or disclose your PHI to the extent that the use or disclosure is required by federal, state, or local law.
Public Health: We may disclose your PHI for public health activities, such as tracking diseases and/or medical devices, which may include making disclosures to a public health authority or other government agency that is permitted by law to collect or receive the information (e.g., the Food and Drug Administration). These activities generally include the following: (a) to prevent or control disease, injury or disability; (b) to report births and deaths; (c) to report child abuse or neglect; (d) to report reactions to medications or problems with products; (e) to notify people of recalls of products they may be using; or (f) to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition. If we keep genetic testing information about you, we will release that information only to the state departments that monitor our work or if required by law to release that information.
Health Oversight: We may disclose PHI to a health oversight agency for oversight activities authorized by law, such as audits; civil, administrative or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative or criminal proceedings or actions; or other activities necessary for the oversight of the health care system, government benefit programs or entities subject to government regulations or civil rights laws. Oversight agencies include government agencies that oversee the health care system, government benefit programs, other government regulatory programs and civil rights laws.
Abuse or Neglect: If you have been a victim of abuse, neglect, or domestic violence, we may disclose your PHI to a government agency authorized to receive such information. In addition, we may disclose your PHI to a public health authority that is authorized by law to receive reports of child abuse or neglect.
Judicial and Administrative Proceedings: We may disclose your PHI in response to an order of a court or administrative tribunal, and, in certain conditions, in response to a subpoena, discovery request or other lawful process.
Law Enforcement: We may disclose your PHI, so long as applicable legal requirements are met, for law enforcement purposes, such as providing information to the police about the victim of a crime.
Coroners and Funeral Directors: We may disclose your PHI to a coroner, medical examiner, or funeral director if it is needed to perform their legally authorized duties – for example to identify a deceased person, determine a cause of death, or as authorized by law.
Organ Donation: If you are an organ donor, we may disclose your PHI to organ, eye or tissue donation or procurement organizations as necessary to facilitate organ, eye or tissue donation, procurement or transplantation.
Research: Under certain circumstances, we may use and disclose your PHI for internal and external research purposes to, among other things, develop and improve our services and products. Under certain circumstances, we may disclose your PHI to organizations that support medical research or that find, investigate, or cure diseases.
Serious Threat to Health or Safety: We may disclose your PHI if we believe it is necessary to prevent a serious threat to health or safety of a person or the public and it is to someone we reasonably believe is able to prevent or lessen the threat.
Specialized Government Functions: When the appropriate conditions apply, we may disclose PHI for purposes related to military or national security concerns, such as for the purpose of a determination by the Department of Veterans Affairs of your eligibility for benefits. If you are a member of the armed forces, we may release PHI about you as required by military command authorities. We may also release PHI about foreign military personnel to the appropriate foreign military authority.
National Security and Intelligence Activities: We may disclose your PHI to authorized federal officials for intelligence, counterintelligence, protection of the President, other authorized persons or foreign heads of state, for the purpose of determining your own security clearance and other national security activities authorized by law.
Workers’ Compensation: We may disclose your PHI to workers’ compensation carriers or your employer if you are injured at work, as authorized by, or to the extent necessary to comply with, workers’ compensation laws and other similar programs. If you do not want workers’ compensation notified, alternate insurance or payment information must be supplied.
For Appointment Reminders and Health-Related Benefits and Services: We may use your demographic PHI to contact you as a reminder that you have an appointment or to recommend possible treatment options or alternatives that may be of interest to you.
For Marketing Activities: We may use your PHI to contact you in an effort to encourage you to purchase or use a product or service. If we receive any direct or indirect payment for making such a communication, however, we would need your prior written permission to do so unless our communication (a) describes only a drug or medication that is currently being prescribed for you and our payment for the communication is reasonable in amount or (b) is made by one of our business partners consistent with our written agreement with such business partner.
Inmates: We may use or disclose your PHI to a correctional facility if you are an inmate of such correctional facility and we created or received your PHI in the course of providing care to you, which PHI may include information necessary for the correctional facility to provide you with health care or protect your health and safety, the health and safety of others, or the safety and security of the institution.
Business Associates: We may disclose your PHI to persons or entities who perform functions, activities or services to us or on our behalf that require the use or disclosure of PHI. To protect your health information, we require the business associate to appropriately safeguard your information.
De-identified Information: We may de-identify your PHI for any of the purposes described above. PHI that is de-identified in accordance with the HIPAA standards is no longer protected under HIPAA and may be used and disclosed for any lawful purpose, including certain research related purposes.
C. Uses and Disclosures That May Be Made either With Your Agreement or the Opportunity to Object
Unless you specifically object in whole or in part (which you may do at any time), ThreeHealth may disclose to a member of your family, a relative, a friend, or any other person you identify (orally or in writing) as being involved in your care or the payment for your health care, such PHI that directly relates to that person’s involvement in your health care. If you are unable to agree or object to such disclosure, we may disclose the information that we deem necessary and in your best interest, based on our professional judgment. In addition, we may use or disclose your PHI to notify or assist in notifying a family member, personal representative, or other person responsible for your care, of your location or general condition.
D. Uses and Disclosures of Protected Health Information Based upon Your Written Authorization
Psychotherapy Notes: We must obtain your written authorization for most uses and disclosures of psychotherapy notes.
Marketing: We must obtain your written authorization to use and disclose your PHI for most marketing purposes (as defined by HIPAA), except as noted above.
Sale of PHI: We must obtain your written authorization for any disclosure of your PHI which constitutes a sale of PHI.
Other Uses: Uses and disclosures of your PHI not described above, or otherwise permitted by HIPAA, will be made only with your written authorization unless otherwise permitted or required by law. If you sign an authorization to release your PHI, you may revoke that authorization in writing. Revocation will stop any future release of your PHI, but will not change what was released pursuant to the valid authorization.
To the extent required by law, when using or disclosing your PHI or when requesting your PHI from another covered entity, we will make reasonable efforts not to use, disclose or request more than a “limited data set” (as defined by HIPAA) of your medical information, or, if needed by us, no more than the minimum amount of medical information necessary to accomplish the intended purpose of the use, disclosure or request, taking into consideration practical and technological limitations.
E. We Use an Electronic Health Record to Create, Store and Maintain your Medical Record.
To help improve your medical care, ThreeHealth utilizes an electronic health record (“EHR”) to create, store and maintain your medical record. The EHR allows us to send and receive your PHI to and from other Providers who have treated you and who also use the EHR, but only if the reason we or another Provider seeks your PHI is also to provide you with treatment, obtain payment for your medical treatment, or to perform other administrative tasks permitted by our privacy policies and law. Providers will not send or receive your PHI through the EHR for any other purposes.
II. YOUR RIGHTS REGARDING YOUR PROTECTED HEALTH INFORMATION
You have certain rights regarding your PHI as explained below. You may exercise these rights by submitting a request to firstname.lastname@example.org
A. You have the right to inspect and copy portions of your PHI. If you want to see or get a copy of your PHI that is contained in a designated record set (e.g., medical and billing records), you must make the request in writing. You have the right to request that we provide your PHI to you in either paper or electronic format. We are required to provide you with such PHI within 30 days after receipt of your written request (or less if directed by state law) (with up to a 30-day extension if needed). We may charge you a reasonable fee to cover duplication, mailing and other costs incurred by us in complying with your request. There are certain situations when we may deny your request for access to your PHI; if we do, we will inform you why we denied your request. For example, we may deny your request if we believe the disclosure will endanger your life or that of another person. Depending on the circumstances of the denial, you may have the right to have this decision reviewed.
B. You have the right to request that we restrict how we use or disclose your PHI. You have the right to request a restriction or limitation on the PHI we use or disclose about you for purposes of treatment, payment or health care operations. You also have the right to request a limit on the PHI we disclose about you to someone who is involved in your care or the payment of your care, like a family member or friend. Your request must state the specific restriction requested and to whom you want the restriction to apply. We are not required to agree to a requested restriction except that we must agree to not disclose your PHI to your health plan if the disclosure (a) is for payment or health care operations (and not treatment purposes) and is not otherwise required by law and (b) relates to a health care item or service for which we have been paid in full out-of-pocket. If we agree with (or are required to honor) your request, we will put any limits in writing and abide by them except in emergency situations. You may not restrict any use or disclosure of your PHI if we are legally required to release such PHI.
C. You have the right to request to receive confidential communications from us by alternative means or at an alternative location. You have the right to request that we communicate with you in a certain way (for example, email instead of regular mail) or at a certain location (for example, sending information to your work address rather than your home address). We will accommodate reasonable requests as long as we can easily provide it in the format you requested. Any additional expenses will be passed on to you for payment.
D. You have the right to request a correction or update of your PHI. If you believe there is a mistake in your PHI or that a piece of important information is missing, you have the right to request that we correct the existing or add the missing information. We can do this for as long as we maintain the PHI. You must provide the request and your reason for the request in writing. We will respond to your request within 60 days (or less if directed by state law) of receiving your request (with up to a 30-day extension if needed). If we approve your request, we will make the change to your PHI, tell you that we have done it, and tell others who need to know about such change or amendment. If we determine that your PHI is accurate and complete, we may deny your request. If we deny your request, we will send you a written explanation stating our reasons and explain your right to file a written statement of disagreement. If you do not file a written statement of disagreement, you have the right to request that your request and our denial be attached to all future uses or releases of your PHI.
If you are a California resident, you have the right to submit a 250-word addendum about anything in your record you disagree with. If you tell us to, we will put this addendum in your medical record. We may add a written rebuttal to the addendum and we will supply you with a copy of this rebuttal.
E. You have the right to receive a list of when and to whom we have disclosed your PHI (an “accounting of certain disclosures”). This accounting will not include disclosures made for treatment, payment, and health care operations purposes or any disclosures we may have made directly to you. If you request an accounting, you must specify the time period, which may not be longer than 6 years. You have the right to one free request within any 12-month period and we may charge you for any additional requests in the same 12-month period. We will notify you of any such charges and you are free to withdraw or modify your request in writing before any charges are incurred. We will respond to your request within 60 days (with up to a 30-day extension if needed). In addition, we will notify you, as required by law, if there has been any breach of your PHI.
ThreeHealth will never require you to waive your rights under the HIPAA Privacy Rule or the HIPAA Breach Notification Rule as a condition for receiving services or treatment.
CHANGES TO THIS NOTICE
We reserve the right to modify this Notice and our privacy practices as described herein at any time. Any revision or amendment to this Notice will be effective for all of your records that we created or maintained in the past and for any of your records that we may create or maintain in the future. Our current Notice will always be available on our website at www.three.health and you can request a paper copy at any time by emailing email@example.com
If you have questions about this Notice of Privacy Practices, you believe that we have violated your privacy rights, or you disagree with a decision we made about access to your PHI, please contact ThreeHealth’s Privacy Officer at firstname.lastname@example.org
We will not retaliate against you in any way for filing a complaint with us, the Secretary or any state agency.