Notice of Privacy Practices
Effective Date: October 7, 2019
This Notice describes how protected health information about you may be used and disclosed and how you may obtain access to this information. Please review it carefully.
This Notice of Privacy Practices (the “Notice”) describes the commitment of PM Pediatrics (referred to as “we,” “us” or “our” in this Notice) to protect the privacy and confidentiality of our patients’ information. For purposes of this Notice, when we refer to “you” or “your,” we mean you as a patient or you as the provider of information about a minor patient. This Notice explains our confidentiality practices, the ways we may use and share patients’ information under the law and your right to access and control this information.
In this Notice, “protected health information” or “PHI” refers to any individually identifiable information that we obtain from you or another person that relates to your past, present or future physical or mental health conditions, the health care you have received or the payment for your care. Protected health information includes, but is not limited to:
• Demographic information (such as your age, gender, race, ethnicity, or marital status);
• Geographic information (such as where you live or work);
• Medical information about your health conditions (such as your test results);
• Information about the services you have or will receive (such as an X-ray or surgical procedure);
• Information about your health insurance plan (such as your insurer’s coverage policies);
• Information that may identify you (such as your Social Security number or a phone number);
• Biometric identifiers (such as fingerprints); and
• Full-face photographs.
The practices described in this Notice will be followed by all of our employees, healthcare professionals, trainees, students, volunteers, independent contractors and business associates (collectively referred to as “Personnel” in this Notice).
This Overview is a summary of the remainder of the Notice. This Overview summarizes the ways that we may use and share your PHI and your rights to access and control this information. For more details, please read sections IV through VII of this Notice.
We may use and disclose your PHI without your prior authorization for the following purposes:
o Provide you with medical treatment or other health care services;
o Request payment from you, your health insurance plan or other third party payor;
o Perform tasks necessary to operate our business and improve quality of care, including medical education and verification of physician qualifications;
o Coordinate your care, including reminding you of medical appointments and informing you of new medical services offered by us in which you might be interested;
o Contact you about our sponsored events;
o Comply with legal requirements, subpoenas, court orders, and other lawful instructions from a court or government entity;
o Engage in certain pre-approved research projects;
o Avert a risk or threat to public health or safety; and
o Other unique purposes described in Section V of this Notice.
• All of our patients have the following rights regarding their PHI. We may ask you to submit a written request to enforce any of these rights:
o Inspect and obtain a copy of your medical records in a written or electronic form, subject to certain restrictions;
o Request that we amend your records if you believe the PHI we have about you is incorrect or incomplete;
o Obtain a list of people and entities with whom we have shared your PHI, subject to certain exceptions under the law;
o Request that we limit to whom we disclose your PHI in the future;
o Request that we communicate PHI with you in a particular way, such as only by phone;
o Receive prompt notice in the event your PHI is improperly used or disclosed;
o Obtain a paper copy of this Notice; and
o File a complaint regarding the improper use or disclosure of your PHI.
We may use and share your PHI for certain purposes allowed by law. This section describes the purposes for which we may use or disclose your PHI without your prior specific authorization. Not every permissible use or disclosure is listed. However, every permitted use or disclosure will fall within at least one of the following categories:
• Treatment. We may use or disclose your PHI to provide, coordinate or manage your health care. We may disclose your PHI to nurses, physicians, technicians, students, and other Personnel involved in your care. We may also share your PHI with third-party providers, agencies and facilities in order to provide, coordinate or manage your health care, such as prescriptions, lab work and X-rays, or to facilitate continuing medical care for you after your treatment by us.
• Payment. In order to receive payment for the services we provide to you, we may use or disclose your PHI to certain entities, such as your health insurance company or other third party payor, such as Medicare or Medicaid. For example, to receive payment, we must submit a bill to your insurer with your diagnosis, treatment and identifying information, which may include your Social Security number as required. We may also share your PHI with another provider, agency or facility, such as an ambulance company or subcontractor working with us, who has provided you services so they may bill you, your health insurance company or third party payor.
• Healthcare Operations. We may use your PHI to perform tasks necessary to operate our business and improve quality of care. We may share your PHI with Personnel for review and educational purposes. We may also use or disclose your PHI for purposes of accreditation and licensing, resolution of patient grievances or lawsuits, and contracting related to operations.
• Appointment Reminders. We may use and share your PHI to remind you of appointments for treatment or care. For example, if a provider sends you for a test, we may give your phone number to the testing site to call to remind you of your appointment.
• Business Associates. We may share your PHI with a “business associate,” which is a person or entity that we hire to assist us with a task, such as billing or information technology services. Business associates have assured us in writing that they will protect your PHI as required by law.
• Treatment Options and Other Health-Related Benefits and Services. We may use your PHI to contact you about treatment options and other health-related services we offer that may interest you. However, we will not use your information to engage in marketing activities, other than face-to-face communications, without your written authorization. We will never sell your PHI to a third party without your written authorization. However, we may receive payments to disclose your PHI for certain limited purposes allowed by law, such as public health reporting, treatment or research.
• Individuals Involved in Your Care or Payment for Your Care. Unless you say otherwise, we may release your PHI to people involved in your care or payment for your care, such as family members or close friends. In addition, we may disclose your PHI to a “patient representative,” which is a person with legal authority to make health decisions for you. The parent or legal guardian of a minor is typically the minor’s patient representative, unless the minor is permitted by law to act independently and make his or her own medical decisions in certain circumstances. We may also allow your family and friends to act on your behalf to pick-up filled prescriptions, medical supplies, X-rays, and similar forms of PHI when we determine, in our professional judgment, such disclosures are in your best interest. If you do not want your PHI to be released to individuals involved in your care or payment for your care, please indicate your preference at the time the services are provided or contact the Compliance Department by calling 516-869-0650 or in writing to One Hollow Lane, Suite 301, Lake Success, NY 11042.
• Fundraising Activities. We may contact you to tell you about our fundraising programs and events. We may use your PHI, such as the location where you were seen, in order to contact you to ask for a charitable contribution to support research, teaching or patient care. If you do not wish to be contacted about fundraising activities, please contact the Compliance Department by calling 516-869-0650 or in writing to One Hollow Lane, Suite 301, Lake Success, NY 11042.
• Disaster Relief Efforts. We may disclose your PHI with public or private entities assisting with disaster relief efforts, such as the American Red Cross, so that your family can be notified about your condition and location. If reasonable while trying to respond to the emergency, we will try to find out whether you want us to share this information as indicated in our records.
• Research. We may use or disclose your PHI for certain research purposes in accordance with federal and state law. In most cases, researchers will contact you to ask if you are interested in participating in a research study only after receiving your authorization to contact you. In some cases, federal law allows us to use your PHI for research without your authorization if the research has been approved by an Institutional Review Board (IRB) or other special review board that ensures patient safety, welfare and confidentiality. Federal law also allows researchers to review your PHI while preparing for future research, so long as identifying information does not leave our possession. Research studies will not affect your treatment or welfare, and your PHI will continue to be protected. If you have any questions about how your PHI may be used in research, please contact the Compliance Department by calling 516-869-0650 or in writing to One Hollow Lane, Suite 301, Lake Success, NY 11042.
• As Required By Law. We will use and disclose PHI when federal, state or local law requires us to do so.
• Legal Proceedings, Lawsuits and Other Legal Action. We may share your PHI with attorneys, courts and others in response to a subpoena, court order, discovery request, warrant, summons, or other lawful instruction from a court, public body or lawful process, and in the course of other lawful, judicial or administrative proceedings, or to defend ourselves in any lawsuit against us.
• Law Enforcement. If asked to do so by law enforcement and as authorized and required by law, we may disclose your PHI: (i) to identify or locate a suspect, fugitive, material witness, or missing person; (ii) about a suspected victim of criminal conduct when we are unable to obtain the victim’s authorization; (iii) about a death suspected to be the result of criminal conduct; (iv) information about criminal conduct at our offices; and (v) in case of a medical emergency, to report a crime, the location of the crime or victims, or the identity, description or location of the person who committed the crime.
• To Prevent a Threat to Health or Safety. We may use or disclose your PHI to prevent or lessen a serious threat to the health or safety of you, another person or the public. Any disclosure made under this section will be for the purpose of providing assistance to stop or reduce the threat.
• Public Health Risks. We may disclose your PHI to public health officials in the following circumstances: (i) prevent or control disease, injury or disability; (ii) report births and deaths; (iii) report child abuse or neglect; (iv) report reactions to medications or problems with products; (v) notify a person possibly exposed to a disease or at risk for contracting or spreading a disease; and (vi) report to your employer information concerning a work-related illness or injury so your employer can monitor workplace safety.
• Workers’ Compensation. We may disclose your PHI to workers’ compensation or a similar program that provides benefits for work-related injuries or illnesses.
• Health Oversight Governance. We may disclose your PHI to federal, state or local government officials responsible for overseeing our medical activities, including agencies responsible for licensing, auditing and accreditation, and agencies that administer public health programs, such as Medicare and Medicaid.
• Special Government Functions. If you were or are a member of the armed forces of the United States or a foreign government, we may share your PHI as required by military authorities to carry out their duties. We may disclose your PHI to authorized federal officials for purposes of national security and intelligence services, or to protect the President of the United States or other officials, such as foreign heads of state.
• Coroners, Medical Examiners and Funeral Directors. We may release your PHI to coroners, medical examiners or funeral directors to carry out their duties. For example, disclosures to these individuals may be necessary for the identification of a deceased person or to determine the cause of death.
• Incidental Disclosures. Although we strive to protect the confidentiality of your PHI, disclosure of your PHI may occur during or as an unavoidable result of an otherwise permissible use or disclosure. For example, when you speak with personnel to facilitate medical care, another patient may overhear you. “Incidental disclosures” are permissible.
• Special Categories of Information. Certain categories of PHI, including HIV-related, mental health, genetic, and alcohol and substance abuse information, receive additional protections under the law. We will abide by any and all additional protections.
• Uses and Disclosures Not Covered in this Notice. Uses and disclosures of your PHI not covered in this Notice or applicable laws will be made only with your written authorization, which will be obtained before disclosure. You have the right to revoke your authorization in writing at any time. However, we will be unable to revoke any disclosures previously made in reliance on your authorization.
• Right to Inspect and Obtain a Copy of Records. You have the right to ask to obtain a copy of your PHI in records on which we rely to make decisions about your care. This right of access applies to your medical and billing records, but does not apply to psychotherapy notes. If we maintain a record electronically, you may obtain an electronic copy of the record if you ask for an electronic copy. To request a copy of your records, please send an executed “HIPAA Authorization” form to the Compliance Department. This form must specify the records you wish to obtain, including the time period for which records are sought, and an address to send the records. We may charge you a reasonable fee for copying and mailing these records. We may deny your request for records in certain circumstances. If we deny your request in whole or in part, we will provide a letter with the reason for the denial and you may request a review of the decision. This letter will include the review process and how to file a complaint with us or the Secretary of the U.S. Department of Health and Human Services.
• Right to Ask for an Amendment or Addendum. If you believe the PHI we have about you is incorrect or incomplete, you may ask us to amend your record. If we grant your request, the amendment will be included in addition to, and not in place of, the existing information in your record. To request an amendment of your records, you may submit a written request to the Compliance Department. Your request must include a reason to support the request. We may deny a request to amend records for any of the following reasons: (i) the request is not in writing or does not include a reason to support the request; (ii) the PHI to which the amendment is requested was not created by or for us, unless the original creator is not available to amend the record; (iii) the PHI is not part of a record used by us to make decisions about your care; (iv) the PHI is not covered by your right to obtain a copy of your records; or (v) we determine the PHI to be correct and complete. If we deny your request, you will receive a letter that explains the reason for denial. The letter will explain how to file a complaint with us or the Secretary of the U.S. Department of Health and Human Services. You may also have your disagreement with our denial included in your records.
• Right to an Accounting of Disclosures. You have the right to ask for a list of the people and entities with whom we have shared your PHI during the six years prior to your request. To request an accounting of disclosures, you may submit a written request to the Compliance Department. Your request must include the time period for which the accounting is sought. The first accounting within a 12-month period will be free. We may charge a reasonable fee for subsequent accountings within the same 12-month period. This listing of disclosures will not include disclosures made: (i) to you or your personal representative; (ii) to provide or arrange for your care; (iii) to carry out treatment, payment or healthcare operations; (iv) incident to a permitted use or disclosure; (v) to parties you authorized to receive your PHI; (vi) to your family members, relatives or friends who are involved in your care; (vii) for national security or intelligence services; (viii) to correctional institutions or law enforcement officials; and (ix) as part of a “limited data set” for research.
• Right to Request Restrictions of Disclosures. You have the right to request us to limit disclosures of your PHI. While we are not required to grant your request, we will consider all written requests. Should you request that we do not disclose your treatment to your health insurance company or other third party payor, and you pay in full for the treatment at the time of service, we must grant this request. However, should you need follow-up care to an undisclosed service, and you do not pay for the follow-up care when provided, we may tell your insurer about the previously undisclosed service to the extent disclosure is necessary to receive payment for the follow-up care. You may also request that we do not disclose your PHI to persons involved in your care or payment for your care. You have the right to control how we communicate your PHI with you. For example, you may request that we contact you only at a certain phone number or only at a certain mailing address. We will comply with all reasonable requests. If we are unable to contact you using the requested manner of communication, we may contact you at the address or phone number on file.
• Requesting Communication Restrictions. To request that communications be made to you in a certain manner, please indicate your preference during intake or contact the Compliance Department by calling 516-869-0650 or in writing to One Hollow Lane, Suite 301, Lake Success, NY 11042. Your request must include at least one way to contact you, such as an address to send bills. You do not need to provide a reason for the request.
• Right to Receive Notice of Breach. We will notify you in the unusual event of a breach of your PHI by us or one of our business associates if required under the Health Insurance Portability and Accountability Act of 1996 and its related regulations (“HIPAA”). Such notice may be communicated to you in writing or by e-mail. You will receive notice as soon as reasonably possible but no later than 60 days from the discovery of the breach. The notice will include a description of the type of PHI involved, the date the breach was discovered, our steps to investigate and remedy the breach, and contact information to call with any questions or for more information.
• Right to Receive a Paper Copy of this Notice. Upon request, you have the right to obtain a paper copy of this Notice, even if you previously agreed to receive the Notice electronically. Please ask at the front desk of any office location or call the Compliance Department to request a copy.
• How to File a Privacy Complaint. If you believe your privacy rights have been violated as explained in this Notice and in applicable laws, you may file a written complaint with the Compliance Department directly or anonymously. We will appropriately respond to your concern and take steps to ensure the violation does not occur again.
• Non-Retaliation. If you are dissatisfied with our response to your complaint, you may also file a complaint with the Secretary of the U.S. Department of Health and Human Services. You will not be retaliated against if you decide to file a complaint. The complaint must be in writing, describe the subject matter of the complaint and the person or entity you believe violated your privacy. The complaint must be filed within 180 days of when you knew or should have known the violation occurred. You can make a complaint by calling 1-877-696-6775, visiting www.hhs.gov/ocr/privacy/hipaa/complaints/ or by sending the complaint to the following address:
Centralized Case Management Operations
U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Room 509F HHH Bldg.
Washington D.C. 20201
We reserve the right to change this Notice and its practices without providing you notice. We reserve the right to make a revised Notice effective for the PHI we already have about you and any PHI we receive in the future. You may request a written copy of the current Notice of Privacy Practices at any time from the Compliance Department. The current Notice will also be posted on our website at www.pmpediatrics.com.