Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This notice describes our privacy practices and tells you the ways we may use and disclose your protected health information (information in your health record that could identify you – hereafter referred to as “PHI”). It also describes your rights and our obligations regarding the use and disclosure of PHI. We may change our privacy policies and practices and have those revised policies and practices apply to all PHI that we maintain. If or when we change our notice, we will post the new notice in our office where it can be seen and on our website at www.SanBenitoMedical.com. You can request a paper copy of our notice of privacy practices at any time (even if you have allowed us to communicate with you by email). For more information about this notice or our privacy practices and policies, please contact the person listed at the end of this document.
A. NOTICE REGARDING ELECTRONIC DISCLOSURE OF PROTECTED HEALTH INFORMATION (PHI)
Please take notice that this office maintains our patients’ PHI in electronic form (hereafter referred to as “electronic health records” or “EHRs”). All EHRs maintained by this office, including your PHI, is subject to electronic disclosure. Please see Paragraph C below for electronic disclosures of PHI that require your authorization.
B. USES AND DISCLOSURES FOR TREATMENT, PAYMENT AND HEALTH CARE OPERATIONS
Except under limited circumstances, our providers may use or disclose your PHI for treatment, payment and health care operations purposes without your consent or authorization. To help clarify these terms, here are some definitions:
• “Use” applies only to activities within our practice such as sharing, applying, utilizing, examining and analyzing information that identifies you.
• “Disclosure” applies to activities outside of our practice such as releasing, transferring or providing access to information about you to other parties. We can also provide information to you. You have the option of allowing us to provide information to you, such as lab results, by mail, email (when we have received your written consent to communicate with you by email), fax, telephone (your choice of home, work or cell) or with registration and activation to a patient portal. You can make this choice by providing your preferred communications to our staff who will note your communication preferences in your records. Should you elect to receive email communications from this office, you must complete and sign San Benito Medical Associates, Inc.’s email consent form and provide us with your email address.
• “Covered Entity” means any person who engages in the practice of assembling, collecting, analyzing, using, evaluating, storing or transmitting PHI for commercial, financial or professional gain, or monetary fees or dues.
• “Business Associate” means any person or organization that creates, receives, maintains or transmits PHI on our behalf. There are some instances in which we contract with business associates to provide our office with certain services. Examples include maintenance and service contracts for x-ray equipment and laboratory analyzers or software support for our computer and billing systems. When these services are contracted, we may have a need to disclose your PHI to our business associates so that they can perform the job we have asked them to do. To protect your PHI, however, we require the business associates to appropriately safeguard your information.
Treatment: We are permitted to use and disclose your PHI to those involved in your treatment without your authorization except when such use and disclosure of your PHI is for marketing purposes. One example of treatment would be when we request that your cardiologist or other specialist share your medical information with us. Likewise, we may provide your cardiologist or other specialist with information about your particular condition so that he or she can appropriately treat you for other medical conditions, if any. Another example is when we contact you to provide appointment reminders that do not result in our receipt of any financial remuneration (compensation) either in writing, by email (when we have received your written consent to communicate with you by email), fax or by telephone (by talking to you personally or leaving messages on your answering machine or voice mail).
Payment: We are permitted to use and disclose your PHI to bill and collect payment for the services we provide to you. Examples of payment are when we disclose your PHI to your health insurer to obtain reimbursement for your health care or to determine eligibility coverage.
Health Care Operations: Except under limited circumstances, we are permitted to use and disclose your PHI for the purposes of health care operations without your authorization except when such uses and disclosures are for marketing purposes. Health Care Operations are activities that relate to the performance and operation of our practice and ensure that quality care is delivered. Examples of health care operations are the performance of quality assessment and improvement activities, business-related matters such as audits and administrative services and case management and care coordination. Persons participating in such processes will review billing and medical files to ensure we maintain our compliance with regulations and the law.
Sale of PHI: Under Texas law, we may not disclose your PHI to any other person in exchange for direct or indirect remuneration unless such disclosure is made to another covered entity for purposes of treatment or payment, or as otherwise authorized or required by state or federal law. In such instances, the remuneration we can receive for such disclosures may not exceed our reasonable costs for preparing or transmitting the PHI.
C. USES AND DISCLOSURES REQUIRING AUTHORIZATION
We may use or disclose your PHI for purposes outside of treatment, payment and health care operations when your authorization is obtained, and your authorization will also be obtained when your PHI is used for treatment and healthcare operations for marketing purposes. An “authorization” is written permission above and beyond the general consent that permits only specific disclosures. In those instances when we are asked for information for purposes outside of treatment, payment and health care operations and in the limited instances in which your PHI is used or disclosed for treatment and health care operations for marketing purposes, we will obtain an authorization before releasing this information. Further, to the extent practicable, we will limit the use and disclosure of your PHI to the minimum necessary to accomplish the intended purpose of such use, disclosure or request.
Marketing: We will not use or disclose your PHI for marketing purposes without your authorization. “Marketing” means to make a communication about a product or service that encourages you to purchase or use it for which we receive financial remuneration from a third party. We are permitted to use or disclose your PHI for marketing purposes without your authorization if (1) such disclosure is made during a face-to-face communication between you and someone in our office (2) the communication concerns a promotional gift of nominal value provided by our office, (3) the communication involves a refill reminder for which we receive financial remuneration in a reasonable amount in exchange for the communication, (4) the communication pertains to a drug or biologic you are currently taking, (5) the communication promotes health in general and does not promote a product or service, (6) the communication concerns a government-sponsored program and (7) the communication is made for treatment and healthcare operations purposes for which we do not receive remuneration for making the communication.
In those instances in which a marketing use or disclosure requires your authorization, we will advise you if we will receive direct or indirect remuneration from a third party for the marketing of your PHI.
Electronic Disclosure of PHI: Except under limited circumstances, we will not electronically disclose your PHI to any person without obtaining your authorization, or the authorization of your legally authorized representative, for each disclosure of your PHI. Your authorization for electronic disclosures of your PHI may be provided in written or electronic form or verbally if it is documented in writing by this office. An authorization for the electronic disclosure of PHI is not required if the disclosure is made to another covered entity for the purpose of treatment, payment, health care operations or for performing an insurance or health maintenance organization function or as otherwise authorized or required by Texas or federal law.
Other uses and disclosures not described in our Notice of Privacy Practices will be made only with your authorization. You may revoke an authorization at any time provided that it is in writing and we have not already relied on the authorization.
D. USES AND DISCLOSURES THAT DO NOT REQUIRE CONSENT OR AUTHORIZATION
We may also use or disclose your PHI without your consent or authorization in the following circumstances except as otherwise prohibited by law:
Child Abuse or Neglect: If we have cause to believe that a child has been or may be abused, neglected or sexually abused, we must make a report of such to the appropriate authorities in accordance with Texas and federal law.
Adult and Domestic Abuse: If we have cause to believe that an adult, elderly or disabled person is in a state of abuse, neglect, or exploitation, we must report such to the appropriate authorities in accordance with Texas and federal law.
Public Health and Health Oversight Activities: We may disclose your PHI for public health activities. Public health activities are mandated by federal, state or local government and involve the collection of information about disease, vital statistics (like births and deaths), or injury by a public health authority. For example, we may disclose PHI to prevent or control disease, injury or disability or to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition. We may also disclose PHI to report reactions to medications, problems with products or to notify people of recalls of products they may be using. We will make all such disclosures in accordance with the requirements of Texas and federal laws and regulations.
We may disclose PHI to a health oversight agency for those activities authorized by law. Health oversight agencies include public and private agencies authorized by law to oversee the health care system, government programs and compliance with other laws such as civil rights laws. Examples of these activities are audits, civil, administrative or criminal investigations, licensure applications and inspections.
Parents: If you are a parent or guardian of a minor who cannot legally consent to treatment as an adult and are acting as the minor’s personal representative, we may disclose PHI to you under certain circumstances. An exception to this is if your child is legally authorized to consent to treatment (without separate consent from you), consents to such treatment and does not request that you be treated as his or her personal representative.
Personal Representative: If you are acting as the personal representative of an adult patient and have authority to act on behalf of such patient under applicable law in making decisions related to the adult patient’s healthcare, we may disclose PHI to you under certain circumstances.
Judicial or Administrative Proceedings: We may disclose your PHI in the course of judicial or administrative proceedings in response to an order of the court (or the administrative tribunal) or other appropriate legal process. Certain requirements must be met before the information is disclosed. If you are involved in a court proceeding and a request is made for information about your diagnosis and treatment and the records thereof, such information is privileged under state law, and we will not release information without (1) written authorization from you or your personal or legally appointed representative or (2) a court order. The privilege does not apply when you are being evaluated for a third party or where the evaluation is court ordered; in a judicial proceeding affecting the parent-child relationship; a judicial proceeding relating to a will if the patient’s physical or mental condition is relevant to the execution of the will; or in any criminal proceeding provided by law.
Law Enforcement Purposes: We may disclose your PHI for a law enforcement purpose to a law enforcement official under limited circumstances provided:
• The information is released pursuant to legal process, such as a warrant or subpoena;
• The information is released to identify or locate a suspect, fugitive, material witness or missing person.
• The information is about a victim of crime and we are unable to obtain the person’s agreement because the person is incapacitated;
• The information pertains to a person who has died under circumstances that may be related to criminal conduct; or
• The information is released because of a crime that has occurred on these premises.
Coroners, Medical Examiners and Funeral Directors: We may release your PHI to a coroner or medical examiner to identify a deceased person or determine the cause of death. Further, we may release your PHI to a funeral director when such a disclosure is necessary for the director to carry out his duties.
Research: We may use and disclose your PHI for research purposes under certain circumstances. All research projects must undergo a special approval process. Prior to the use or disclosure of your PHI for research purposes, the research project must be approved through the research process. When a research project and its privacy protections have been approved by an institutional review board or privacy board, we may release your PHI to researchers for research purposes.
Organ and Tissue Donation: We may also release your PHI to organizations that handle the procurement of organ, eye or tissue transplantations if you have formally indicated your desire to be an organ donor.
Serious Threat to Health or Safety: If we believe that the use or disclosure of your PHI is necessary to prevent or lessen a serious and imminent threat to your health or safety or the health or safety of others, we may disclose relevant PHI to a person or persons reasonably able to prevent or lessen the threat, including family members, medical or law enforcement personnel and the target of the threat.
Military, National Security, Intelligence Activities and Protection of the President: We may disclose your PHI for specialized government functions as authorized by law; determination of veteran’s benefits; requests as necessary by appropriate military commanding officers (if you are in the military); authorized national security and intelligence activities, as well as authorized activities for the provision of protective services for the President of the United States and other authorized government officials or foreign heads of state.
Correctional Institutions: If you are an inmate or under the custody of a law enforcement official, we may release your PHI to the correctional institution or law enforcement official. This release is permitted to allow the institution to provide you with medical care, to protect your health and safety or the health and safety of others, or for the safety and security of the institution.
Worker’s Compensation: If you file a worker’s compensation claim, we may disclose your PHI as required by workers’ compensation law.
Student Immunization Records: Under certain circumstances, we may disclose proof of immunization records to a school, at the request of a minor’s parent or guardian or at the request of a patient who is an adult or emancipated minor, without obtaining the written authorization of the minor’s parent or guardian or that of an adult patient or emancipated minor, where state law requires the school to have such information prior to admission of the student. However, we are required to obtain and document an agreement, which may include a verbal agreement, from the minor’s parent or guardian or the adult or emancipated minor prior to such disclosure. Texas law requires us to obtain an authorization prior to the disclosure of PHI in an electronic format. We will not disclose immunization records to a school without an authorization from the minor’s parent or guardian or from a patient who is an adult or emancipated minor when the request for such records is received directly from the school.
PHI of Decedents: Under certain circumstances, we may disclose a decedent’s PHI, without obtaining an authorization, to the decedent’s family members and others who were involved in the decedent’s care or payment for care of the decedent prior to death unless doing so is inconsistent with any prior expressed preference of the decedent that is known to us. Texas law requires us to obtain an authorization prior to the disclosure of PHI in an electronic format.
Required by Law: We may disclose PHI about you as required by Texas, federal or other applicable law.
E. PATIENT’S RIGHTS UNDER FEDERAL AND TEXAS LAW
The U.S. Department of Health and Human Services has created regulations intended to protect patient privacy as required by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (hereafter referred to as “HITECH”). Texas has also enacted laws to protect patient privacy. These laws and regulations create several privileges that patients may exercise. We will not retaliate against patients who exercise their privacy rights under HIPAA, HITECH or Texas law.
Right to Request Restrictions on Disclosure of PHI to a Health Plan: Under HITECH, and unless otherwise required by law, you have the right to request restrictions on disclosures of PHI to a health plan that are made for payment purposes or health care operations if the PHI to be disclosed pertains solely to a health care item or service for which SAN BENITO MEDICAL ASSOCIATES, INC. has been paid out of pocket in full by you or someone on your behalf.
Right to Request Other Restrictions: You have the right to request other restrictions on certain uses and disclosures of PHI about you. However, we are NOT required to agree to such other restrictions you request.
You may request that we limit disclosure to family members, other relatives or close personal friends who may or may not be involved in your care or payment related to your healthcare.
To request a restriction, submit the following in writing: (a) the information to be restricted, (b) what kind of restriction you are requesting (i.e., on the use of information, disclosure of information or both) and (c) to whom the limits apply. Please send the request to the address and person listed at the end of this document.
Right to Receive Confidential Communications by Alternative Means and at Alternative Locations: You have the right to request and receive confidential communications from SAN BENITO MEDICAL ASSOCIATES, INC. about your PHI in a certain way or at a certain location. We are required to accommodate only reasonable requests. Please inform our staff exactly how you want us to communicate with you and, if you are directing us to send it to a particular place, the contact and address information. Our staff will document your specific communication preferences in your records. San Benito Medical Associates, Inc. uses email to communicate with its patients for the limited purposes of providing appointment reminders, lab results, payment invoices, receipt of San Benito Medical Associate, Inc.’s Notice of Privacy Practices and information related to Health-Related Benefits and Services that may be of benefit to its patients that do not result in San Benito Medical Associates, Inc.’s receipt of any financial remuneration (compensation). You will not receive email communications from San Benito Medical Associates, Inc. except for the limited purposes described above unless otherwise Required By Law. If you desire to receive any or all of the above communications from this office by email, you must sign San Benito Medical Associates, Inc.’s email consent form.
Right to Inspect and Copy: Except as otherwise prohibited by law, you have the right to inspect and/or obtain a copy or a summary of your PHI that is within a designated record set, which are records used to make decisions about your care, for as long as the PHI is maintained in the record. You have the right to receive your PHI, as set forth above, in electronic format, if readily available. Further, you may direct us to transmit a copy of your PHI, as described above, to an entity or person designated by you provided that you provide us with a clear, conspicuous and specific designation in writing which clearly identifies the designated entity or person and designates where the PHI is to be transmitted. Under Texas law, we will obtain your authorization prior to disclosing PHI to such designated entity or person in an electronic format.
Texas law requires that requests for copies be made in writing and we ask that requests for inspection of your health record also be made in writing. Please send your request to the person listed at the end of this document.
We can refuse to provide some of the information you ask to inspect or be copied, without providing you with an opportunity for a review of our decision, for the following reasons:
• The information is psychotherapy notes.
• The information reveals the identity of a person who provided information under a promise of confidentiality.
• The information is subject to the Clinical Laboratory Improvements Amendments of 1988.
• The information has been compiled in anticipation of litigation.
We may deny your access to PHI for other reasons. In these instances, you have a right to request a review of our decision to deny access to your PHI. If you request a review, we will arrange for a review of our decision by another licensed healthcare provider who was not involved in the prior decision to deny access. SAN BENITO MEDICAL ASSOCIATES, INC. will comply with the outcome of the review.
We will provide you with copies or a summary of your PHI or a written denial of access within 15 days of your request. We are permitted to charge a reasonable fee established by the Texas Medical Board for the costs of copying, mailing or summarizing your records. Should you desire a summary instead of a copy of your PHI, you must agree to receiving the summary and to the cost charged for the summary in advance.
Right to Amend: If you feel that your PHI maintained about you is incorrect or incomplete, you have the right to request an amendment of your PHI in the designated record set for as long as the PHI is maintained in the record. You must make your request in writing to the person listed at the end of this document. We will respond within 60 days of your request.
We may refuse to allow an amendment for the following reasons:
• The information was not created by this practice or the physicians in this practice.
• The information is not part of the designated record set.
• The information is not available for your inspection because of an appropriate denial.
• The information is accurate and complete.
Even if we refuse to allow an amendment, you are permitted to include a patient statement about the information at issue in your medical record. If we refuse to allow an amendment, we will inform you in writing.
If we approve the amendment, we will inform you in writing, allow the amendment to be made and inform others that we know have the incorrect information.
Right to an Accounting: Under HIPAA, you generally have the right to receive an accounting of disclosures of your PHI made by this office in the six (6) years prior to the date on which the accounting is requested unless such disclosures are made for treatment, payment, health care operations, made via an authorization signed by you or your representative and other limited purposes. However, in accordance with HITECH, since this office uses and maintains EHRs with respect to your PHI, you have a right to receive an accounting of disclosures of your PHI that are made for treatment, payment and health care operations but you are only entitled to receive an accounting of disclosures of your PHI made by this office in the three (3) years prior to the date on which the accounting is requested. All other exceptions to your right to an accounting described above still apply with respect to accounting of disclosures of your PHI made by this office to you.
Please submit any request for an accounting to the person at the end of this document. We will respond within 60 days of your request.
The first accounting of disclosures that you request within a 12-month period will be free. For additional requests received within that period, we are permitted to charge for the cost of providing the list. If there is a charge, we will notify you and you may choose to withdraw or modify your request before any costs are incurred.
Right to a Paper Copy: You have the right to obtain a paper copy of this Notice of Privacy Practices from us upon request.
Right to Breach Notification: You have the right to be notified and to receive notification following a breach of your unsecured PHI. “Unsecured PHI” means PHI that is not secured by technology that renders the information unusable, unreadable or indecipherable as required by law.
F. OUR RESPONSIBILITIES TO YOU
We understand that your PHI and your health are personal and we are committed to protecting this information. We are required by law to maintain the privacy of your PHI and to provide you with a notice of our legal duties and privacy practices with respect to PHI.
We reserve the right to change the privacy policies and practices described in this notice. Unless we notify you of such changes, however, we are required to abide by the terms currently in effect.
If we revise our policies and procedures, we will promptly revise our Notice, post the revised Notice in our office, post it on our website and make copies available to our patients and others.
G. APPOINTMENT REMINDERS, TREATMENT ALTERNATIVES AND OTHER BENEFITS
We may contact you by telephone, mail, email (when we have received your written consent to communicate with you by email) or fax to provide appointment reminders, information about treatment alternatives or other health-related benefits and services that may be of interest to you if we do not receive any financial remuneration from a third party for such communications.
If you are concerned that your privacy rights have been violated, you may contact the person listed below. Further, you may file a written complaint with the Secretary of the U.S. Department of Health & Human Services, Office for Civil Rights, U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Room 509F, HHH Building, Washington, D.C. 20201. Further, you may file a written complaint with the Texas Attorney General, by U.S. Mail to the Office of the Attorney General, P.O. Box 12548, Austin, Texas 78711-2548, or make inquiries by e-mail at firstname.lastname@example.org. We will not retaliate against you for filing a complaint with us or the federal or state government.
I. CONTACT PERSON FOR QUESTIONS FOR REQUESTS AND QUESTIONS
If you have any questions or want to make a request pursuant to the rights described above, please contact:
Michelle Williams, Privacy Officer
SAN BENITO MEDICAL ASSOCIATES, INC.
351 N. Sam Houston
San Benito Texas 78586
(956) 247-7000 (Telephone)
J. EFFECTIVE DATE
This revised notice is effective September 23, 2013.
We may change our policies and this notice at any time and have those revised policies apply to all the protected health information we maintain. If or when we change our notice, we will post the new notice in the office where it can be seen