THIS NOTICE (NOPPs) DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION under the HIPAA Omnibus Rule.
For the purposes of this Notice “us”, “we” and “our” refers to the Name of this practice: Russell Eyecare & Associates and “you” or “your” refers to our patients (or their legal representatives as determined by us in accordance with state informed consent law). When you receive healthcare services from us, we will obtain access to your medical information. We are committed to maintaining the privacy of your health information and have implemented numerous procedures to ensure that we do so.
The federal Health Insurance Portability & Accountability Act of 2013, HIPAA Omnibus Rule (formerly HIPAA 1996 & HITECH of 2004) requires us to maintain the confidentiality of all your healthcare records and other identifiable patient health information (PHI) used by or disclosed to us in any form, whether electronic, on paper, or spoken. HIPAA is a federal law that gives you significant new rights to understand and control how your health information is used. Federal and state law provide penalties for covered entities, business associates and subcontractors that misuse or improperly disclose PHI.
HIPAA requires us to provide you with the Notice of our legal duties and the privacy practices we are required to follow when you first come into our office for healthcare services. If you have any questions, please speak to our Privacy Practices officer.
Our doctors, clinical staff, opticians and business associates (including their subcontractors) all follow the policies and procedures set forth in this Notice. If your primary doctor is not available, we will give you the name of another doctor who also follows HIPAA Omnibus Rule Privacy Practices.
Under the law, we must have your signature on a written, dated Authorization Form of Acknowledgement of this Notice (referred to as “AoA” in this Notice), before we will use or disclose your PHI for certain purposes as detailed in the rules below.
Our staff will not use or access your PHI unless it is needed to do their jobs. All of our team members are trained in HIPAA Privacy rules and sign a strict Confidentiality Contract with regards to keeping private your PHI. So do our Business Associates and subcontractors. Know that your PHI is protected several layers deep with regard to our business relations. Also we disclose to outside staff, only as much of your PHI as is needed to accomplish the recipients' lawful purposes. Still in certain cases, we may use and disclose the entire contents of your medical record:
In accordance with HIPAA law, we presume that requests for disclosure of PHI from another Covered Entity (as defined in HIPAA) are for the minimum necessary amount of PHI to accomplish the requestor’s purposes. Our privacy officer determines ‘minimum necessary’ to disclose based on the following:
We will take reasonable administrative, technical and security safeguards to ensure the privacy of your PHI when we use or disclose it. We use a firewall and router to federal standards, change passwords periodically (i.e. when an employee leaves us), back up our PHI data off-site with encryption to federal standards, and do not allow unauthorized access to areas where PHI is stored or filed. We do not have any unsupervised business associates in PHI areas without a Business Associate Confidentiality Agreement.
In the event that there is a breach in protecting your PHI, we will follow Federal Guidelines to HIPAA Omnibus Rule Standard to first evaluate the breach situation using the Omnibus Rule, 4-Factor Formula for Breach Assessment. Then we will document the situation, retain copies of the situation on file, and report all breaches (other than low probability, as prescribed by the Omnibus Rule) to the US Dept of Health and Human Services at: www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html. We will also notify you and other parties of significance as required by HIPAA Law.
Business associates are defined as: an entity, that in the course of their work will directly or indirectly use, transmit, view, transport, hear, interpret, process or offer PHI for this Facility.
Business associates and other 3rd parties that receive your PHI from us will be prohibited from re-disclosing that information. Business associates are required to sign a Confidentiality Agreement to Federal Omnibus Standards and follow Omnibus rules.
If we have PHI about you regarding communicable disease, disease testing, alcohol or substance abuse diagnosis and treatment, or psychotherapy and mental health records (super-confidential information under the law), we will not disclose it under the General or Healthcare Treatment, Payment, and Operations Rules without your first signing and properly completing your AoA. If we disclose super-confidential information, we will comply with federal law that requires us to warn the recipient that re-disclosure is prohibited.
We reserve the right to change our privacy practices at any time as authorized by law. The changes will be considered immediate and will apply to all PHI we create or receive in the future. If we make changes, we will post the changed notice on our website, and in our office. Upon request, you will be given a copy of our current Notice.
We will not use or disclose your PHI for any purpose other than as stated in the Notice above without your signature for consent.
Marketing is defined as communication about a product or service that encourages recipients to purchase or use the product or service. Under the HIPAA Omnibus Rule, we have included a section on our AoA to obtain your authorization. In general, we use marketing to inform you about products, services, or new technology that can benefit you. On occasion, we may notify you of patient appreciation sales.
We generally do not participate in fundraising with our patient information.
We may seek authorizations from you for the use of your PHI for future research. However, we would make clear the research it is being used for.
If you got this Notice via email or website, you have the right to a paper copy by asking our privacy officer. You also have the right to see and get a copy of your PHI by submitting a request to our privacy officer or filling out a record request form. We may charge a fee for the copy, not to exceed $10. And we may charge a mailing fee if a paper copy is requested via mail, not to exceed $5. We will respond with a copy within 30 days as required by federal law. If we deny your request, you may ask for a review of that decision, and we will have it reviewed by a licensed healthcare professional and follow their decision.
If we receive a correction to your PHI by another doctor or you, we will make the changes upon receipt of written notification. You may request a correction to your PHI by filling out a Request for Amendment/Correction form. We will act upon your request within 30 days. We will make the changes by noting, not deleting, and notify you within 5 days that the corrections have been made. We may deny your request under certain circumstances. If we do, we will notify you in writing within 5 days. You may lodge a complaint with our privacy officer or to DHHS if you do not agree with the denial.
You may ask us to limit how your PHI is used and disclosed by submitting a written Request for Restriction on Use, Disclosure form to our Privacy Officer. We will follow the request unless it is an emergency situation where we did not have time to check limitations or if we are unable to grant your request (i.e. required by law).
You may ask us to communicate with you in a different way or at a different place by submitting a written Request for Alternative Communication form to us. We will accommodate all reasonable requests.
We will follow the rules set forth in this Notice. If you want more information, or if you believe your privacy rights have been violated, we want to make it right. We never penalize you for filing a complaint. To do so, please file a formal written complaint within 180 days to our Privacy Officer at:
Russell Eyecare & Associates
15 E Minnesota Street, Ste 107
St. Joseph, MN 56374
Fax: (530)420-3693
Email: info@russelleyecare.com
You may get your HIPAA Complaint form from our Privacy Officer.
These privacy practices are in accordance with the original HIPAA enforcement effective April 14, 2003 and updated to the Omnibus Rule effective March 26, 2013 and will remain in effect until we replace them as specified by Federal and State Law.
When you request us to fax, email or text your PHI as an alternative communication, we may agree to do so, but this may be reviewed by our Privacy Officer or treating doctor. By providing us with this information, you are guaranteeing that you have sole access to the fax, email or phone with text. We are not responsible for PHI viewed by others if it is a shared fax, email or phone, as you requested that it be sent there. We will include a cover sheet and attach an appropriate notice to the message. Our emails are encrypted per Federal Standard for your protection.
If we sell our practice, our patient records may be disclosed and physical custody may be transferred to the purchasing healthcare provider, but only in accordance with the law. The new record owner will be solely responsible for ensuring privacy of your PHI after the transfer and you agree that we will have no responsibility for transferred records thereafter. If the practice dies, our patient records will be transferred to another healthcare practitioner within 90 days or stay with the attending doctor at his/her new location. Before either of these 2 situations, our Privacy Officer will obtain a Business Associate Agreement from the purchaser and review your PHI.
We will retain your records for 7 years from your last treatment or exam, at which point you will become an inactive patient in our practice and we may destroy your records at that time (inactive minor patient records will not be destroyed before their 18th birthday). We destroy them in accordance with the law.
If we use or disclose your PHI for collections purposes, we will do so only in accordance with the law.