HIPAA Notice of Privacy Practices
Russell Eyecare & Associates

____________________________________________________________________________________

THIS NOTICE (NOPPs) DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION under the HIPAA Omnibus Rule.

Please Review the following carefully:

For the purposes of this Notice “us”, “we” and “our” refers to the Name of this practice: Russell Eyecare & Associates and “you” or “your” refers to our patients (or their legal representatives as determined by us in accordance with state informed consent law). When you receive healthcare services from us, we will obtain access to your medical information. We are committed to maintaining the privacy of your health information and have implemented numerous procedures to ensure that we do so.

The federal Health Insurance Portability & Accountability Act of 2013, HIPAA Omnibus Rule (formerly HIPAA 1996 & HI TECH of 2004) require us to maintain the confidentiality of all your healthcare records and other identifiable patient health information (PHI) used by or disclosed to us in any form, whether electronic, on paper, or spoken. HIPAA is a federal law that gives you significant new rights to understand and control how your health information is used. Federal and state law provide penalties for covered entities, business associates and subcontractors that misuse or improperly disclose PHI.

HIPAA requires us to provide you with the Notice of our legal duties and the privacy practices we are required to follow when you first come into our office for healthcare services. If you have any questions, please speak to our Privacy Practices officer.

Our doctors, clinical staff, opticians and business associates (including their subcontractors) all follow the polices and procedures set forth in this Notice. If your primary doctors is not available, we will give you the name of another doctor who also follows HIPAA Omnibus Rule Privacy Practices.

OUR RULES ON HOW WE MAY USE AND DISCLOSE YOUR PHI

Under the law, we must have your signature on a written, dated Authorization Form of Acknowledgement of this Notice (referred to as “AoA” in this Notice), before we will use or disclose your PHI for certain purposes as detailed in the rules below.

1. 1) Documentation: You will be asked to sign an AoA form when you receive this Notice of Privacy Practices. If you did not sign such a form or need a copy of the one you signed, please contact our privacy officer. You may revoke your consent at any time (unless we already have acted based on it) by submitting our Revocation Form in writing to us at our address listed above (It will take effect when we actually receive it). It will not affect any use or disclosure that occurred prior to revocation.
2. 
   
3. 2) General Rule: If you do not sign our AoA, or if you revoke it, as a general rule (subject to exceptions described under “Healthcare Treatment, Payment and Operations Rule” and “Special Rules”), we cannot in any manner use or disclose to anyone (except you) your PHI or any other information in your medical record. By law, we are unable to submit claims to payers under assignment of benefits without your signature on our AoA form. You can restrict disclosure to your insurance company for any services you pay for ‘out of pocket’ under the 2013 Omnibus Rule. We will not condition treatment on you signing an AoA, but we may be forced to decline you as a new patient or discontinue you as an active patient if you choose not to sign the AoA or you revoke it.

HEALTHCARE TREATMENT, PAYMENT AND OPERATIONS RULE

With your signed consent (on our AoA), we may use or disclose your PHI in order:

• To provide you with or coordinate healthcare treatments and services. For example, this includes consulting with other doctors about your care, delegating tasks to ancillary staff, calling in prescriptions to your pharmacy, disclosing information to family or others so that they may assist you with home care, arrange appointments with other healthcare providers, schedule ancillary testing or lab work for you, etc.
• To bill or collect payment from you, an insurance company, a managed care organization, a health benefit plan or another 3rd party.
• To run our office, assess the quality of care our patients receive and provide you with customer service. For example, this includes contacting you to remind you of appointments or missed appointments, we may leave messages (not giving out detailed PHI) with whom ever answers your phone or on your answering machine, etc. This includes the mailing of exam reminder postcards and optical dispense postcards.
• New HIPAA Omnibus Rule does not require that we provide the above notice of “Healthcare Treatment, Payment and Operations Rule”, but we are including it as a courtesy, so that you may understand our use of your PHI with our business practices.
• Our doctor(s) are also instructors for other healthcare professionals. Parts of your healthcare record (i.e. imaging, ancillary testing, exam records) may be used during lecture. There will be NO identifying information (i.e. name, DOB, address, etc.) used.
• FYI: Under the new Omnibus Rule, health insurance plans cannot use or disclose genetic information for underwriting purposes (excluding long-term care plans). Also, psychotherapy notes maintained by a healthcare provider, must state in their NOPPs that they can allow “use and disclosure” of such notes only with your written authorization. We allow use and disclosure of psychotherapy notes with your written consent, AoA signature will be accepted for this.

SPECIAL RULES

Not withstanding anything else contained in this Notice, only in accordance with applicable HIPAA Omnibus Rule, under strictly limited circumstances, we may use or disclose your PHI without you permission, consent or authorization for the following purposes:

• When required under federal, state or local law.
• When necessary for public health reasons (i.e. disease control, disability, adverse reactions to medications, suspected abuse, etc.)
• When necessary in emergencies to prevent a serious threat to your health/safety or health/safety of other persons.
• For federal or state government health care oversight activities.
• For judicial and administrative proceedings and law enforcement purposes.
• For Worker’s Compensation purposes.
• For intelligence, counterintelligence and national security.
• For organ or tissue donation.
• For research projects approved by an Institutional Review Board or a privacy board.
• To create a collection of information that is ‘de-identified’.
• To family members, friends, and other, but only if you are present and verbally give permission. This includes, if you bring someone into the exam room or conference area where we are discussing your PHI. Or, if we reasonably infer that it is in your best interest because they know you are a patient and asked you to pick up records, DME, or prescriptions. Or, if it is an emergency situation involving you and we determine it is in your best interest to disclose you PHI, in which case only pertinent information will be disclosed and you will be notified as soon as possible. As per HIPAA law 164.512(j) (A) is necessary to prevent or lessen a serious or imminent threat to the health and safety or a person or the public and (B) Is to person or persons reasonable able to prevent to lessen that threat.

MINIMUM NECESSARY RULE

Our staff will not use or access your PHI unless it is needed to do their jobs. All of our team members are trained in HIPAA Privacy rules and sign a strict Confidentiality Contract with regards to keeping private your PHI. So do our Business Associates and subcontractors. Know that your PHI is protected several layers deep with regard to our business relations. Also we disclose to outside staff, only as much of your PHI as is needed to accomplish the recipients' lawful purposes. Still in certain cases, we may use and disclose the entire contents of your medical record:

1. 1) To you (or legal representatives as stated above) and anyone else you list on your AoA to receive a copy of your records.
2. 2) To healthcare providers for treatment purposes (this includes referrals to other doctors or reports requested by another of your doctors).
3. 3) To the US Dept of Health and Human Services.
4. 4) To others as required under federal and state law.
5. 5) To our privacy officer and others as needed to resolve a complaint or accomplish your request under HIPAA.

In accordance with HIPAA law, we presume that requests for disclosure of PHI from another Covered Entity (as defined in HIPAA) are for the minimum necessary amount of PHI to accomplish the requestor’s purposes. Our privacy officer determines ‘minimum necessary’ to disclose based on the following:

• Amount of information being disclosed.
• Number of individuals or entities to whom it is being disclosed.
• Importance of use or disclosure.
• Likelihood of further disclosure.
• Whether the same result can be achieved with ‘de-identified’ information.
• Technology available to protect confidentiality of information.
• Cost to implement administrative, technical and security procedures to protect confidentiality.
• If we believe a request is unclear, or we feel is not needed, we will ask the requester to document why this is needed.

INCIDENTAL DISCLOSURE RULE

We will take reasonable administrative, technical and security safeguards to ensure the privacy of your PHI when we use or disclose it. We use a firewall and router to federal standards, change passwords periodically (i.e. when an employee leaves us), backup our PHI data off-site and is encrypted to federal standards, and do not allow unauthorized access to areas where PHI is stored or filed. We do not have any unsupervised business associates in PHI areas without a Business Associate Confidentiality Agreement.


In the even that there is a breach in protecting your PHI, we will follow Federal Guidelines to HIPAA Omnibus Rule Standard to first evaluate the breach situation using the Omnibus Rule, 4-Factor Formula for Breach Assessment. Then we will document the situation, retain copies of the situation on file, and report all breaches (other than low probability, as prescribed by the Omnibus Rule) to the US Dept of Health and Human Services at: www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html We will also notify you and other parties of significance as required by HIPAA Law.

BUSINESS ASSOCIATE RULE

Business associates are defined as: an entity, that in the course of their work will directly or indirectly use, transmit, view, transport, hear, interpret, process or offer PHI for this Facility.

Business associates and other 3rd parties that receive your PHI from us will be prohibited from re-disclosing that information. Business associates are required to sign a Confidentiality Agreement to Federal Omnibus Standards and follow Omnibus rules.

SUPER-CONFIDENTIAL INFORMATION RULE

If we have PHI about you regarding communicable disease, disease testing, alcohol or substance abuse diagnosis and treatment, or psychotherapy and mental health records (superconfidential
information under the law), we will not disclose it under the General or Healthcare Treatment, Payment, and Operations Rules without your first signing and properly completing your AoA. If we disclose super-confidential information, we will comply with federal law that require us to warn the recipient that re-disclosure is prohibited.

CHANGES TO PRIVACY POLICY RULES

We reserve the right to change our privacy practices at any time as authorized by law. The changes will be considered immediate and will apply to all PHI we create or receive in the future. If we make changes, we will post the changed notice on our website, and in our office. Upon request, you will be given a copy of our current Notice.

AUTHORIZATION RULE

We will not use or disclose your PHI for any purpose other than as stated in the Notice above without your signature for consent.

MARKETING RULES

Marketing is defined as communication about a product or service that encourages recipients to purchase or use the product or service. Under the HIPAA Omnibus Rule, we have
included a section on our AoA to obtain your authorization. In general, we use marketing to inform you about produces, services, or new technology that can benefit you. On occasion, we
may notify you of patient appreciation sales.

FUNDRAISING RULES

We generally do not participate in fundraising with our patient information.

AUTHORIZATIONS RELATED TO RESEARCH

We may seek authorizations from you for the use of your PHI for future research. However, we would make clear the research it is being used for.

YOUR RIGHTS REGARDING YOUR PHI

If you got this Notice via email or website, you have the right to a paper copy by asking our privacy officer. You also have the right to see and get a copy of your PHI by submitting a request to our privacy officer or filling out a record request form. We may charge a fee for the copy, not to exceed $10. And we may charge a mailing fee if a paper copy is requested via mail, not to exceed $5. We will respond with a copy within 30 days as required by federal law. If we deny your request, you may as for a review of that decision, and we will have it reviewed by a licensed healthcare professional and follow their decision.

REQUEST FOR CORRECTION TO PHI

If we receive a correction to your PHI by another doctor or you, we will make the changes upon receipt of written notification. You may request a correction to your PHI by filling out a Request for Amendment/Correction form. We will act upon your request within 30 days. We will make the changes by noting, not deleting, and notify you within 5 days that the corrections have been made. We may deny your request under certain circumstances. If we do, we will notify you in writing within 5 days. You may lodge a complaint with our privacy officer or to DHHS if you do not agree with the denial.

TO REQUEST RESTRICTIONS

You may ask us to limit how your PHI is used and disclosed by submitting a written Request for Restriction on Use, Disclosure form to our Privacy Officer. We will follow the request unless it is an emergency situation where we did not have time to check limitations or if we are unable to grant your request (i.e. required by law).

TO REQUEST ALTERNATIVE COMMUNICATIONS

You may ask us to communicate with you in a different way or at a different place by submitting a written Request for Alternative Communication form to us. We will accommodate all reasonable requests.

TO COMPLAIN OR GET MORE INFORMATION

We will follow the rules set forth in this Notice. If you want more information, or if you believe your privacy rights have been violated, we want to make it right. We never penalize you for filing a complaint. To do so, please file a formal written complaint within 180 days to our Privacy Officer at:

Russell Eyecare & Associates
15 E Minnesota Street, Ste 107
St. Joseph, MN 56374
Fax: (530)420-3693
Email: info@russelleyecare.com

You may get your HIPAA Complaint form from our Privacy Officer.

These privacy practices are in accordance with the original HIPPA enforcement effective April 14, 2003 and updated to the Omnibus Rule effective March 26, 2013 and will remain in
effect until we replace them as specified by Federal and State Law.

FAXING, EMAILING, AND TEXTING RULE

When you request us to fax, email or text your PHI as an alternative communication, we may agree to do so, but this may be reviewed by our Privacy Officer or treating doctor. By providing us with this information, you are guaranteeing that you have sole access to the fax, email or phone with text. We are not responsible for PHI viewed by others if it is a shared fax, email or phone, as you requested that it be sent there. We will include a cover sheet and attach an appropriate notice to the message. Our emails are encrypted per Federal Standard for your protection.

PRACTICE TRANSITION RULE

If we sell our practice, our patient records may be disclosed and physical custody may be transferred to the purchasing healthcare provider, but only in accordance with the law. The new record owner will be solely responsible for ensuring privacy of your PHI after the transfer and you agree that we will have no responsibility for transferred records there after. If the practice dies, our patient records will be transferred to another healthcare practitioner within 90 days or stay with the attending doctor at his/her new location. Before either of these 2 situations, our Privacy Officer will obtain a Business Associate Agreement from the purchaser and review your PHI.

INACTIVE PATIENT RECORDS

We will retain your records fro 7 years from your last treatment or exam, at which point you will become an inactive patient in our practice and we may destroy your records at that time

(inactive minor patient records will not be destroyed before their 18th birthday). We destroy them in accordance with the law.

COLLECTIONS

If we use or disclose your PHI for collections purposes, we will do so only in accordance with the law.