The Center is permitted, but not required, to use and disclose PHI, without an individual’s authorization, for the following purposes or situations:

 

1). To the Individual.  We may disclose PHI to the individual who is the subject of the information.

 

2.) Treatment, Payment, and Health Care Operations.  Except with respect to uses or disclosures that require an authorization or are prohibited under the HIPAA Regulations, we may use or disclose your PHI for treatment, payment, or health care operations as described below. 

a. Treatment:  While we are providing you with health care services, we may share your protected health information (PHI) including electronic protected health information (ePHI) with our employees, other health care providers, business associates and their subcontractors and other individuals who are involved in your treatment, billing, administrative support or data analysis. These business associates and subcontractors through signed contracts are required by Federal law to protect your health information. We may disclose and/or share protected health information (PHI) including electronic disclosure with other health care professionals outside of this practice who provide treatment and/or service to you.  These professionals will have a privacy and confidentiality policy like this one.  Health information about you may also be disclosed to your family, friends, personal representative and/or other persons you choose to involve in your care, only if you agree that we may do so.  For example we may disclose your PHI to others who may assist in your care, such as a family member, a referring or consulting physician, a pharmacist when ordering a prescription for you, or to a laboratory when ordering lab or pathology tests. 

 

b. Payment:  We may use and disclose your PHI to another covered entity or a health care provider to seek payment for services we provide to you.  This disclosure involves our business office staff and may include insurance organizations, collections or other third parties that may be responsible for such costs, such as family members. For example we may contact your health insurer to certify that you are eligible for benefits and we may disclose your treatment plan to determine if your insurer will pay for your treatment.  Our practice may submit an itemized billing statement to your insurance carrier for the purpose of payment for health care services rendered.  If you pay for your health care services personally, we may provide an itemized billing to your insurance carrier for the purpose of reimbursement to you, unless you request otherwise.  The billing statement contains medical information, including diagnosis, date of injury or condition, and codes which describe the health care services you received.  If you request that your insurance not be notified of services that you have paid for out of pocket, we take every reasonable precaution to avoid their notification. 

 

c. Healthcare Operations:  We will use and disclose your PHI as part of our business operations including conducting quality assessment and improvement activities, patient safety activities, improving health or reducing health care costs, reviewing the competence or qualifications of health care professionals, health care provider training, accreditation, certification, licensing, or credentialing activities, activities related to health insurance contracting, conducting reviews, audits, fraud and abuse detection and compliance programs, business planning, development and management.   We may also disclose your PHI to another covered entity for health care operations activities of the entity that receives the information, if each entity either has or had a relationship with you, the PHI pertains to such relationship, and the disclosure is for the purpose of treatment, payment or detection of health care fraud and abuse or compliance.  Examples of personnel who may have access to this information include, but are not limited to, outside health or management reviewers, our consulting pharmacist, accreditation surveyors, and individuals performing similar activities.

 

3.) Business Associates.  We may disclose your PHI to a business associate and may allow a business associate to create, receive, maintain, or transmit PHI on its behalf, if we obtain satisfactory assurance that the business associate will appropriately safeguard the information.  Similarly, our business associates may disclose PHI to a business associate that is a subcontractor with assurance that the subcontractor will safeguard the information.  This satisfactory assurance will be documented in a written contract between the Center and our business associates.  This contract is called a Business Associate Agreement and will establish required uses and disclosures of PHI by the business associate.  The contract will (a) notify the business associate not to use or further disclose the information other than as permitted by the contract, (b) specify that they use appropriate safeguards and protect electronic health information, (c) require them to report any use or disclosure of information not provided for by its contract including breaches of unsecured PHI, (d) ensure that any subcontractors agree to the same restrictions and conditions that apply to them with respect to PHI,(e) make available PHI according to the HIPAA Regulations, (f) make PHI available for amendment, (g) provide an accounting of disclosures, (h) comply with the HIPAA Regulations, (i) make their internal records available to HHS for the purposes of determining compliance with the HIPAA Regulations, (j) at the termination of the contract, return or destroy all PHI received from, or created or received by them on behalf of the Center, and (k) authorize termination of our contract with them if we determine that they have violated the terms of our business associate contact.  Our business associates may use or disclose your PHI for their proper management and administration and to carry out their legal responsibilities.  Any subcontractors of our business associates are subject to the same requirements that apply between the Center and that business associate.  Examples of business associates are providers of our electronic medical records, call reminder services, and patient satisfaction survey providers.

 

4.) Uses or Disclosures with Opportunity to Agree or Object.  Informal permission to use or disclose PHI may be obtained by asking you outright, or by circumstances that clearly give you the opportunity to agree or object.   Except when an objection is expressed, we may use the following PHI to maintain a directory in the Center; your name, location in the Center, and your condition in general terms that does not communicate specific medical information about you.  We will ask your permission to disclose your PHI to the person(s) who accompanies you to your procedure or someone else who may inquire about you.  We will also use your PHI to give you reminders of recommended services, treatment, or scheduled appointments.  We will use the contact information you provide us unless you request otherwise.  For example, we will ask your permission for your responsible driver to be with you after your procedure and receive information about your health and procedure results.  You will also receive written and phone reminders regarding your treatment and scheduled appointments.  If you are not home we may leave a message on your answering machine or in a message left with the person answering the phone.  We will also have you sign in when you arrive for your appointments and will call out your name when we are ready to see you.

Emergencies:  If the opportunity to object to uses or disclosures discussed in this section cannot practically be provided to you because you are incapacitated, receiving emergency treatment, or deceased, we may use or disclose your PHI to notify, or assist in the notification of a family member, a personal representative, or other person involved in your health care or payment.  We may also disclose your PHI for disaster relief purposes.  We may disclose your name, location, general condition or death, and religious affiliation consistent with your prior expressed preference if known.  Under emergency conditions or if you are incapacitated we will use our professional judgment to disclose only that information directly relevant to your care.  If you are present and it is at all possible, we will give you the opportunity to agree or object prior to making a disclosure discussed in this paragraph.

 

5.) Incidental Use and Disclosure.  We will adopt reasonable safeguards as required by the HIPAA Regulations to prevent the risk of an incidental use or disclosure of your PHI that may occur as a result of an otherwise permitted use or disclosure.  We will follow the “minimum necessary” principle regarding use and disclosure of your PHI.  We will make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed to accomplish the intended purpose of the use, disclosure, or request.  Staff access to your PHI is limited to such persons or classes of person who need access to PHI to carry out their duties.  Everyone on our staff is required to sign a confidentiality statement.   The minimum necessary requirement is not imposed in any of the following circumstances: (a) disclosure to a request by a health care provider for treatment; (b) disclosure to the individual or personal representative of the subject of the information; (c) use or disclosure that has been authorized; (d) disclosure to HHS for a compliance investigation, review or enforcement; (e) use or disclosure required by law; or (f) use or disclosure required for compliance with HIPAA Regulations. 

 

6.) Public Interest and Benefit Activities.  For the purposes of public interest and benefit, we are permitted to use or disclose your PHI as described below:

a. Uses and disclosures required by law.  We may use or disclose your PHI without authorization when we are required to do so by law including by statute, regulation, or court orders. 

 

b. Uses and disclosures for public health activities. We may use or disclose your PHI to a public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority.    We may disclose your health information to appropriate authorities any report of child abuse or neglect. We are required to report to the Food and Drug Administration (FDA) any concerns related to the quality, safety, or effectiveness of any FDA-regulated product or activity.  This includes adverse events with respect to food or dietary supplements, product defects or problems, or biological product deviations.  We may also have to participate in the tracking of FDA-regulated products, enable product recalls, repairs, replacement or look-back including locating and notifying individuals who have received affected products, and conduct post-marketing surveillance. We are required to report a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition.  We may disclose PHI about you if you are a student or prospective student of a school if the PHI is limited to proof of immunization and the school is required by law to have such proof of immunization prior to admitting you.  Agreement with this disclosure will be obtained from the parent, guardian, or other person acting in loco parentis, or the individual if the individual is an adult or emancipated minor. 

 

c. Uses and disclosures about victims of abuse, neglect or domestic violence.  Except for reports of child abuse or neglect, we may disclose PHI about you if we reasonably believe you to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective agency, authorized by law to receive reports of such.  The disclosure must be limited to the relevant requirements of the law; you must agree to the disclosure; and in our professional judgment we must believe that the disclosure is necessary to prevent serious harm to you or other potential victims.  We will inform you that such a report has been or will be made unless in our professional judgment, we believe that informing you would place you at risk of serious harm, or we would be informing your personal representative that we reasonably believe is responsible for the abuse, neglect, or other injury and that informing such person would not be in your best interest.

 

d. Uses and disclosures for health oversight activities.  We may disclose your PHI to a health oversight agency for the activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of:  the health care system; government benefit programs; entities subject to government regulatory programs or civil rights laws; for which health information is necessary for determining compliance.  We are not permitted to make disclosures for health oversight in which you are the subject or which are not directly related to health care, health benefits or services.

 

e. Disclosures for judicial and administrative proceedings.  We may disclose your PHI in the course of any judicial or administrative proceeding in response to an order of a court or administrative tribunal, provided we disclose only the PHI expressly authorized by such order, or in response to a subpoena, discovery request, or other lawful process.  We will ask for assurance that you have been notified of the request for PHI; the reason for request of PHI; that you have been given the opportunity to object to the disclosure; the time frame to object has elapsed; and no objections are pending. 

 

f. Disclosures for law enforcement purposes.  We may disclose your PHI to a law enforcement official’s request if any of the following conditions are met; (1) pursuant to process and as otherwise required by law; (2) limited for the purpose of identifying and locating a suspect, fugitive, material witness, or missing person by disclosure of name, address, date and place of birth, social security number, blood type, type of injury, date and time of treatment, date and time of death, and description of distinguishing physical characteristics. We may not disclose DNA analysis, dental records, samples or analysis of body fluids or tissue; (3) the request is about you as a victim of a crime if you agree to the disclosure.  We may disclose  your PHI without your permission if you are incapacitated if the information is not to be used against you, law enforcement activity depends on prompt disclosure, and in our professional judgment disclosure is in your best interest; (4) law enforcement is requesting your PHI after you are deceased if we have a suspicion that such death may have resulted from criminal conduct; (5) we are disclosing PHI to a law enforcement official that we believe constitutes evidence of criminal conduct that occurred on the premises of the Center; or (6) we are reporting crime in an emergency situation to alert law enforcement of the commission, nature and location of a crime, the location of a victim, or the identity, descriptions and location of a perpetrator. 

 

g. Uses and disclosures about decedents.  We may disclose your PHI to a coroner or medical examiner for the purpose of identifying you, determining a cause of death, or other duties as authorized by law.  We may also disclose your PHI to a funeral director as necessary to carry out their duties after or in reasonable anticipation of your death.  After your death, we may disclose your PHI to a family member or individual involved in your care or payment prior to death.

 

h. Uses and disclosures for cadaveric organ, eye or tissues donation purposes.  We may use or disclose PHI for organ procurement organizations for the purpose of facilitating organ, eye, or tissue donation and transplantation. 

 

i. Uses and disclosures for research purposes.  We may use or disclose your PHI for research provided that the Center Management Board has approved a waiver of authorization, the PHI is necessary for research and not removed from the Center, the waiver specifies how PHI will be protected, there is a description of what PHI is needed, and the waiver has been reviewed, approved and signed. 

 

j. Uses and disclosures to avert a serious threat to health or safety.  Consistent with applicable law and standards of ethical conduct, we may disclose your PHI if in good faith we believe that doing so is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public and is necessary for law enforcement to identify or apprehend an individual.  We cannot disclose your PHI learned in the course of treatment, referral to treatment, or counseling for the criminal conduct which is the basis for the disclosure. 

 

k. Uses and disclosures for specialized government functions. We may use and disclose your PHI if you are Armed Forces personnel for activities deemed necessary for appropriate military command authorities to assure the proper execution of the military mission.  We may also disclose your PHI to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities, and for the provision of protective services to the President or other foreign heads of state.  If you are an inmate we may also disclose your PHI to correctional institutions or law enforcement officials having lawful custody of you if that PHI is necessary for: (1) the provision of your care; (2)  the health and safety of you or other inmates; (3) the health and safety of the officers, employees or others at the correctional institution; (4) the health and safety of such individuals and officers transporting the inmates; (5) law enforcement on the premises of the correctional institution; or (6) the administration and maintenance of the safety, security, and good order of the correctional  institution. 

 

l. Disclosures for workers’ compensation.  We may disclose your PHI as authorized by and to the extent necessary to comply with state laws relating to worker’s compensation that provided benefits for work-related injuries or illness without regard to fault.  We may use or disclose PHI to your employer about you if we provide health care to you at the request of your employer.  Information disclosed would be for the purpose of your employer conducting an evaluation relating to medical surveillance of the workplace or evaluating whether you have a work-related illness or injury. 

 

m. Change of Ownership.  In the event that this Center is sold or merged with another organization, you health information will become the property of the new owner, although you will maintain the right to request that copies of your health information be transferred to another physician or medical group.

 

7.) Limited Data Set.  Health information which does not identify an individual, and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual, is not considered to be individually identifiable health information.  Information is not individually identifiable if the risk is very small that the information could be used alone or in combination with other available information by an anticipated recipient to identify you.  Your PHI is considered to be de-identified if the following identifiers of  you or of relatives, employers, or household members of yours are removed: names; geographic subdivisions smaller that a state; all elements of dates except for year; telephone numbers; fax numbers; electronic email addresses; social security numbers; medical record numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers; device identifiers and serial numbers; URLs; IP address numbers; biometric identifiers; full face photographic images; and any other unique identifying numbers, characteristics, or codes.  We may disclose your de-identified information only for the purposes of research, public health, or health care operations.  We will do this only after obtaining a data use agreement with the recipient that establishes permitted uses and disclosures of such information and specifies how the information will be safeguarded.  We may assign a code or other means of record identification as long as it is not derived from or related to information about you, is not otherwise capable of being translated as to your identity, and we do not disclose the identification code. 

 

8.) Fundraising.  The Center may at times participate in a charitable event.  During these times, we may contact you to invite you to participate in the charitable activity.  We may use or disclose to a business associate or to a institutionally related foundation, the following information about you for the purpose of raising funds for its own benefit, without your authorization: demographic information relating to you including name, address, other contact information, age, gender, and date of birth; dates of health care provided; department of service; treating physician; outcome information; and health insurance status.  Effective March 26, 2013, PHI that requires a written patient authorization prior to fundraising communication include: diagnosis, nature of services and treatment.  It is not our practice to disclose PHI about your condition for the purpose of fundraising events.  We must provide you with this notice about fundraising and with each communication made to you regarding fundraising we will give you a clear and conspicuous opportunity to elect not to receive any further fundraising communications.  If you have elected to opt out we are prohibited from making fundraising communication under the HIPAA Privacy Rule. Opting out of fundraising communications will not cause you to incur an undue burden and will not affect your treatment or payment status.  We may supply you with a way to opt back in to receive fundraising communications. 

 

 

1.)  General Rule:  Except as otherwise permitted or required by this Notice, we may not use or disclose your PHI without a valid written authorization.  The authorization must be current, true, and filled out completely.  We will supply you with a copy of the authorization.  You may revoke an authorization in writing except to the extent that we have taken action in reliance thereon.

 

2.) Marketing Health-Related Services:  We will not use your PHI for marketing purposes unless we have your written authorization to do so.  Marketing is defined as a communication about a product or service that encourages you to purchase or use the product or service.  Effective March 26, 2013, we are required to obtain an authorization for marketing purposes if communication about a product or service is provided and we receive financial remuneration (getting paid in exchange for making the communication) from a third party whose products or services are being marketed.  No authorization is required if communication is made face-to-face, for promotional gifts of a nominal value, or for treatment recommendations made as part of your care coordination. 

 

3.) Sale of PHI:  We must obtain your authorization for any disclosure of your PHI which is a sale of PHI.  Such authorization must state that the disclosure will result in remuneration to the Center.  We will stop any future sales of your information to the extent that you revoke that authorization.   “Sale of PHI” does not include disclosures for public health, certain research purposes, treatment and payment, and for any other purpose permitted by the Privacy Rule, where the only remuneration received is “a reasonable cost-based fee” to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by law. Corporate transactions (i.e., sale, transfer, merger, consolidation) are also excluded from the definition of “sale.”

 

4.) Disclosure of genetic test information, psychotherapy notes, substance abuse treatment, HIV or Aids testing or treatment, except as required by law.  Your written authorization is required before genetic test results, psychotherapy notes, substance abuse treatment information of treatment of HIV or AIDS is disclosed.  The Center does not perform any of these tests or treatments with one exception.  If a staff member is exposed to your blood and/or body fluid, you will be asked to provide us with a blood sample in order to determine if the staff member has been exposed to HIV or another blood borne infection.  As per Delaware Code, the results of this test may be disclosed without your consent to the health care provider who needs the test results for emergency treatment.

 

 

1.) You have the right to request restrictions on certain uses and disclosures of your PHI:    You have the right to request that we place additional restrictions on our use or disclosure of your health information for the purposes of treatment, payment, or health care operations. For example, you can ask that your PHI not be shared with certain individuals, groups or companies.   We must agree to your request not to disclose your PHI to a health plan if the disclosure is for the purpose of carrying out payment or health care operations, is not otherwise required by law, and the PHI pertains solely to a health care item or service for which you have paid us in full.  We do not have to agree to other restrictions, but if we do, we will abide by our agreement.  These restrictions may not be honored in the case of an emergency.  This request must be submitted in writing.  A restriction may be terminated if you agree to or request the termination in writing.  A restriction may be terminated orally if the agreement is documented.  We may inform you that the restriction is terminated except in the case of notifying your health plan for services you have paid for in full, and only for PHI created or received after we have so informed you of the termination.  Please contact our Privacy Officer if you want to further restrict access to your health care information. 

 

2.) You have the right to receive confidential communications of your PHI: You have the right to make reasonable requests to receive communications of your PHI from us by alternative means or at alternative locations.  We will not require you to explain your request.  We will ask you to specify an alternative address or method of contact and how payment will be handled.

 

3.) You have the right to access your PHI: You have the right of access to inspect and obtain a copy of your PHI with the following exceptions: access to psychotherapy notes; information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; or PHI that is subject to CLIA laws.  We may require you to request access in writing and we must act on this request within 30 days after receiving your request.  If we are unable to comply with your request within 30 days, we will notify you of the reasons for the delay and the date by which we will allow access.  This extension of time will be no more than an additional 30 days. Access will be provided in the form and format you request if it is readily producible in such form and format.  If not, a readable hard copy form or such other form and format as agreed to by you and the Center will be supplied. 

 

Requesting copies. If you request a copy of your PHI that is stored electronically, the Center must provide you with access to your PHI in the electronic form and format if it is readily producible in such form and format.  If not, your PHI will be given to you in a readable electronic form and format as agreed to by you and the Center.  We may also provide you with a summary of your PHI in lieu of providing access to PHI if you agree to this in advance. We will arrange with you a time and place to inspect or obtain a copy of your PHI or mail it as you request.  If you request that a copy of your PHI is transmitted to another person, your request must be in writing, signed, and clearly identify the designated person and where to send the copy of PHI.  We may impose a reasonable, cost-based fee for a copy or summary of your PHI as determined by Delaware State Code.  This fee will cover labor and supply costs for copying your PHI and postage if mailed. You may request from us a copy of our fee schedule for copying medical records.  If the Center does not maintain the PHI that is the subject of your request, we will inform you where to direct the request for access.

 

Denial of access. We may deny your access to your PHI without providing the opportunity for review under the above situations: if we are acting under the direction of a correctional institution; if the PHI was created or obtained in the course of research; if required by other sections of the HIPAA Regulations; or if the PHI was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.  We may deny access to PHI with the right to review the denial if access is likely to endanger the life or safety of you or another person, or the PHI makes reference to another person and access is likely to cause substantial harm to that person.  If access is denied for the above reasons, you have the right to have the decision reviewed by a licensed health care professional whom we will designate.  This person will review your request and promptly notify you in writing of the decision.   If access to your PHI is denied, we will notify you in writing within 30 days of receipt of the request.  The written denial will state the basis for the denial, how you may exercise your review rights, and the name and contact information of someone at the Center to which you can make a complaint.  When access to some PHI is denied, access to other PHI will be made available after excluded PHI is removed. 

 

If you wish to examine your health information, you will need to complete and submit an appropriate request form.  Contact our Privacy Officer for a copy of the Request Form.    You may also request access by sending us a letter to the address at the end of this Notice.  Once approved, an appointment can be made to review your records. 

 

4.) You have the right to make amendment to your PHI:  You have the right to ask us to amend your PHI or a record about you in a designated record set for as long as the PHI is maintained in the designated record, if you feel it is inaccurate or incomplete.  Your request must be in writing and must include an explanation of why the information should be amended.  We must act on your request for an amendment no later than 60 days after receipt of the request.  If we accept the requested amendment, in whole or in part, we will comply with the following requirements: (a) we must make the appropriate amendment to your PHI or record, identifying the records that are affected by the amendment or providing a link to the location of the amendment; (b) we must inform you in a timely fashion that the amendment is accepted and obtain your identification of an agreement to have us notify the relevant persons with which the amendment needs to be shared; (c) we must make reasonable efforts to inform and provide the amendment to persons identified by you as having received the PHI and needing the amendment; and (d) we must inform other persons, including business associates, that  we know as having received the PHI that is subject of the amendment and that may have relied on the information to your detriment.  

 

Denial of amendment. Under certain circumstances, your request to amend your PHI may be denied.  We may deny your request if the PHI or record was not created by us, it is not part of the record set, it is unavailable for inspections as described under “access” above, or it is accurate and complete.  If we deny the requested amendment, in whole or in part, we must provide you with a timely, written denial which: (a) explains the basis for the denial; (b) informs you of the right to submit a written statement disagreeing with the denial; (c) states that if a statement of disagreement is not submitted, you may request that we provide your request for amendment and the denial with any future disclosures of the PHI that is the subject of the amendment; and (d) provide a description of how you may complain to us or the Secretary of HHS.  We may prepare a written rebuttal to your statement of disagreement and provide a copy to the individual who submitted the statement of disagreement.  If we are informed by another covered entity of an amendment to your PHI, we must amend the PHI in our record set as per the request. 

 

5.) You have the right to an accounting of Non-routine Disclosures of your PHI:  You have the right to request an accounting of non-routine disclosures of your PHI made by us in the six years prior to the date on which the accounting is requested.  The accounting must include disclosures of PHI including disclosures to or by our business associates.  The accounting will include the date of the disclosure, the name of the person who received the PHI, their address if known, a brief description of the PHI disclosed, and a brief statement of the purpose of the disclosure.  We must act on your request for an accounting no later than 60 days after the receipt of such a request.  If we are unable to provide the accounting within the time required, we may extend the time by no more then 30 days provided we inform you in writing of the reasons for the delay and the date by which we will provide the accounting.  This right of accounting does not apply to the following: (a) disclosures made to carry out treatment, payment and health care operations; (b) disclosures made to you; (c) other permitted disclosures; (d) disclosures where authorization was obtained; (e) disclosures made for the Center’s directory or to persons involved in your care or other notification purposes; (f) disclosures made for national security or intelligence purposes; (g) disclosures made to correctional institutions or law enforcement officials; (h) disclosures as part of a limited date set; or (i) disclosures that occurred prior to our compliance date.   

 

We must temporarily suspend your right to receive an accounting of disclosures we made to a health oversight agency or law enforcement official for the time specified by such agency or official, if they provide us with a written or oral statement to do so.  The written statement must have a time frame for the suspension, and a temporary suspension will be no longer then 30 days from the date of the oral statement. 

 

To request this list or accounting of disclosures, you must submit your request in writing to our Privacy Officer.  The first accounting to an individual in any 12 month period will be free of charge.  After this, there will be a reasonable, cost-based fee for each subsequent request for an accounting by the same individual within the 12 month period. 

 

6.) You have the right to be notified of a breach of your PHI:  A breach of PHI means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI.  If there is reason to believe that your PHI has been breached, we will conduct a thorough investigation and risk assessment.  A breach excludes unintentional acquisition, access, or use of PHI by an employee or business associate of the Center if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further  use or disclosure in a manner not permitted.  It is not considered a breach if we believe that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information or if we demonstrate that there is low probability that the PHI has been compromised based on a four factor risk assessment.  Beginning September 23, 2009, following the discovery of a breach of unsecured PHI, we will notify each individual whose PHI has been, or is reasonably believed by us to have been accessed, acquired, used, or disclosed by such breach.  Written notification will take place within 60 days of discovery and shall include: (a) a brief description of what happened; (b)  the date of the breach; (c) the type of PHI that was involved; (d) any steps that you should take to protect yourself from potential harm resulting from the breach; (e) a brief description of what we are going to do to investigate the breach, mitigate harm to you and to protect against future breaches; and (f)  contact procedures for you to ask questions or learn additional information.  If the breach involves more than 500 residents of the state, we will notify media outlets serving the state, and the Secretary of HHS. If one of our business associates discovers a breach, they are required to notify us within 60 days.  They will then make notification to you as described above. 

 

 

You have the right to file a complaint with us concerning our policies and procedures required by the HIPAA Regulations or if you feel we have not complied with our policies and procedures as stated in this Notice.  Your complaint should be directed to our Privacy Officer.  If you feel we may have violated your privacy rights, or if you disagree with a decision we made regarding your access to your health information, you can complain to us in writing at the address below. You also have the right to file a complaint with the HHS Office of Civil Rights (OCR) if you believe that the Center or one of our business associates has not complied with the provisions of HIPAA Regulations or this Notice.  A complaint to the OCR must be filed in writing, either on paper or electronically.  The complaint must name the person that is the subject of the complaint, describe the acts or omission believed to be in violation of these provisions, and be filed within 180 days of when you knew or should have known that the act occurred.   You may request a Complaint Form from our Privacy Officer or find it online at http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.   Complaints to OCR may be filed at the address below.  We support your right to the privacy of your information and will not retaliate in any way if you choose to file a complaint with us or with the OCR.