TMC is pleased to provide an example of an updated NPP, which includes verbiage required by the recently published Omnibus HIPAA Rules. Please review the NPP carefully to ensure it reflects the current process of your facility. This NPP can be located in electronic format on our website in the Client Portal under HIPAA Forms.
∙ Be sure to insert the name of your practice or facility.
∙ Contact information of the Privacy Officer should be included. The actual name of the person can be included, but PRIVACY OFFICER and contact information is sufficient. The rationale behind not including the actual name of the person is that if they should leave your organization, the NPP would need to be updated to include the current person holding the title.
∙ The effective date is the original date your facility adopted a NPP, which for many will be the April 2003 date. The revision date is the date you adopt the updated Notice.
∙ Review these pages carefully deleting any activities in which your facility does not participate, for instance fundraising activities, or providing appointment reminders. ∙ On page 4 in the section which outlines disclosures requiring a signed authorization, carefully review the definition of psychotherapy notes. If your facility does not create or receive this type of protected health information you may delete this statement from your Notice. The statement about marketing and disclosures for sale of PHI must remain.
Providing the updated Notice of Privacy Practices
∙ Direct care providers are not required to print and hand out a revised NPP to all individuals seeking treatment. Providers are only required to give a copy of the NPP to, and obtain a good faith acknowledgment of receipt from, NEW patients.
Posting of the updated Notice of Privacy Practices
∙ Providers must post the revised NPP in a clear and prominent location and have copies of the NPP at the delivery site for individuals to request to take with them. ∙ Health care providers are required to post the NPP in a clear and prominent location at the delivery site, however providers may post a summary of the Notice in such a location as long as the full notice is immediately available (such as on a table directly under the posted summary) for individuals to pick up without any additional burden on their part. It would not be appropriate, however, to require the individual to have to ask the receptionist for a copy of the full NPP.
∙ If the facility has a website, the updated NPP must be posted on the website.
[David B Gaddis, DDS PA]
Notice of Privacy Practices
This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
If you have any questions about this Notice please contact the Privacy Officer. [Privacy Officer 828 464 1732]
Effective Date: February 9, 2004 Revised: June 1, 2013
We are committed to protect the privacy of your personal health information (PHI).
This Notice of Privacy Practices (Notice) describes how we may use within our practice or network and disclose (share outside of our practice or network) your PHI to carry out treatment, payment or health care operations. We may also share your information for other purposes that are permitted or required by law. This Notice also describes your rights to access and control your PHI.
We are required by law to maintain the privacy of your PHI. We will follow the terms outlined in this Notice.
We may change our Notice, at any time. Any changes will apply to all PHI. Upon your request, we will provide you with any revised Notice by:
∙ Posting the new Notice in our office.
∙ If requested, making copies of the new Notice available in our office or by mail. ∙ Posting the revised Notice on our website: davidgaddisdds.com.
Uses and Disclosures of Protected Health Information
We may use or disclose (share) your PHI to provide health care treatment for you.
Your PHI may be used and disclosed by your physician, our office staff and others outside of our office that are involved in your care and treatment for the purpose of providing health care services to you.
EXAMPLE: Your PHI may be provided to a physician to whom you have been referred for evaluation to ensure that the physician has the necessary information to diagnose or treat you. We may also share your PHI from time-to-time to another physician or health care provider (e.g., a specialist or laboratory) who, at the request of your physician, becomes involved in your care by providing assistance with your health care diagnosis or treatment to your physician.
We may also share your PHI with people outside of our practice that may provide medical care for you such as home health agencies.
We may use and disclose your PHI to obtain payment for services. We may provide your PHI to others in order to bill or collect payment for services. There may be services for which we share information with your health plan to determine if the service will be paid for.
PHI may be shared with the following:
∙ Billing companies
∙ Insurance companies, health plans
∙ Government agencies in order to assist with qualification of benefits
∙ Collection agencies
EXAMPLE: You are seen at our practice for a procedure. We will need to provide a listing of services such as x-rays to your insurance company so that we can get paid for the procedure. We may at times contact your health care plan to receive approval PRIOR to performing certain procedures to ensure the services will be paid for. This will require sharing of your PHI.
We may use or disclose, as-needed, your PHI in order to support the business activities of this practice which are called health care operations.
∙ Training students, other health care providers, or ancillary staff such as billing personnel to help them learn or improve their skills.
∙ Quality improvement processes which look at delivery of health care and for improvement in processes which will provide safer, more effective care for you.
∙ Use of information to assist in resolving problems or complaints within the practice. We may use and disclosure your PHI in other situations without your permission:
∙ If required by law: The use or disclosure will be made in compliance with the law and will be limited to the relevant requirements of the law. For example, we may be required to report gunshot wounds or suspected abuse or neglect.
∙ Public health activities: The disclosure will be made for the purpose of controlling disease, injury or disability and only to public health authorities permitted by law to collect or receive information. We may also notify individuals who may have been exposed to a disease or may be at risk of contracting or spreading a disease or condition.
∙ Health oversight agencies: We may disclose protected health information to a health oversight agency for activities authorized by law, such as audits, investigations, and inspections. Oversight agencies seeking this information include government agencies that oversee the health care system, government benefit programs, other government regulatory programs and civil rights laws.
∙ Legal proceedings: To assist in any legal proceeding or in response to a court order, in certain conditions in response to a subpoena, or other lawful process.
∙ Police or other law enforcement purposes: The release of PHI will meet all applicable legal requirements for release.
∙ Coroners, funeral directors: We may disclose protected health information to a coroner or medical examiner for identification purposes, determining cause of death or for the coroner or medical examiner to perform other duties authorized by law
∙ Medical research: We may disclose your protected health information to researchers when their research has been approved by an institutional review board that has reviewed the research proposal and established protocols to ensure the privacy of your protected health information.
∙ Special government purposes: Information may be shared for national security purposes, or if you are a member of the military, to the military under limited circumstances. ∙ Correctional institutions: Information may be shared if you are an inmate or under custody of law which is necessary for your health or the health and safety of other individuals. ∙ Workers’ Compensation: Your protected health information may be disclosed by us as authorized to comply with workers’ compensation laws and other similar legally-established programs.
Other uses and disclosures of your health information.
Business Associates: Some services are provided through the use of contracted entities called “business associates”. We will always release only the minimum amount of PHI necessary so that the business associate can perform the identified services. We require the business associate(s) to appropriately safeguard your information. Examples of business associates include billing companies or transcription services.
Health Information Exchange: We may make your health information available electronically to other healthcare providers outside of our facility who are involved in your care.
Treatment alternatives: We may provide you notice of treatment options or other health related services that may improve your overall health.
Appointment reminders: We may contact you as a reminder about upcoming appointments or treatment.
We may use or disclose your PHI in the following situations UNLESS you object.
∙ We may share your information with friends or family members, or other persons directly identified by you at the level they are involved in your care or payment of services. If you are not present or able to agree/object, the healthcare provider using professional judgment will determine if it is in your best interest to share the information. For example, we may discuss post procedure instructions with the person who drove you to the facility unless you tell us specifically not to share the information.
∙ We may use or disclose protected health information to notify or assist in notifying a family member, personal representative or any other person that is responsible for your care of your location, general condition or death.
∙ We may use or disclose your protected health information to an authorized public or private entity to assist in disaster relief efforts.
The following uses and disclosures of PHI require your written authorization:
∙ Disclosures of for any purposes which require the sale of your information
All other uses and disclosures not recorded in this Notice will require a written authorization from you or your personal representative.
Written authorization simply explains how you want your information used and disclosed. Your written authorization may be revoked at any time, in writing. Except to the extent that your doctor or this practice has used or released information based on the direction provided in the authorization, no further use or disclosure will occur.
Your Privacy Rights
You have certain rights related to your protected health information. All requests to exercise your rights must be made in writing. [Requests for written documents should be addressed to the Privacy Officer.]
You have the right to see and obtain a copy of your protected health information.
This means you may inspect and obtain a copy of protected health information about you that is contained in a designated record set for as long as we maintain the protected health information. If requested we will provide you a copy of your records in an electronic format. There are some exceptions to records which may be copied and the request may be denied. We may charge you a reasonable cost based fee for a copy of the records.
You have the right to request a restriction of your protected health information.
You may request for this practice not to use or disclose any part of your protected health information for the purposes of treatment, payment or healthcare operations. We are not required to agree with these requests. If we agree to a restriction request we will honor the restriction request unless the information is needed to provide emergency treatment.
There is one exception: we must accept a restriction request to restrict disclosure of information to a health plan if you pay out of pocket in full for a service or product unless it is otherwise required by law.
You have the right to request for us to communicate in different ways or in different locations.
We will agree to reasonable requests. We may also request alternative address or other method of contact such as mailing information to a post office box. We will not ask for an explanation from you about the request.
You may have the right to request an amendment of your health information.
You may request an amendment of your health information if you feel that the information is not correct along with an explanation of the reason for the request. In certain cases, we may deny your request for an amendment at which time you will have an opportunity to disagree.
You have the right to a list of people or organizations who have received your health information from us.
This right applies to disclosures for purposes other than treatment, payment or healthcare operations. You have the right to obtain a listing of these disclosures that occurred after April 14, 2003. You may request them for the previous six years or a shorter timeframe. If you request more than one list within a 12 month period you may be charged a reasonable fee.
Additional Privacy Rights
∙ You have the right to obtain a paper copy of this notice from us, upon request. We will provide you a copy of this Notice the first day we treat you at our facility. In an emergency situation we will give you this Notice as soon as possible.
∙ You have a right to receive notification of any breach of your protected health information. Complaints
If you think we have violated your rights or you have a complaint about our privacy practices you can contact:
[Privacy Officer 828 464 1732]
You may also complain to the United States Secretary of Health and Human Services if you believe your privacy rights have been violated by us.
If you file a complaint we will not retaliate against you for filing a complaint.
This notice was published and becomes effective on April 13, 2003 or date practice adopted the Notice
©TMC all rights reserved