MEDICAL PRIVACY POLICY AT NCA MEDICAL ASSOCIATES
North Central Arkansas Medical Associates Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW INFORMATION ABOUT YOU MAY BE USED AND RELEASED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
1. Introduction North Central Arkansas Medical Associates is required by law to maintain the privacy of your health information and to provide individuals with notice of its legal duties and privacy practices with respect to health information. North Central Arkansas Medical Associates is required to abide by the terms of the Notice currently in effect. North Central Arkansas Medical Associates reserves the right to change the terms of its notice and to make the new notice provisions effective for all PHI that it maintains.
This Notice of Privacy Practices and Policies outlines our practices, policies and legal duties to maintain confidentiality and protect against prohibited disclosure of protected health information (“PHI”) under the privacy regulations mandated by the Health Insurance Portability and Accountability Act (“HIPAA”) and further expanded by the Health Information Technology for Economic Clinical Health Act (“HITECH”).
PHI includes your demographic information such as name, address, telephone number, and family; past, present, or future information about your physical or mental health or condition; and information about the medical services provided to you, including payment information, if any of that information may be used to identify you. Your PHI may be maintained by us electronically and/or on paper.
This Notice describes uses and disclosures of PHI to which you have consented, that you may be asked to authorize in the future, and that are permitted or required by state or federal law. Also, it advises you of your rights to access and control your PHI.
We may amend this Notice of Privacy Practices periodically. The new notice will be effective for all PHI that we maintain at that time. Upon your request, we will provide you with any revised Notice of Privacy Practices or you may obtain a copy by accessing our website at <website>, by calling the office, (870)425-3131 and requesting that a revised copy be sent to you in the mail, or asking for one at the time of your next appointment.
We regard the safeguarding of your PHI as an important duty. The elements of this Notice and any authorizations you may sign are required by state and federal law for your protection and to ensure your informed consent to the use and disclosure of PHI necessary to support your relationship with North Central Arkansas Medical Associates.
If you have any questions about North Central Arkansas Medical Associates’s Notice of Privacy Practices, please contact the Privacy Officer at (870)425-3131.
2. Safeguarding PHI Within our Practice We have in place appropriate administrative, technical, and physical safeguards to protect and to secure your PHI. We orient our staff to the regulations and policies developed to protect the privacy of your PHI, and review their obligation to maintain privacy and security annually. We hold medical records in a secure area within our practice, and our electronic medical record system is monitored and updated to address security risks in compliance with the HIPAA Security Rule. Only staff members who have a legitimate “need to know” are permitted access to your medical records and other PHI. Our staff understands the legal and ethical obligation to protect your PHI and that a violation of this Notice of Privacy Practices may result in disciplinary action in accordance with our Human Resource policies.
3. Uses and Disclosures of PHI How we may use and disclose protected health information about you:
Treatment. We may use your PHI for treatment. Treatment means the provision, coordination, or management of your health care and related services by North Central Arkansas Medical Associates and health care providers involved in your care. Students may be a member of the health care team. It includes the coordination or management of health care by a provider with a third party insurance carrier, communication with lab or imaging providers for test results, consultation between our clinical staff and other health care providers relating to your care, or our referral of you to a specialist physician or facility. For example: Information obtained by a nurse, doctor, or other member of your healthcare team will be recorded in your medical record and used to determine the course of treatment that should work best for you.
Payment. We may use your PHI for payment. Payment means our activities to obtain reimbursement for the medical services provided to you, including billing, claims management, and collection activities. Payment also may include your insurance carrier’s efforts in determining eligibility, claims processing, assessing medical necessity, and utilization review. Payment may also include activities carried out on our behalf by one or more of our collection agencies or agents in order to secure payment on delinquent bills. For example: A bill will be sent to you or your insurance company.
Health Care Operations. We may use your PHI for health care operations. Health care operations mean the legitimate business activities of our practice. These activities may include quality assessment & improvement activities, fraud & abuse compliance, business planning & development, and business management & general administrative activities. For example: Using a translation service if we need to communicate with you in person, or on the telephone, in a language other than English. When we involve third parties in our business activities, we will have them sign a Business Associate Agreement obligating them to safeguard your PHI according to the same legal standards we follow.
4. Electronic Exchange of PHI We may transfer your PHI to other treating health care providers electronically. We may also transmit your information to your insurance carrier electronically.
5. Uses and Disclosures of PHI Based Upon Your Written Authorization Other uses and disclosures of your PHI will be made only with your specific written authorization. This allows you to request that North Central Arkansas Medical Associates disclose limited PHI to specified individuals or companies for a defined purpose and timeframe.
Other Disclosures: Other uses and disclosures not described in our Notice of Privacy Practices will be made only with authorization from the individual.
6. Uses and Disclosures of PHI Permitted or Required by Law In some circumstances, we may be legally bound to use or disclose your PHI without your consent or authorization. State and federal privacy law permit or require such use or disclosure regardless of your consent or authorization in certain situations, including, but not limited to:
Emergencies: If you are incapacitated and require emergency medical treatment, we will use and disclose your PHI to ensure you receive the necessary medical services. We will attempt to obtain your consent as soon as practical following your treatment.
Others Involved in Your Healthcare: Upon your verbal authorization, we may disclose to a family member, close friend or other person you designate only that PHI that directly relates to that individual’s involvement in your healthcare and treatment. We may also need to use PHI to notify a family member, personal representative or someone else responsible for your care or your location and general condition.
Communication barriers: If we try but cannot obtain your consent to use or disclose your PHI because of substantial communication barriers and your physician, using his or her professional judgment, infers that you consent to the use or disclosure, or the physician determines that a limited disclosure is in your best interests, North Central Arkansas Medical Associates may permit the use or disclosure.
Required by Law: We may disclose your PHI to the extent that its use or disclosure is required by law. This disclosure will be made in compliance with the law and will be limited to the relevant requirements of the law.
Public Health/Regulatory Activities: We may disclose your PHI to an authorized public health authority to prevent or control disease, injury, or disability or to comply with state child or adult abuse or neglect law. We are obligated to report suspicion of abuse and neglect to the appropriate regulatory agency.
Registry: As required by law, we may release your medical information to state and national registries. For example: Immunization or Cancer registries.
Food and Drug Administration: We may disclose your PHI to a person or company as required by the Food and Drug Administration to report adverse events, product defects or problems, biologic product deviations as well as to track product usage, enable product recalls, make repairs or replacements or to conduct post-marketing surveillance.
Health oversight activities: We may disclose your PHI to a health oversight agency for audits, investigations, inspections, and other activities necessary for the appropriate oversight of the health care system and government benefit programs such as Medicare and Medicaid.
Judicial and administrative proceedings: We may only disclose your PHI in the course of any judicial or administrative proceeding in response to a court order expressly directing disclosure, or in accordance with specific statutory obligation compelling us to do so, or with your permission.
Law enforcement activities: We may release medical information for law enforcement purposes as required by law or in response to a valid subpoena. For example: to locate a suspect in a crime or a missing person.
Coroners, medical examiners, funeral directors and organ donation organizations: We may disclose your PHI to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other lawful duties. We also may disclose your PHI to enable a funeral director to carry out his or her lawful duties. PHI may also be disclosed to organ banks for cadaveric organ, eye, bone, tissue and other donation purposes.
Research: We may disclose your PHI for certain medical or scientific research where approved by an institutional review board and where the researchers have a protocol to ensure the privacy of your PHI. Serious threats to health or safety: We may disclose your PHI to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
Military activity & national security: We may disclose the PHI of members of the armed forces for activities deemed necessary by appropriate military command authorities to assure proper execution of the military mission. We also may disclose your PHI to certain federal officials for lawful intelligence and other national security activities.
Worker’s Compensation: We may disclose your PHI as authorized to comply with worker’s compensation law.
Inmates of a Correctional Facility: We may use or disclose PHI if you are an inmate of a correctional facility and our practice created or received your PHI in the course of providing care to you while in custody.
US Department of Health and Human Services: We must disclose your PHI to you upon request and to the Secretary of the United States Department of Health & Human Services to investigate or determine our compliance with the privacy laws.
Disaster Relief Activities: We may disclose your PHI to local, state or federal agencies engaged in disaster relief and to private disaster relief assistance organizations (such as the Red Cross if authorized to assist in disaster relief efforts).
7. Your Rights Regarding PHI
Right to request restriction of uses and disclosures: You have the right to request a restriction or limitation on the medical information we use or release about you for treatment, payment or health care operations. You also have the right to request a limit on the medical information we release about you to someone who is involved in your care or the payment of your care, like a family member or friend. For example, you could ask that we not mail your bill to your home but use your PO Box address.
We are not required to agree to your restriction request, with one exception*, but if we do agree to the request, we will not use or disclose the restricted PHI unless it is necessary for emergency treatment. In that case, we will ask that the recipient not further use or disclose the restricted PHI. You may request restrictions and identify the parties to be restricted in writing to the Privacy Officer.
*If you request that access be restricted to your PHI for services for which you have fully paid yourself out-of-pocket and not be made available to your insurance carrier, we must agree to your request.
Right of access to PHI: You have the right to inspect and obtain a copy of your PHI upon your written request. If your medical record is in an electronic format you have the right to ask for a copy of it in an electronic form. Under very limited circumstances, we may deny access to your medical records. To request access to your medical record call the North Central Arkansas Medical Associates during business hours. We will respond to your request as soon as possible, but no later than 30 days from the date of your request. If access is denied you may appeal. We have the right to charge a reasonable fee for providing copies of your PHI.
Right to confidential communications: You have the right to reasonable accommodation of a request to receive communication of PHI by alternative means or at alternative locations. For example, you may ask us to call you at your work number instead of your home number. Please make your request in writing to the North Central Arkansas Medical Associates. We will not require an explanation of your reasons for the request, and will attempt to comply with reasonable requests
Right to amend PHI: You have the right to request that we amend your PHI. Your request must be made in writing to us. We will respond to your request as soon as possible, but no later than 30 days from the date of your request. If we deny your request for amendment, you have the right to submit a written statement disagreeing with the denial; North Central Arkansas Medical Associates also has the right to submit a rebuttal statement. A record of any disagreement about amendment will become part of your medical record and may be included in subsequent disclosures of your PHI.
Right to accounting of disclosures: Subject to certain limitations, you have the right to a written accounting of disclosures by us of your PHI for not more than 6 years prior to the date of your request. Your right to an accounting applies to disclosures other than those for treatment, payment, or health care operations. Please make your request in writing to us. We will respond to your request as soon as possible, but no later than 60 days from the date of your request. We will provide you with one accounting every 12 months free of charge. We will charge a reasonable fee based upon our costs for any subsequent accounting requests.
Right to notice of breach: An individual has a right to or will receive notifications of breaches of his or her unsecured protected health information. The notice will be in writing.
Right to a copy of our Notice of Privacy Practices: We may ask you to sign a written acknowledgement of receipt of our Notice of Privacy Practices. We may periodically amend this Notice of Privacy Practices and you may obtain an updated Notice at any time.
8. Complaint Procedure Within our Practice: If you have a complaint about the denial of any of the specific rights listed in Section 7 above, about our Notice of Privacy Practices, or about our compliance with state and federal privacy law you may get more information about the complaint process by contacting the Privacy Officer at (870)425-3131. We will respond to your complaint in writing within the time-frames listed in Section 7 above or in any case within 30 days of the date of your complaint.
Outside our Practice: If you believe that North Central Arkansas Medical Associates is not complying with its legal obligations to protect the privacy of your PHI, you may file a complaint with the Secretary of the U.S. Department of Health & Human Services, Office of Civil Rights.
We will not retaliate against you for filing a complaint.
9. Fundraising
Fundraising Use: North Central Arkansas Medical Associates may use patient information for the express purpose of the organization’s own internal fundraising activities. The information used shall be limited to contact information and dates of services rendered.
Patients Right to “Opt Out : North Central Arkansas Medical Associates shall provide all patients with an opportunity to “opt out” of having such information used for fundraising purposes. In order to do so, we ask patients to contact our Office, (870)425-3131. Once “opt out” is requested the individual will no longer receive fundraising materials. This request will not affect the individual’s treatment or payment.
10. Effective Date This Notice is effective as of 09/23/2013.