Privacy Practices for Teter Orthotics & Prosthetics, Inc.
(referred to in this document as “the facility”)
This Notice of Privacy Practices is being provided to you as a requirement of the Health Insurance Portability and Accountability Act (HIPAA). This Notice describes how we may use and disclose your protected health information to carry out treatment, payment or health care operations and for other purposes that are permitted or required by law. It also describes your rights to access and control your protected health information in some cases. Your “protected health information” means any of your written and oral health information, including demographic data that can be used to identify you. This is information that is created or received by your health care provider, and that relates to your past, present or future physical or mental health condition.
I. Uses and Disclosures of Protected Health Information
The facility may use your protected health information for purposes of providing treatment, obtaining payment for treatment, and conducting health care operations. Your protected health information may be used to disclosed only for these purposes unless the facility has obtained your authorization or the use or disclosure is otherwise permitted by the HIPPAA Privacy Regulations or State law. Disclosures of your health information for the purposes described in this Notice may be made in writing, orally, or by facsimile.
A. Treatment. We will use and disclose your protected health information to provide, coordinate, or manage your health care and any related services. This includes the coordination or management of your health care with a third party for treatment purposes. For example, we may disclose your protected health information to a physician or physical therapist to coordinate your treatment. We may use your information within our facility to fit and manufacture your orthotic or prosthetic. In some cases, we may also disclose your protected health information to an outside treatment provider for purposes of the treatment activities of the other provider.
B. Payment. Your protected health information will be used, as needed, to obtain payment for the services that we provide. This may include certain communications to your health insurer or Medicare to get coverage approval for the orthotic or prosthetic device that we recommend. We may also disclose protected health information to your insurance company to determine whether you are eligible for benefits or whether a particular service is covered under your health plan. In order to get payment for your services, we may also need to disclose your protected health information to your insurance company to demonstrate the medical necessity of the services or, as required by your insurance company, for utilization review. We may also disclose patient information to another provider involved in your care for the other provider’s payment activities.
C. Operations. We may use or disclose your protected health information, as necessary, for our own health care operations in order to facilitate the function of the facility and to provide quality care to all patients. Health care operations include such activities as:
Quality assessment and improvement activities
Employee review activities.
Training programs including those in which students, trainees, or practitioners in health care learn under supervision.
Accreditation, certification, licensing or credentialing activities.
Review and audition, including compliance reviews, medical reviews, legal services and maintaining compliance programs.
Business management and general administrative activities.
In certain situations, we may also disclose patient information to another provider or health plan for their health care operations.
D. Other Uses and Disclosures. As part of the treatment, payment and healthcare operations, we may also use or disclose your protected health information for the following purposes:
To remind you of an appointment
To inform you of potential treatment alternatives or options.
To inform you of health-related benefits or services that may be of interest to you.
To contact you to raise funds for the facility or an institutional foundation related to the facility. If you do not wish to be contacted regarding fundraising, please contact our Privacy Officer.
II. Uses and Disclosures Beyond Treatment, Payment, and Health Care Operations Permitted Without Authorization or Opportunity to Object.
Federal privacy rules allow us to use or disclose your protected health information without your permission or authorization for a number of reasons including the following:
A. When Legally Required. We will disclose your protected health information when we are required to do so by any Federal, State or local law.
B. When There Are Risks to Public Health. We may disclose your protected health information for the following public activities and purposes.
To prevent, control, or report disease, injury or disability as permitted by law.
To report vital events such as birth or death as permitted required by law.
To conduct public health surveillance, investigations and interventions as permitted or required by law.
To collect or report adverse events and product defects, track FDA regulated products, enable product recalls, repairs or replacements to the FDA and to conduct post marketing surveillance.
To notify a person who has been exposed to a communicable disease or who may be at risk of contracting or spreading disease as authorized by law.
To report to an employer information about an individual who is a member of the workforce as legally permitted or required.
C. To Report Abuse, Neglect Or Domestic Violence. We may notify government authorities if we believe that a patient is the victim of abuse, neglect or domestic violence. We will make this disclosure only when specifically required or authorized by law or when the patient agrees to the disclosure.
D. To Conduct Health Oversight Activities. We may disclose your protected health information to a health oversight agency for activities including audits; civil, administrative or criminal investigations, proceedings, or actions; inspections; licensure or disciplinary actions. or other activities necessary for appropriate oversight as authorized by law. We will not disclose your health information if you are the subject of an investigation and your health information is not directly related to your receipt of heath care or public benefits.
E. In Connection With Judicial And Administrative Proceedings. We may disclose your protected health information in the course of any judicial or administrative proceeding in response to an order of a court or administrative tribunal as expressly authorized by such order or in response to a signed authorization (in a format approved by the Michigan Court Administrator).
F. For Law Enforcement Purposes. We may disclose your protected health information to a law enforcement official for law enforcement purposes as follows:
As required by law for reporting of certain types of wounds or other physical injuries.
Pursuant to court order, court-ordered warrant, subpoena, summons or similar process.
For the purpose of identifying or locating a suspect, fugitive, material witness or missing person.
Under certain limited circumstances, when you are the victim of a crime.
To a law enforcement official if the facility has a suspicion that your death was the result of criminal conduct.
In an emergency in order to report a crime.
G. To Coroners, Funeral Directors, and for Organ Donation. We may disclose protected health information to a coroner or medical examiner for identification purposes, to determine cause of death or for the coroner or medical examiner to perform other duties authorized by law. We may also disclose protected health information to a funeral director, as authorized by law, in order to permit the funeral director to carry out their duties. We may disclose such information in reasonable anticipation of death. Protected health information may be used and disclosed for cadaveric organ, eye or tissue donation purposes.
H. For Research Purposes. We may use or disclose your protected health information for research when the use or disclosure for research has been approved by an institutional review board or privacy board that has reviewed the research proposal and research protocols to address the privacy of your protected health information.
I. In the Event of a Serious Threat To Health Or Safety. We may consistent with applicable law and ethical standards of conduct, use or disclose your protected health information if we believe, in good faith, that such use or disclosure is necessary to prevent or lessen a serious and imminent threat to your health or safety or to the health and safety of the public.
J. For Specified Government Functions. In certain circumstances, the Federal regulations authorize the facility to use or disclose your protected heath information to facilitate specified government functions relating to military and veterans activities, national security and intelligence activities, protective services for the President and others, medical suitability determinations, correctional institutions, and law enforcement custodial situations.
K. For Worker’s Compensation. The facility may release your health information to comply with worker’s compensation laws or similar programs.
III. Uses and Disclosures Permitted Without Authorization But With Opportunity to Object
We may disclose your protected health information to your family member or a close personal friend if it is directly relevant to the person’s involvement in your care or payment related to your care. We can also disclose your information in connection with trying to locate or notify family members or others involved in your care concerning your location, condition or death.
You may object to these disclosures. If you do not object to these disclosures or we can infer fro the circumstances that you do not object or we determine, in the exercise of our professional judgment, that it is in your best interests for us to make disclosure of information that is directly relevant to the person’s involvement with your care, we may disclose your protected health information as described.
IV. Uses and Disclosures Which You Authorize
Other than as stated above, we will not disclose your health information other than with your written authorization. You may revoke your authorization in writing at any time except to the extent that we have taken action in reliance upon the authorization.
V. Your Rights
You have the following rights regarding your health information.
A. The right to inspect and copy your protected health information. You may inspect and obtain a copy of your protected health information that is contained in a designated record set for as long as we maintain the protected health information. A “designated record set” contains medical and billing records and any other records that your practitioner and the facility uses for making decisions about you.
Under Federal law, however, you may not inspect or copy the following records: psychotherapy notes; information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and protected health information that is subject to a law that prohibits access to protected health information. Depending on the circumstances, you may have the right to have a decision to deny access reviewed.
We may deny your request to inspect or copy your protected health information if, in our professional judgment, we determine that the access requested is likely to endanger your life or safety or that of another person, or that it is likely to cause substantial harm to another person referenced within the information. You have the right to request a review of this decision.
To inspect and copy your medical information, you must submit a written request to the Privacy Officer whose contact information is listed on the last pages of this Notice. If you request a copy of your information, we may charge you a fee for the costs of copying, mailing or other costs incurred by us in complying with your request.
Please contact our Privacy Officer if you have questions about access to your medical record.
B. The right to request a restriction on uses and disclosures of your protected health information. You may ask us not to use or disclose certain parts of your protected health information for the purposes of treatment, payment or health care operations. You may also request that we not disclose your health information to family members or friends who may be involved in your care or for notification purposes as described in the Notice of Privacy Practices. Your request must state the specific restriction requested and to whom you want the restriction to apply.
The facility is not required to agree to a restriction that you may request. We will notify you if we deny your request to a restriction. If the facility does agree to the requested restriction, we may not use or disclose your protected health information in violation of that restriction unless it is needed to provide emergency treatment. Under certain circumstances, we may terminate our agreement to a restriction. You may request a restriction by contacting the Privacy Officer.
C. The right to request to receive confidential communications from us by alternative means or at an alternative location. You have the right to request that we communicate with you in certain ways. We will accommodate reasonable requests. We may condition this accommodation by asking you for information as to how payment will be handled or specification of an alternative address or other method of contact. We will not require you to provide an explanation for your request. Requests must be made in writing to our Privacy Officer.
D. The right to have the facility amend your protected health information. You may request an amendment of protected health information about you in a designated record set for as long as we maintain this information. In certain cases, we may deny your requested for an amendment. If we deny your request for amendment, you have the right to file a statement of disagreement with us and we may prepare a rebuttal to your statement and will provide you with a copy of any such rebuttal. Requests for amendment must be in writing and must be directed to out Privacy Officer. In this written request, you must also provide a reason to support the requested amendments.
E. The right to receive an accounting. You have the right to request an accounting of certain disclosures of your protected health information made by the facility. This right applies to disclosures for purposes other than treatment, payment or health care operations as described in this Notice of Privacy Practices. We are also not required to account for disclosures that you requested, disclosures that you agreed to by signing an authorized form, disclosures for a facility directory, to friends or family members involved in your care, or certain other disclosures we are permitted to make without your authorization. The request for an accounting must be made in writing to our Privacy Officer. The request should specify the time period sought for the accounting. We are not required to provide an accounting for disclosures that take place prior to April 14, 2003. Accounting requests may not be made for periods of time in excess of six years. We will provide the first accounting you request during any 12-month period without charge. Subsequent accounting requests may be subject to a reasonable cost-based fee.
F. The right to obtain a paper copy of this notice. Upon request, we will provide a separate paper copy of this notice even if you have already received a copy of the notice or have agreed to accept this notice electronically.
VI. Our Duties
The facility is required by law to maintain the privacy of your health information and to provide you with this Notice of our duties and privacy practices. We are required to abide by terms of this Notice as may be amended from time to time. We reserve the right to change the terms of this Notice and to make the new Notice provisions effective for all protected health information that we maintain. If the facility changes its Notice, we will provide a copy of the revised Notice by sending a copy of the Revised Notice via regular mail or through in person contact.
You have the right to express complaints to the facility and to the Secretary of Health and Human Services if you believe that your privacy rights have been violated. You may complain to the facility by contacting the facility’s Privacy Officer verbally or in writing, using the contact information below. We encourage you to express any concerns you may have regarding the privacy of your information. You will not be retaliated against in any way for filing a complaint.
VIII. Contact Person
The facility’s contact person for all issues regarding patient privacy and your rights under the Federal privacy standards is the Privacy Officer. Information regarding matters covered by this Notice can be requested by contacting the Privacy Officer. Complaints against the facility, can be mailed to the Privacy Officer by sending it to:
Teter Orthotics & Prosthetics, Inc.
1225 West Front Street
Traverse City, MI 49684
Attn: Privacy Officer
The Privacy Officer can be contacted by telephone at 1-800-346-0161
IX. Effective Date
This Notice is effective April 14, 2003.
HIPAA Omnibus Changes
Breach notification requirements – The obligation to notify patients if there is a breach of their PHI is expanded and clarified under the new rules. Breaches are now presumed reportable unless, after completing a risk analysis applying four factors. It is determined, that there is a “low probability of PHI compromise.” The provider must consider all the following factors:
The nature and extent of the PHI involved = issues to be considered included the sensitivity of the information from a financial or clinical perspective and the likelihood the information can reidentified.
The person who obtained the unauthorized access and whether that person has an independent obligation to protect the confidentiality of the information.
Whether the PHI was actually acquired or accessed, determined after conducting a forensic analysis and the extent to which the risk has been mitigated, such as obtaining a signed confidentiality agreement form the recipient.
This rebuttable presumption of breach and four factor assessment of the “risk of PHI compromise” replaces the previous, more subjective “significant risk of financial, reputational, or other harm analysis for establishing a breach. The new rules further clarify that there is not need to have an independent entity conduct the risk assessment and indeed, no risk assessment need to be conducted at all if the breach notification is made (although, providers will want to undertake an appropriate review and steps to mitigate the harm and reduce the likelihood of future breaches in any case). The new rules further confirm that the breach notification requirement may be delegated to a BA, and providers are encouraged to coordinate with their BAs so that patients receive only one notification of the breach.
The new rules do not modify the actual reporting and timeframe requirements for Breach Notification; that is, covered entities must still adhere to requirements for individual notification, HHS notification and where applicable media posting of the breach.
Disclosures to health plans – At the patient’s request, providers may not disclose information about care the patient as paid for out-of-pocket to health plans, unless for treatment purposes or in the rare event the disclosure is required by law. This change updates the previous HIPAA Privacy Rule governing patient requests for restrictions on the use or disclosure of the PHI. Previously, while the physicians could refuse to abide by any such request, the new rule requires requests the restriction. Of all the changes made by the new rules, this change is likely to have the greatest impact on provider/physician practice workflow both in terms of documentation and follow up t ensure the restriction is adhered to.
Marketing communications – The new rules further limit the circumstances when providers/physicians may provide marketing communications to their patients in the absence of the patient’s written authorization. Generally speaking, the only time a provider/physician may tell a patient about a third-party’s product or service without the patient’s written authorization is when: 1) the provider/physician receives no compensation for the communication; 2) the communication is the face-to-face; 3) the communication involves a drug or biologic the patient is currently being prescribed and the payment is limited to reasonable reimbursement of the costs of the communication (no profit); 4) the communication involves general health promotion, rather than the promotion of a specific product or service; or 5) the communication involves government or government-sponsored programs. Providers/Physicians are still permitted to give patients promotional gifts of nominal value such as a pamphlet).
Copies of ePHI – Providers/Physicians will now have only 30 days to respond to a patient’s written request for his or her PHI with one 30-day extension, regardless of where the records are kept (eliminating the longer 60-day timeframe for records maintained offsite). They must provide access to her and other electronic records in the electronic form and format requested by the individual if the records are “readily reproducible” in the format. Otherwise, they must provide the records in another mutually agreeable electronic format. Hard copies are permitted only when the individual rejects all readily reproducible e-formats.
Emailing PHI – Providers/Physicians must consider transmission security, and may send PHI in unencrypted emails only if the requesting individual is advised of the risk and still requests that form of transmission.
Charging for copies of e-PHI or PHI – The new rules modify the costs that may be charged to the individual for copies to include labor costs (potentially to include billed technical labor costs for extracting electronic PHI and supply costs if the patient requests a paper copy, or if electronic, the cost of any portable media (such as a USB memory stick or a CD), assuming state law does not set a lower reimbursement rate. The rules also clarify that Providers/Physicians may impose a separate charge for creating an affidavit of completeness.
Research Authorizations – The new rules permit physicians to combine conditioned and unconditioned authorizations for research participation, provided individuals can opt-in to the unconditioned research activity. Moreover, these authorizations may encompass future research.
Decedents – The new rules allow physicians to make relevant disclosures to the deceased’s family and friends under essentially the same circumstances such disclosures were permitted when the patient was alive; that is, when these individuals were involved in the providing care or payment for care and the physician is unaware of any expressed preference to the contrary. The new rule also eliminates any HIPAA protection for PHI 50 years after a patient’s death.
Childhood Immunizations – Under the new rules, physicians may disclose immunizations to schools required to obtain proof of immunization prior to admitting the student so long as the physicians have and document the patient’s legal representative’s “informal agreement” to the disclosure.