Patient Records Privacy

Use and Disclosure of PHI

Protected Health Information (“PHI”) may not be used or disclosed in violation of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule (45 C.F.R. parts 160 and 164) (hereinafter, the “Privacy Rule”) or in violation of state law.

We are permitted, but not mandated, under the Privacy Rule to use and disclose PHI without patient consent or authorization in limited circumstances.  However, state or federal law may supersede, limit, or prohibit these uses and disclosures.

Under the Privacy Rule, these permitted uses and disclosures include those made:

·        To the patient

·        For treatment, payment, or health care operations purposes, or

·        As authorized by the patient.

Additional permitted uses and disclosures include those related to or made pursuant to:

·        Reporting on victims of domestic violence or abuse, as required by law

·        Court orders

·        Workers’ compensation laws

·        Serious threats to health or safety

·        Government oversight (including disclosures to a public health authority, coroner or medical examiner, military or veterans’ affairs agencies, an agency for national security purposes, law enforcement)

·        Health research

·        Marketing or fundraising.  

We do not use or disclose PHI in ways that would be in violation of the Privacy Rule or state law.  We use and disclose PHI as permitted by the Privacy Rule and in accordance with state or other law.  In using or disclosing PHI, we meet the Privacy Rule’s “minimum necessary requirement,” as appropriate.

Use and Disclosure of PHI—Minimum Necessary Requirement

When using, disclosing or requesting PHI, we make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.  We recognize that the requirement also applies to covered entities that request our patients’ records and require that such entities meet the standard, as required by law.

The minimum necessary requirement does not apply to disclosures for treatment purposes or when we share information with a patient.  The requirement does not apply for uses and disclosures when patient authorization is given.  It does not apply for uses and disclosures as required by law or to uses and disclosures that are required for compliance with the Privacy Rule.

 ·       Only the patient’s therapist has access to his or her PHI.  Psychotherapy Notes are kept in the therapist’s private office.  Clerical staff does not have access to Psychotherapy Notes.  All PHI is sequestered in the secretary’s office or in the attic, neither of which is accessible except to authorized personnel.

·        Routine disclosures are limited to those that the patient requests in writing on the appropriate Authorization Form.  Non-routine disclosure requests require review on an individual basis.

·        We will respond to your request for PHI to the minimum necessary.  You will inform us what information you wish us to release, to whom, and for what purpose.

·        We  may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose, if the PHI is requested by another covered entity, by a public official (who represents that the information requested is the minimum necessary), or by a researcher (with appropriate documentation).

·        We may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose, if the PHI is requested by a member of our staff or business associate.

·        We  will not use, disclose, or request an entire medical record, except when the entire medical record is justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request.

 Use and Disclosure of PHI—Psychotherapy Notes Authorization

We abide by the Psychotherapy Notes authorization requirement of the Privacy Rule, unless otherwise required by law.  In addition, authorization is not required in the following circumstances:

·        For our use for treatment

·        For use or disclosure in supervised training programs where trainees learn to practice counseling

·        To defend ourselves in a legal action brought by the patient, who is the subject of the PHI

·        For purposes of HHS in determining our compliance with the Privacy Rule

·        By a health oversight agency for a lawful purpose related to oversight of our practice

·        To a coroner or medical examiner

·        In instances of permissible disclosure related to a serious or imminent threat to the health or safety of a person or the public.

·          We recognize that a patient may revoke an authorization at any time in writing, except to the extent that we have, or another entity has, taken action in reliance on the authorization.

·        Psychotherapy Notes are kept separate from other PHI in the therapist’s private office.

·         Patients sign an acknowledgement of receiving a copy of our Notice of Policy and Practices to Protect PHI.  In keeping with this document, if patients wish us to release information, they must fill out and sign an Authorization Form.

·        To confirm that we have received a valid authorization, we take the following steps.

A valid authorization:

·        Must be completely filled out with no false information.

·        May not be combined with another patient authorization.

·        Must be written in plain language.

·        Must contain a statement adequate to put the patient on notice of his or her right to revoke the authorization in writing and either exceptions to such right and a description of how to revoke, or a reference to revocation in the notice provided to the patient.

·        Must contain a statement adequate to put the patient on notice of the inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization.

·        Must contain a statement adequate to put the patient on notice of the potential for information to be redisclosed and no longer protected by the rule.

Further, a valid authorization must contain the following information:

·        A description of the information to be used and disclosed that identifies the information in a specific and meaningful fashion.

·        The name or other specific identification of the person(s), or class of persons, authorized to make the requested use and disclosure.

·        The name or other specific identification of the person(s), or class of persons, to whom the requested use and disclosure will be made.

·        A description of each purpose of the requested use or disclosure.  The statement “at the request of the individual” is a sufficient description of the purpose when a patient initiates the authorization and does not, or elects not to, provide a statement of the purpose.

·        An expiration date that relates to the individual or the purpose of the use or disclosure.

·        A signature (or if signed by a personal representative, a description of authority to sign) and date.

·        Patients are provided a copy of their signed authorization.

Patient Rights—Notice

 As required under the Privacy Rule, and in accordance with state law, we provide notice to patients of the uses and disclosures that may be made regarding their PHI and our duties and patient rights with respect to notice.  We make a good faith effort to obtain written acknowledgment that our patients receive this notice.

·        Daniel C. Biber, Ph.D. is the privacy officer of Dilworth Psychotherapy Associates.

·        We provide notice to our patients on the first date of treatment.  In an emergency situation, we provide notice “as soon as reasonably practicable.”

·        Except in emergency situations, we make a good faith effort to obtain from a patient written acknowledgement of receipt of the notice.  If the patient refuses or is unable to acknowledge receipt of notice, we document why acknowledgement was not obtained.

We promptly revise and distribute notice whenever there is a material change to uses and disclosures, patient’s rights, our legal duties, or other privacy practices stated in the notice.

·        We make notice available in our office for patients to take with them and post the notice in a clear and prominent location.

·        The notice is posted on the Dilworth Psychotherapy Associates website (www.dilworthpsychotherapy.com)

·          Notice may be made available by e-mail if agreed to by the patient.

 Patient Rights—Restrictions and Confidential Communications

The Privacy Rule permits patients to request restrictions on the use and disclosure of PHI for treatment, payment, and health care operations, or to family members.  While we are not required to agree to such restrictions, we will attempt to accommodate a reasonable request.  Once we have agreed to a restriction, we may not violate the restriction; however, restricted PHI may be provided to another health care provider in an emergency treatment situation.

A restriction is not effective to prevent uses and disclosures when a patient requests access to his or her records or requests an accounting of disclosures.  A restriction is not effective for any uses and disclosures authorized by the patient, or for any required or permitted uses recognized by law.

The Privacy Rule also permits patients to request receiving communications from us through alternative means or at alternative locations.  As required by the Privacy Rule, we will accommodate all reasonable requests.

 ·       Requests to restrict the use and disclosure of information handled must be made by completing the Request for Confidential Handling of Health Information.

·        The therapist will review the request.

·        We are not required to accommodate requests to restrict the use and disclosure of information, but once agreed upon, we may not violate the agreement.

·        Restricted PHI may be provided to another health care provider in an emergency treatment situation.

·        A restriction is not effective to prevent uses and disclosures when a patient requests access to his or her records or requests an accounting of disclosures. 

·        A restriction is not effective for any uses and disclosures authorized by the patient, or for any required or permitted uses recognized by law.

·        We permit patients to request receiving communications through alternative means or at alternative locations and we accommodate reasonable requests.  We may not require an explanation for a confidential communication request, and reasonable accommodation may be conditioned on information on how payment will be handled and specification of an alternative address or method of contact.

·        A patient request to terminate a restriction must be submitted in writing.  All such requests are documented and become a part of the patient’s PHI.

Patient Rights—Access to and Amendment of Records

In accordance with state law, the Privacy Rule, and other federal law, patients have access to and may obtain a copy of the medical and billing records that we maintain.  Patients are also permitted to amend their records in accordance with such law.  

Patient Rights—Accounting of Disclosures  

We provide our patients with an accounting of disclosures upon request, for disclosures made up to six years prior to the date of the request.  While we may, we do not have to provide an accounting for disclosures made for treatment, payment, or health care operations purposes, or pursuant to patient authorization.  We also do not have to provide an accounting for disclosures made for national security purposes, to correctional institutions or law enforcement officers, or that occurred prior to April 14, 2003.

 ·        Patients may request an account of disclosures by submitting a request in writing. The request must state the time period for which the accounting is to be supplied, which may not be longer than six years. The request must state whether the patient wishes to be sent the accounting via postal or electronic mail.

·        A written accounting will be provided.  For each disclosure, the accounting provides the date, the name and address (if known) of the entity that received the PHI, a brief description of the PHI disclosed, and a brief statement of the purpose of the disclosure that “reasonably informs” the patient of the basis of the disclosure.

·        In lieu of the statement of purpose, a copy of a written request for disclosure for any of the permitted disclosures in the Privacy Rule or by HHS for compliance purposes may be provided.

·        We keep a copy of the accounting and include the name of the person (most frequently the patient’s therapist) who is responsible for receiving and processing accounting requests.

·        If multiple disclosures have been made for a single purpose for various permitted disclosures under the Privacy Rule or to HHS for compliance purposes, the accounting also includes the frequency, periodicity, or number of disclosures made and the date of the last disclosure.

·        We provide an accounting within 60 days of a request.  We may extend this limit for up to 30 more days by providing the patient with a written statement of the reasons for the delay and the date that the accounting will be provided.

·        The first accounting is provided without charge. For each subsequent request, we may charge a reasonable, cost-based fee. We will inform the patient of this fee and provide the patient the option to withdraw or modify his or her request.

·        We must temporarily suspend providing an accounting of disclosures at the request of a health oversight agency or law enforcement official for a time specified by such agency or official.  The agency or official should provide a written statement that such an accounting would be “reasonably likely to impede” activities and the amount of time needed for suspension.  However, the agency or official statement may be made orally, in which case we will document the statement, temporarily suspend the accounting, and limit the temporary suspension to no longer than 30 days, unless a written statement is submitted.

Business Associates  

We rely on certain persons or other entities, who or which are not our employees, to provide services on our behalf.  These persons or entities may include accountants, lawyers, billing services, and collection agencies.  Where these persons or entities perform services that require the disclosure of individually identifiable health information, they are considered under the Privacy Rule to be our business associates.

We enter into a written agreement with each of our business associates to obtain satisfactory assurance that the business associate will safeguard the privacy of the PHI of our patients.  We rely on our business associates to abide by the contract but will take reasonable steps to remedy any breaches of the agreement that we become aware of.  

·        We enter into and maintain a business associate contract with any person and entity that provides services on our behalf, which require the disclosure of individually identifiable health information.

·          We use appropriate safeguards to prevent inappropriate use and disclosure, other than provided for in the contract,

·        We report any use or disclosure not provided for by its contract of which it becomes aware,

·        We ensure that subcontractors agree to the contract’s conditions and restrictions,

·        We make records available to patients for inspection and amendment and incorporate amendments as required under the patient access and amendment of records requirements of the rule,

·        We make information available for an accounting of disclosures,

·        We make its internal practices, books, and records relating to the use and disclosure of PHI available to HHS for compliance reviews, and

·        At contract termination, if feasible, return or destroy all PHI.

·        If we know of a pattern of activity or practice of a business associate that constitutes a material breach or violation of the agreement, we will take reasonable steps to cure the breach.  If such steps are unsuccessful, we will terminate the contract, or if termination is not feasible, we will report the problem to HHS.

Administrative Requirement—Privacy Officer

Daniel C. Biber, PhD is designated the privacy officer for Dilworth Psychotherapy Associates.  He is responsible for the development and implementation of the policies and procedures to protect PHI, in accordance with the requirements of the Privacy Rule.  As the contact person for our practice, Daniel C. Biber, PhD receives complaints and fulfills obligations as set out in notice to patients.

The Privacy Officer is responsible for all ongoing activities related to the development, implementation, maintenance of, and adherence to the practice’s policies and procedures covering the privacy of and access to patient’s PHI in compliance with federal and state laws.  As Privacy Officer, Dr. Biber:

1.                  Develops, implements, and maintains the practice’s policies and procedures for protecting individually identifiable health information.

2.                  Conducts ongoing compliance monitoring activities.

3.                  Works to develop and maintain appropriate consent forms, authorization forms, notice of privacy practices, business associate contracts and other documents required under the HIPAA Privacy Rule.

4.                  Ensures compliance with the practice’s privacy policies and procedures and applies sanctions for failure to comply with privacy policies for all members of the practice’s workforce and business associates.

5.                  Establishes and administers a process for receiving, documenting, tracking, investigating and taking action on all complaints concerning the practice’s privacy policies and procedures.

6.                  Performs all aspects of privacy training for the practice and other appropriate parties.  Conducts activities to foster information privacy awareness with the practice and related entities.

7.                   Ensures alignment between security and privacy practices.

8.                   Cooperates with the Office of Civil Rights and other legal entities in any compliance reviews or investigations.

 Administrative Requirement—Training

As required by the Privacy Rule, we train all members of our staff, as necessary and appropriate to carry out their functions, on the policies and procedures to protect PHI.  We have the discretion to determine the nature and method of training necessary to ensure that staff appropriately protects the privacy of our patients’ records.

We train new members of our staff within a reasonable time after joining the staff.  We provide training to staff whose function is impacted by a material change in the Privacy Rule within a “reasonable time” from the effective date of the material change.  

Administrative Requirement—Safeguards

To protect the privacy of the PHI of our patients, we have in place appropriate administrative, technical, and physical safeguards, in accordance with the Privacy Rule.  

Administrative Requirement—Complaints

 The privacy of our patients’ PHI is critically important for our relationship with patients and for our practice.  We provide a process for patients to make complaints concerning our adherence to the requirements of the Privacy Rule.

 1.      Patients may file privacy complaints by submitting them in one of the following ways:

a.   In person, using the Privacy Complaint form.

      b.   By mail, either on the Privacy Complaint form or in a letter containing the necessary information.  All complaints should be mailed to:

                        Daniel C. Biber, Ph.D.

                        Dilworth Psychotherapy Associates

                        1717 Cleveland Avenue

                        Charlotte, NC 28203

      c.   By telephone at 704 334-4300

      d.   By fax at 704 334-8639

2.   All privacy complaints should be directed to Daniel C. Biber, Ph.D.

3.   The complaint must include the following information:

a.       The type of infraction the complaint involves

b.      A detailed description of the privacy issue

c.       The date the incident or problem occurred, if applicable

d.      The mailing/email address where formal response to the complaint may be sent.

4.      When a privacy complaint is filed by a patient, we will take the following steps:

a.   Validate the complaint with the individual.

c.     If appropriate, attempt to correct any apparent misunderstanding of the policies and procedures on the patient’s part; if after clarification, the patient does not want to pursue the complaint any further, indicate that “no further action is required.”  Record the date and time and file under dismissed complaints.

d.   If not dismissed, log the complaint by placing a copy of the complaint form in both the complaint file and in the patient’s record.

e.   Investigate the complaint by reviewing the circumstances with relevant staff (if applicable).

f.        If we determine that the complaint is invalid, we will send a letter stating the reasons the complaint was found invalid.  We will file a copy of the letter and form in an investigated complaints file.

g.   If our investigative findings are unclear, we will get a second opinion from our attorney.

h.    If we determine that the complaint is valid and linked to a required process or an individual’s rights, we will follow our office sanction policy to the extent that an individual is responsible.  If the complaint involves compliance with the standards that do not involve a single individual, then we will begin the process to revise current policies and procedures.

i.        Once an appropriate sanction or action has been taken with respect to a complaint with merit, or if the response will take more than 30 days, we will send a letter explaining the findings and the associated response or intended response.  We will document the disposition of the complaint and file the letter and form in an investigated complaints file.

j.        We will place a copy of the complaint form in the patient’s record.

k.      We will review both invalid and investigated complaint files periodically, to determine if there are any emerging patterns.  

Administrative Requirement—Sanctions

 We have and apply appropriate sanctions against a member of our staff who fails to comply with the requirements of the Privacy Rule or our policies and procedures.  We may not apply sanctions against an individual who is testifying, assisting, or participating in an investigation, compliance review, or other proceeding.

Administrative Requirement—Mitigation  

We mitigate, to the extent possible, any harmful effect that we become knowledgeable of regarding our use or disclosure, or our business associate’s use or disclosure, of PHI in violation of policies and procedures or the requirements of the Privacy Rule.  

Administrative Requirement—Retaliatory Action and Waiver of Rights

We believe that patients should have the right to exercise their rights under the Privacy Rule.  We do not take retaliatory action against a patient for exercising his or her rights or for bringing a complaint.  Of course, we will take legal action to protect ourselves, if we believe that a patient undertakes an activity in bad faith.

 We will not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against a patient for exercising a right, filing a complaint or participating in any other allowable process under the Privacy Rule.

We will not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against a patient or other person for filing an HHS compliance complaint, testifying, assisting, or participating in a compliance review, proceeding, or hearing, under the Administrative Simplification provisions of HIPAA.

We will not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against a patient or other person for opposing any act or practice made unlawful under the Privacy Rule, provided that the patient or other person has a “good faith belief” that the practice is unlawful and the manner of opposition is reasonable and does not involve disclosure of PHI.  

We will not require a patient to waive his or her rights provided by the Privacy Rule or his or her right to file an HHS compliance complaint as a condition of receiving treatment.  

Administrative Requirement—Policies and Procedures  

We have implemented policies and procedures to ensure that we are in compliance with the Privacy Rule.

·        Our policies and procedures are a demonstration of our compliance with the Privacy Rule.

·        We promptly change our policies and procedures to accord with changes to the Privacy Rule.  Notice provided to our patients will also be promptly changed to reflect the change in policy and procedure, unless the change does not materially affect the notice.  The timing of the change in notice and reliance on the change may depend on the terms for such changes in the notice.

Administrative Requirement--Documentation  

We meet applicable laws of the State of North Carolina and the Privacy Rule’s requirements regarding documentation.  

·        We maintain policies and procedures in written or electronic form.

·        All written communication required by the Privacy Rule is maintained (or an electronic copy is maintained) as documentation.

·        If an action, activity, or designation is required by the Privacy Rule to be documented, a written or electronic copy is maintained as documentation.

·        Documentation is maintained for a period of six years from the date of creation or the date when it last was in effect, whichever is later.

Effective April 14, 2002