
Notice of Privacy Practices


General

Introduction:
While Longevity Medical Clinic ("Practice") is not a covered entity under the Health Insurance Portability and Accountability Act (“HIPAA”), we have voluntarily elected to implement policies and procedures that align with HIPAA standards to safeguard the integrity and confidentiality of protected health information (“PHI”) and other sensitive patient information.

Purpose of Privacy Policies and Procedures:

The purpose of these policies and procedures is to:

  • Emulate the protection standards for PHI as outlined by federal and state laws, including HIPAA, thereby enhancing the privacy and security of our patients’ health information.
  • Provide our workforce with the necessary medical and other information to deliver the highest quality medical care possible.
  • Ensure that the confidentiality of patient information is maintained to the highest degree possible, thereby fostering patient trust and confidence in our commitment to privacy and security.

These policies signify our commitment to the voluntary adoption of privacy standards that reflect our dedication to protecting patient information, despite our non-covered status under HIPAA.

General Policy:
Teresa Gabrielson shall serve as Practice’s Privacy Officer. Practice and its personnel shall not use or disclose PHI, except as permitted or required by the HIPAA Privacy Rule and the HIPAA Security Rule. All Practice workforce members are required to comply with all HIPAA Privacy Policies and Procedures. In addition, workforce members are expected to report known or suspected violations of the HIPAA Privacy Policies and Procedures by others. Reports of violations should be in writing and directed to Practice’s Privacy Officer.

Procedures:

1) Practice and its personnel are permitted to use or disclose PHI as follows:
   a) to the individual patient;
   b) for treatment, payment, or health care operations as permitted under HIPAA;
   c) incident to a use or disclosure otherwise permitted or required by the HIPAA Privacy Rule, provided that such use or disclosure is limited to the minimum necessary to accomplish the intended purpose of the use, disclosure or request;
   d) pursuant to and in compliance with a valid authorization for use and disclosure of PHI from the individual pursuant to the Authorizations for the Use or Disclosure of PHI Policies and Procedures;
   e) pursuant to an agreement by an individual for the use or disclosure after being given an opportunity to agree or object to such use or disclosure; or
   f) as otherwise permitted or required under the HIPAA Privacy Rule.
2) Practice and its personnel are required to disclose PHI as follows:
   a) to an individual, when requested in accordance with these HIPAA Privacy Policies; and
   b) when required by the Secretary of Health and Human Services (“HHS”) under HIPAA to investigate or determine Practice’s compliance with the HIPAA Privacy Rule.
3) The Privacy Officer shall investigate whenever there is a credible allegation that a violation of these HIPAA Privacy Policies and Procedures has occurred and shall recommend appropriate sanctions for such violations, if any.
4) When using or disclosing PHI or when requesting PHI from another covered entity, Practice will make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. The foregoing minimum necessary requirement does not apply to the following:
   a) disclosures to or requests by a health care provider for treatment;
   b) uses or disclosures made to the individual, as permitted or required under the HIPAA Privacy Rule;
   c) uses or disclosures made pursuant to an authorization by an individual where authorization is required under the HIPAA Privacy Rule;
   d) disclosures made to HHS as required to investigate or determine Practice’s compliance with the HIPAA Privacy Rule; and
   e) uses or disclosures that are required by law under the HIPAA Privacy Rule, and uses or disclosures that are required for compliance with the applicable requirements of the HIPAA Privacy Rule.

Permitted Uses and Disclosures

General Policy:
Practice is permitted to use and disclose PHI in specific instances as permitted by the HIPAA Privacy Rule without patient authorization.

Procedures:

1) Treatment, Payment and Health Care Operations. Practice personnel are permitted to use or disclose PHI for treatment, payment and health care operations purposes as follows:
   a) Practice may use or disclose PHI for its own treatment, payment, or health care operations.
   b) Practice may disclose PHI for treatment activities of a health care provider.
   c) Practice may disclose PHI to another covered entity or a health care provider for the payment activities of the entity that receives the information.
   d) Practice may disclose PHI to another covered entity for health care operations activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the PHI being requested, the PHI pertains to such relationship, and the disclosure is for the purpose of:
      (1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; patient safety activities (as defined in 42 CFR 3.20); population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;
      (2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities; or
      (3) Health care fraud and abuse detection or compliance.
2) Permissible Disclosures. Practice personnel are permitted to use or disclose PHI without a patient authorization as follows:
   a) As required by law.
   b) To the appropriate state or federal health authority conducting public health surveillance, public health investigations, public health interventions, and Food and Drug Administration regulatory oversight.
   c) Limited fundraising, if the client is able to opt out.
   d) For health oversight activities.
   e) Reporting the suspected abuse or neglect of a child or vulnerable adult as required by federal and state law.
   f) Cooperating with ongoing investigations related to the suspected abuse of a child or vulnerable adult.
   g) Responding to a subpoena or court order from a federal, state or county court, in which case attempts must be made to notify the individual of the disclosure.
   h) Responding to legal action initiated by a client against the agency regarding services provided.
   i) Limited law enforcement purposes when the disclosure of PHI is reasonably believed to be evidence of criminal conduct (pursuant to the restrictions in 45 CFR 164.512(f)).
   j) To a law enforcement official who requests such information to identify or locate a suspect, fugitive, material witness, or missing person. In this case only very limited PHI would be disclosed.
   k) About decedents, to a coroner, medical examiner or funeral director.
   l) For research purposes, if approved by an Institutional Review Board.
   m) In order to avert a serious threat to health or safety, including reporting the imminent danger of a client to self or others as required by state law.
   n) For some specialized government functions related to military, veterans, armed forces, national security or intelligence activity, and correctional institutions and custodial situations.
   o) For some government programs providing public benefits.
   p) To assist with workers’ compensation claims.
   q) To business associates as outlined in the Business Associate Agreements Policy and Procedure.
   r) As otherwise permitted by the HIPAA Privacy Rule.

Sanctions Policy

General Policy
Whenever there is a credible allegation that a violation of a patient’s privacy rights has occurred, Practice shall investigate the allegation and shall recommend appropriate sanctions for such violations, if any.

Procedures
Sanctions for workforce members may include, but are not limited to, verbal warnings, written warnings, paid and unpaid suspensions, and termination, in accordance with applicable personnel policies.

1) Definition of a Violation: The level of a breach of patient confidentiality or privacy violation is determined according to the severity of the breach or violation, whether the breach or violation was intentional or unintentional, and whether the breach or violation indicates a pattern or practice of improper use or release of confidential patient information or violation of patient privacy. The degree of discipline may range from a verbal warning to immediate termination.

   a) Class I Violation(s): Carelessness or Inadvertent Action. This level of breach or violation occurs when a Practice workforce member unintentionally or carelessly accesses, reviews, or releases confidential patient information without a legitimate business reason. Examples include, but are not limited to:
      i. Leaving PHI in an unsecured area where it might be viewed by others.
      ii. Leaving a computer unattended while the workforce member is logged on to a system containing PHI.
      iii. Sharing PHI with another workforce member without authorization or unrelated to the performance of the workforce member’s duties.
      iv. Discussing PHI in public areas where you can be overheard (e.g., patient waiting room, restroom, etc.); or
      v. Faxing documents to the wrong location or mailing/giving documents to the wrong person/patient.

   b) Class II Violation(s): No Personal Gain. This level of breach or violation occurs when a workforce member intentionally accesses or releases confidential patient information for purposes other than the care of the patient or other authorized purposes but for reasons unrelated to personal gain. Examples include, but are not limited to:
      i. The sharing of computer access codes (username & password); or
      ii. The use of another person’s computer access codes (username & password).

   c) Class III Violation(s): Personal Gain or Malice. This level of breach or violation occurs when a workforce member accesses, reviews, or releases confidential patient information for personal gain or with malicious intent. Examples include, but are not limited to:
      i. Accessing or reviewing a health record of a patient without a legitimate business reason, such as reviewing the record of a patient in the news, another workforce member’s information, or a public personality.
      ii. Using and/or disclosing PHI for commercial advantage, personal gain or malicious harm; or
      iii. Obtaining PHI under false pretenses.

2) Sanctions: Violation of this policy will result in action appropriate to the circumstances, the class of offense, and whether there is a pattern of repeated violations. The following steps are guidelines for disciplinary action for privacy breaches and violations. Risk to patients or staff and other serious offenses may warrant deviation from these guidelines. Such disciplinary actions may include, but are not limited to, any one or more of the following:

   a) Class I Violation(s):
      i. First Offense: A documented warning.
      ii. Multiple Offenses: Each subsequent Class I Violation constitutes a Class II Violation.
   b) Class II Violation(s):
      i. First Offense: Depending on the facts, (1) documented warning, and/or (2) final written warning/last chance agreement.
      ii. Multiple Offenses: Depending on the facts, (1) final written warning/last chance agreement, (2) suspension of up to five days without pay, documented and maintained in the workforce member’s file, and/or (3) immediate termination with reports to appropriate agencies if applicable.
   c) Class III Violation(s):
      i. First or Subsequent Offense: Depending on the facts, (1) suspension of up to five days without pay, documented and maintained in the workforce member’s file, and/or (2) immediate termination with reports to appropriate agencies if applicable.
      ii. Civil and criminal penalties as provided under HIPAA and other applicable Federal/State/Local laws.

3) Exceptions: No sanctions or retaliatory actions shall apply to:
   a) Whistleblowers. Workforce members who believe in good faith that Practice has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by Practice potentially endanger patients, workers, or the public shall not be sanctioned for disclosing PHI to the following individuals or entities:
      i. A health oversight agency or public health authority authorized by law to investigate or oversee the conduct or conditions of Practice, so long as the purpose of the disclosure was to report the allegation regarding Practice’s failure to meet the relevant legal or professional standards;
      ii. A health care accreditation organization, so long as the purpose of the disclosure was to report the allegation regarding Practice’s failure to meet the relevant legal or professional standards; or
      iii. An attorney retained by or on behalf of the workforce member for the purpose of determining the legal options that the member has regarding Practice’s alleged illegal or unprofessional conduct under this Section 3.a.
   b) Individuals who oppose actions that violate HIPAA. Sanctions will not be applied to any individual for the following:
      i. Filing a truthful complaint with HHS, or other governmental agency, regarding a privacy violation;
      ii. Testifying, assisting, or participating in any official investigation, compliance review, proceeding, or hearing under HIPAA; or
      iii. Opposing any act of Practice that violates the HIPAA Privacy or Security Rules, as long as the individual doing so believes in good faith that the act of Practice is unlawful, and the manner of the opposition is reasonable and does not involve making a disclosure of PHI that violates HIPAA.

Authorizations for the Use or Disclosure of PHI

General Policy:
Except in the circumstances permitted by the HIPAA Privacy Rule and/or described in Practice’s HIPAA Privacy Policies and Procedures, Practice will not use or disclose a patient’s PHI without first obtaining the patient's written authorization.

Procedures:

1) Authorization Forms. Workforce members shall use the authorization forms that have been developed by Practice to comply with all of the requirements for such forms outlined in the HIPAA Privacy Rule and shall not alter those forms in any way.
2) Incomplete Authorizations. Authorization forms that are not filled in completely, or that are not signed and/or dated, will not be accepted. Incomplete authorizations are not valid, and disclosures made pursuant to them are not "authorized" under our privacy policies.
3) Compound Authorizations. The following rules regarding compound authorizations (i.e., forms that authorize more than one use or disclosure of PHI) apply:
   a) Authorization forms that condition treatment, payment, or enrollment in a health plan upon the patient signing the authorization will not be combined with an authorization for another use or disclosure.
   b) Authorization forms that authorize the use or disclosure of psychotherapy notes will only be combined with authorizations for other uses and disclosures of psychotherapy notes.
   c) Authorization forms that authorize the use or disclosure of PHI for research may be combined with any other type of written authorization for the same or another research study. Upon the creation of any authorization forms for research, Practice personnel should consult 45 CFR 164.508 specifically.

4) Treatment Conditioned on Authorization. Practice will not condition the provision of treatment on a patient’s provision of an authorization, except:

   a) The provision of research-related treatment may be conditioned on a patient's authorization to have the information generated from that treatment released as part of the research.
   b) The provision of treatment, the sole purpose of which is to create information for release to third parties, may be conditioned on a patient's authorization to have the information released to the relevant third parties. For instance, if a patient has requested a physical examination for the sole purpose of having the results of that examination released to his or her employer, Practice may refuse to perform the examination if the patient refuses to authorize the release of PHI regarding that exam to the employer.

5) Revocation of Authorization. In most cases, patients may revoke their authorizations, in writing, at any time. Revocations become effective when the patient has revoked such authorization in writing and submitted it to Practice. Exceptions to this general rule are:

   a) If Practice has already taken action in reliance on an authorization, the revocation is not effective with respect to those actions.
   b) If the patient signed an authorization as a condition of receiving insurance coverage, a revocation of that authorization will not be effective to impede an insurer's contest of a claim under the policy.

6) Authorization Required When Patient Seeks Disclosure. If a patient seeks disclosure of his or her PHI for any purpose for which an authorization is required, the patient shall complete an authorization form. A copy of the completed form shall be given to the patient and the original shall be sent to the Privacy Officer. The Privacy Officer shall review the form and make the disclosure, if appropriate. If the form is not complete, the Privacy Officer shall contact the patient to notify him or her that additional information is needed. The Privacy Officer shall file the authorization form in the patient's medical record.

7) Authorization for Disclosure for Marketing Purposes. Practice shall follow the Disclosure of PHI for Marketing Policy prior to disclosing any PHI for marketing purposes.

Incidental Disclosures of PHI

General Policy:
Incidental disclosures are disclosures of PHI that occur as a by-product of a permissible use or disclosure, are limited in nature, and cannot be prevented using reasonable measures. Incidental disclosures do not violate Practice’s HIPAA Privacy Policies and Procedures as long as: (1) reasonable measures were taken to prevent the incidental disclosure; and (2) the disclosure resulted from a use or disclosure that is otherwise permissible under Practice’s HIPAA Privacy Policies and Procedures, including policies regarding using or disclosing the minimum necessary information.

Procedures:
1) The following measures are considered reasonable with respect to the prevention of incidental disclosures and shall be followed when applicable:

   a) Compliance with the Policy Regarding Transmission of PHI via Facsimile, the Policy Regarding Transmission of PHI via E-mail, and the Policy Regarding Transmission of PHI via Telephone shall constitute reasonable measures for the prevention of incidental disclosures when receiving or disclosing PHI via telephone, e-mail or fax.
   b) When discussing PHI in any non-private area (e.g., a waiting room, reception area, or hall), all conversations should be kept as low as reasonably possible. Private areas should be used for such discussions whenever possible. If PHI is communicated via sign language, reasonable efforts should be made to move the discussion out of plain view of passersby.
   c) Computer screens should be set up out of view of patients.

Patient Request to Access Medical Records

General Policy:
Except as specifically limited by this Policy, Practice shall allow patients to inspect and obtain a copy of PHI about the patient that is maintained in a designated record set. Requests for access must be made in writing and should be directed to Practice’s Privacy Officer.

Procedures:
1. Inquiries. All patients who inquire about accessing their medical records shall be notified that requests for access must be made in writing.
2. Non-Reviewable Grounds for Denial of Access. Access may be denied under the following circumstances. Denials for these reasons are final and non-reviewable:
   a) Knowledge of the health care information could reasonably be expected to lead to the patient's identification of an individual who provided the information in confidence and under circumstances in which confidentiality was appropriate.
   b) The health care information was compiled and is used solely for litigation, quality assurance, peer review, or administrative purposes; or
   c) An individual's access to health care information that is contained in records subject to the Privacy Act, 5 U.S.C. 552a, may be denied if the denial of access under the Privacy Act would meet the requirements of that law.

3. Reviewable Grounds for Denial of Access. Access may be denied under the following circumstances. Patients may request to have these denials reviewed by a licensed health care professional who was not involved in the original denial determination:
   a) Knowledge of the requested health care information would endanger the life or physical safety of the patient or another person.


4. Action on Requests. Upon receiving a written request for access, the Privacy Officer or his or her designee shall review the request in accordance with the policies set forth in Paragraphs 1 through 3 of this policy.

   a) General Rule. Within fifteen (15) days, the Privacy Officer shall determine whether access will be granted in full, granted in part, or denied; shall inform the patient of the decision; and shall provide the access that is granted, if any.
   b) Extensions of Time. If the subject record is in use, or unusual circumstances have delayed the handling of the access request, the Privacy Officer may inform the patient and specify in writing the earliest date, not later than twenty-one (21) days after receiving the request, when Practice will respond to the patient’s request.

5. Providing Access.  Practice will provide access to the records in accordance with this Section 5.

   a) Form or Format. If access is granted, the patient will be provided with the information in the form or format requested if the information is readily available in that format. If records are not readily available in the format requested, the patient shall be provided with a readable hard copy of the information.
   b) Electronic Format. If a patient requests an electronic copy of his or her PHI, and if the requested PHI is maintained electronically by Practice, Practice must provide the patient with access to the PHI in the electronic form and format requested by the patient (e.g., Adobe PDF), if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by Practice and the patient.
   c) Summary Alternative. Practice may provide the patient with a summary of the requested PHI in lieu of providing access to the PHI, or may provide an explanation of the PHI to which access has been provided, if the patient agrees in advance to such a summary or explanation, and the patient agrees in advance to the fees imposed (if any) by Practice for such summary or explanation.
   d) In-Person Access. If the patient requests in-person access to his or her medical records, the Privacy Officer shall provide the phone number of the appropriate records staff person so that the patient may contact this person to arrange for in-person inspection. The patient will be informed that Practice personnel must be present at all times during inspection of the medical record.
   e) Third Party Access. If a patient’s request for access directs Practice to transmit the copy of PHI directly to another person designated by the patient, Practice must provide the copy to the person designated by the patient. The patient’s request must be in writing, signed by the patient, and clearly identify the designated person and where to send the copy of PHI.

6. Denying Access. All patients who have had their request denied will be sent a written denial within the timeframes set forth in Paragraph 4 above.

   a) Access Upon Denial. If Practice denies access to a patient’s requested PHI, Practice will, to the extent possible, give the patient access to any other PHI requested after excluding the PHI to which Practice has a ground to deny access.
   b) Information Not Maintained. If Practice does not maintain the requested information, Practice shall provide the patient with the name of the person or entity who maintains the information, if known.
   c) Review. If a patient’s request for access is denied under this policy, Practice shall permit examination and copying of the record by another health care provider, selected by the patient, who is licensed, certified, registered, or otherwise authorized under the laws of Washington State to treat the patient for the same condition as Practice. Practice shall inform the patient of the patient's right to select another health care provider under this subsection. The patient shall be responsible for arranging compensation for the other health care provider so selected.

7. Fees.  If a patient requests a copy of the PHI or agrees to a summary or explanation of such information, Practice may charge a reasonable cost-based fee in accordance with HIPAA and applicable state laws pertaining to patient access to medical records.

8. Requests and Responses.  All correspondence regarding requests for access shall be maintained in the patient’s record for a minimum of six (6) years. 

Patient Request for Restrictions on the Use and Disclosure of PHI

General Policy:
Practice’s Privacy Officer or his or her designee may grant a patient’s request to restrict the use or disclosure of the patient’s PHI, subject to the limitations set forth in this policy.

Procedures:
1. Requests for Restrictions. If a patient asks to restrict the use or disclosure of PHI, the patient shall submit a written request to Practice’s Privacy Officer.
   a) Practice is not required to agree to a requested restriction, except if a patient’s request is to restrict disclosure of PHI to a health plan for the purpose of carrying out payment or health care operations, the disclosure is not otherwise required by law, and the PHI pertains solely to a health care item or service which has been paid in full by the patient or another person or entity on the patient’s behalf.
   b) If Practice agrees to a requested restriction, it may not use or disclose the PHI in violation of such restriction, except in the emergency situations and other permitted or required situations described below.

2. Use of Restricted Information in Emergency Situations. Practice may use the restricted information in emergency circumstances, where the information is needed to provide treatment to the patient or for the purpose of providing such treatment. In such emergency cases, the restricted information may also be disclosed to another health care provider to allow that provider to treat the patient. When making the disclosure, the health care provider will be requested to not further use or disclose the restricted information.

3. Other Permitted or Required Situations. A restriction agreed to by Practice is not effective to prevent uses or disclosures by Practice which are permitted or required as follows:

   a) When required by HHS to investigate or determine Practice’s compliance with the HIPAA Privacy Rule;
   b) For Practice’s facility directories, unless the patient has specifically expressed an objection to restrict the use or disclosure of his/her PHI for such directory purposes; and
   c) When required by law; for public health activities; for disclosures about victims of abuse, neglect, or domestic violence; for health oversight activities; for judicial and administrative proceedings; for law enforcement purposes; about decedents requested by coroners, medical examiners, and funeral directors; for cadaveric organ, eye or tissue donation purposes; for research purposes, subject to the conditions set forth in the HIPAA Privacy Rule; to avert a serious threat to health or safety; for specialized government functions, such as military activities and national security/intelligence activities; or for workers’ compensation.

4. Termination of Restriction. An agreement to a restriction can be terminated at any time by either the patient or Practice. The patient’s request or agreement to termination of a restriction shall be in writing, or if submitted orally, shall be reduced to writing and filed in the patient’s medical record. If Practice determines to terminate the restriction it shall inform the patient and such termination shall be effective only with respect to PHI of the patient created or received after that notification.

5. Documentation. The Privacy Officer or his/her designee shall ensure that the restrictions, if any, are documented in the patient’s record. Documentation of the restrictions shall be maintained for six (6) years from the date the notation was made or six (6) years from the date the restriction was last in effect, whichever is later.

Accounting of Disclosures

General Policy:
Except for specific restrictions delineated in this Accounting of Disclosures Policy and Procedure, a patient shall, upon request, be given an accounting of all disclosures of PHI contained in his or her medical or billing record made during all or part of the six (6) years immediately preceding the patient’s request. This accounting shall include disclosures by Practice, or on behalf of Practice, by business associates.

Procedures:
1) Recording of Disclosures: With the exception of the disclosures listed in this Accounting of Disclosures Policy and Procedure, any employee or other agent who makes a disclosure of the PHI maintained about a patient in a medical or billing record shall record the following information regarding that disclosure:
   a) The date of the disclosure.
   b) The name of the entity or person who received the disclosure, and, if known, the address of that entity or person.
   c) A brief description of the information disclosed.
   d) A brief statement of the purpose of the disclosure that would reasonably inform a reader of the basis for the disclosure.

If multiple disclosures are made to the same person or entity over a period of time, a reference to the documentation of the first disclosure and the date of subsequent disclosures can be recorded in the accounting log. If disclosures are periodic, that fact can be recorded along with the first disclosure, as well as the expected date of each periodic disclosure.

2) Requests for Accounting: All persons who request an accounting of disclosures shall be directed to make the request in writing and submit it to the Privacy Officer. The accounting will be provided to the patient on request.

3) Action on Requests for Accounting: Upon receiving a written request for an accounting, the Privacy Officer or his designee will:
     a) Contact all qualified service organizations and business associates who have received the PHI of the patient in question and request a copy of the business associate’s or qualified service organization’s accounting log and research disclosures log regarding the patient.
     b) Within sixty (60) days of the patient’s request, review all relevant accounting logs including, but not limited to: the advanced directives section of the patient’s chart, the correspondence section, as well as other appropriate areas of the chart that may include any HIPAA related incidences. Once completed, either provide the information requested or notify the patient that an extension of time is needed. The reason for the delay shall be explained and a date for availability of the desired information will be provided. The extension may be no longer than thirty (30) days and can be utilized only once for any given request.

4) Accounting Information to be Provided: Each disclosure included in the accounting shall include:
     a) A description of the type of PHI that was disclosed.
     b) The date or period of time during which disclosures may have occurred, including the date of the last such disclosure during the accounting period.
     c) The name, address, and telephone number of the entity that requested the information.
     d) In the event that it appears that the patient’s health information was disclosed to a research protocol or activity, in addition to a, b, and c, a description of the protocol or activity, including the purpose of the research and the criteria for selecting certain records, will be provided. Practice will assist the patient in contacting the entity that sponsored the research, upon the patient’s request.

5) Exceptions to the Right to Accounting: An accounting will not be provided to the patient for the following disclosures:
     a) Disclosures made for the purpose of carrying out treatment, payment, or health care operations.
     b) Disclosures made to the patient.
     c) Disclosures of information maintained in our patient directory, or disclosures made to people involved in the patient’s care, or for the purpose of notifying the patient’s family or friends about the patient’s whereabouts.
     d) Disclosures for national security or intelligence purposes.
     e) Disclosures to correctional institutions or law enforcement officials who had the patient in custody at the time of the disclosures.
     f) Disclosures that occurred prior to April 14, 2003.
     g) Disclosures made pursuant to an authorization signed by the patient.
     h) Disclosures that are part of a limited data set.
     i) Incidental disclosures that comply with the Incidental Disclosures of PHI Policy and Procedure.

6) Suspension of Accounting Rights: A request by a health oversight agency or law enforcement official to suspend a patient’s ability to receive an accounting of the disclosures made to the agency and/or official shall be complied with if:

     a) The agency or official provides a written statement that an accounting of the disclosures that have been or are being made to the agency or official would be reasonably likely to impede the agency or official’s activities, and states a time period for which the suspension will be effective; or
     b) The agency or official provides an oral statement that an accounting of the disclosures that have been made or are being made to the agency or official would be reasonably likely to impede the agency or official’s activities, so long as the oral statement is documented by the Practice employee or agent who takes the statement. Oral suspensions of accountings are effective only for thirty (30) days and may not be renewed with another oral request.

7) Charges: If the patient has not received an accounting in the twelve (12) month period preceding his or her request, the accounting will be provided at no cost to the patient. Otherwise, the patient will be charged for each additional accounting. Patients will be informed of this policy and billed for this charge prior to, or at the time of, the second request for an accounting. At that time the patient may withdraw or modify his or her request in order to avoid the charge.

8) Documentation: All correspondence regarding requests for accountings, suspensions of accountings by health oversight agencies and law enforcement officials, as well as accountings themselves, shall be maintained in the patient’s record for a minimum of six (6) years.

Requests to Correct or Amend Medical Records

General Policy:
Patients or their legally authorized representatives have a right to request to amend or correct PHI maintained by Practice. Requests must be in writing, should be reviewed in a timely fashion, and the disposition documented in writing. When applicable, the disposition of the request will be disclosed to others who need it.

Procedures:
1) Requests to correct or amend PHI, in order to be fully considered, must be in writing.

2) Timing for Response
Within ten (10) days of receipt of a request, Practice shall either:
     a) Make the requested correction or amendment and inform the patient of the action;
     b) Inform the patient if the record no longer exists or cannot be found;
     c) If Practice does not maintain the record, inform the patient and provide the patient with the name and address, if known, of the person who maintains the record; or
     d) Deny the request in writing as described below.
If Practice is unable to act on the amendment within ten (10) days, Practice may extend the time for response by no more than twenty-one (21) days from the Practice’s receipt of the request, provided that the record is in use or unusual circumstances have delayed the handling of the correction or amendment request.

4) Approval of a Request:
   a) The correction or amendment shall be made in the appropriate record.
   b) Mark the record affected by the change as corrected/amended at patient’s request.
   c) Draw a single line through any information to be modified, or create some other notation, and date and sign the entry. The original entry is to remain legible.
   d) Indicate where in the record the corrected or amended information is located.
   e) Enter the new information, indicate that it is a corrected or amended chart note, and date and sign the entry.
   f) Send a copy of the correction or amendment to any third party that previously received the amended information.
   g) Obtain the individual’s identification of any person the individual wants notified of the correction or amendment and take reasonable steps to notify such persons of the change.

5) Denial of a Request: An individual’s request to correct or amend a medical record may be denied if Practice determines that the PHI:
   a) Was not created by Practice, unless the individual provides a reasonable basis to believe that the originator of the PHI is no longer available to act on the requested amendment;
   b) Is not part of the designated record set;
   c) Would not be available for inspection under the Patient Request to Access Medical Records Policy; or
   d) Is accurate and complete.

6) Disposition:
a) Individuals must be informed of the disposition of the written request.

b) If the request is denied:
   i) Send the requestor a denial letter and include the reason for the denial and information about the option to file a statement of disagreement.
   ii) Document the reason for the denial.
   iii) Add any statement of disagreement with the suggested amendment.
   iv) Add a copy of the denial letter to the medical record.
   v) Mark the challenged entry to indicate that the patient claims the entry is inaccurate or incomplete and indicate where the request for amendment and any statement of disagreement is located in the record.
   vi) Send any statement of disagreement to any third-party payor or insurer that previously received the disputed PHI.
   vii) Document the disclosure.

c) Future disclosures must include the written request, the denial and any statement of disagreement. However, if no statement of disagreement is filed, the written request and the denial may only be included in future disclosures upon the request by the patient or authorized individual.

7) Amendments Originating Elsewhere: If notified by another health care entity that an amendment or correction has been made to a patient’s PHI then:
   a) The correction or amendment shall be filed in the appropriate record;
   b) As necessary, the record affected by the change shall be marked as corrected or amended; and
   c) The affected record shall be attached or linked to the corrected or amended information, or shall otherwise indicate where in the record that information is located.

8) Documentation: Teresa Gabrielson, as the Privacy Officer, is responsible for receiving and processing requests for amendments by individuals and retaining documentation of the requests and responses for 6 years.

Breach Notification Policy

General Policy:
Practice will comply with the federal mandatory breach notification requirements pertaining to the breach of unsecured PHI. To that end, Practice will notify the appropriate parties, including patients, law enforcement as applicable, HHS, and other covered entities of whom Practice is a business associate of a breach of unsecured PHI in accordance with the federal mandatory breach notification requirements. The mandatory reporting obligations set forth in this policy apply only to unsecured PHI.

Definitions:
a) “Unsecured PHI” means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by HHS.

b) “Breach” means, except as provided below, an acquisition, access, use or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule. Such an acquisition, access, use or disclosure is presumed to be a breach unless Practice or one of its business associates, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment, which must include at least the factors set forth below in this Policy. The term “breach” does not include:

   i) Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of Practice or a business associate of Practice, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the HIPAA Privacy Rule;

   ii) Any inadvertent disclosure by a person who is authorized to access PHI at a facility operated by Practice or a business associate of Practice to another person authorized to access PHI at Practice, the same business associate of Practice, or an organized health care arrangement in which Practice participates, provided that such disclosure is not further used or disclosed in a manner not permitted under the HIPAA Privacy Rule; or

   iii) A disclosure of PHI where Practice or a business associate of Practice has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Procedures:
1) Analysis of Incident. When determining the probability that a breach has occurred, i.e. whether the privacy or security of a patient’s PHI has been compromised, Practice shall consider the factors included in the HIPAA Breach Assessment at Exhibit A to this Policy. These factors must include the following:
    a) The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
    b) The unauthorized person who used the PHI or to whom the disclosure was made;
    c) Whether the PHI was actually acquired or viewed; and
    d) The extent to which the risk to the PHI has been mitigated.
Other factors may also be considered as necessary.

2) Notification. Practice will notify each patient whose unsecured PHI has been, or is reasonably believed by Practice to have been, accessed, acquired, or disclosed because of a breach.

3) Timing of Notification. Unless a law enforcement official determines that notification will impede a criminal investigation or cause damage to national security, Practice will make the notification required by this policy without unreasonable delay and in no event later than sixty (60) calendar days after Practice’s discovery of the breach. For purposes of this notification timeframe, a breach is deemed to have been discovered on the first day that such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of Practice.

4) Method of Notification. Practice will provide notice of a breach to patients in writing, by first class mail, sent to the last known address of the patient. If a patient has specified a preference for electronic mail, such notice shall be made via electronic mail. If Practice knows the patient is deceased and has the address of the next of kin or personal representative of the patient, Practice will provide notification by first-class mail to either the next of kin or personal representative of the patient. The foregoing notifications may be provided in one or more mailings as information is available. In cases deemed by Practice to require urgency because of the possible misuse of unsecured PHI, Practice may provide information to patients by telephone or other means.
a) If Practice has insufficient or out-of-date contact information that precludes written notification to the patient in the manner described above, Practice will provide a substitute form of notice reasonably calculated to reach the patient. Such substitute notice will not be provided in the case in which there is insufficient or out-of-date contact information that precludes written notification to the next of kin or personal representative of a patient known by Practice to be deceased.

      (i) In cases where there is insufficient or out-of-date contact information to provide written notice required under this policy for fewer than ten (10) patients, the substitute notice may be provided by an alternative form of written notice, telephone, or other means.

    (ii) In cases where there is insufficient or out-of-date contact information to provide written notice required under this policy for ten (10) or more patients, Practice will either: (1) make a conspicuous posting for a period of ninety (90) days on the home page of its website, or (2) make a conspicuous notice in a major print or broadcast media, including major media in the geographic area(s) where the patients affected by the breach likely reside. Such postings and notices will include a toll-free phone number where a patient can learn whether the patient’s unsecured PHI may be included in the breach.

b) If a breach of unsecured PHI involves more than five hundred (500) residents and Practice reasonably believes the unsecured PHI has been accessed, acquired, or disclosed, then, in addition to the notice described above, Practice will provide notice to prominent media outlets serving the geographic area(s) of the patients affected by the breach.

c) If a breach of unsecured PHI involves five hundred (500) or more patients and unsecured PHI is acquired or disclosed during such a breach, then, in addition to the notice described above, Practice will notify HHS of the breach in the manner specified by HHS.

5) Content of Notification. All breach notices made by Practice pursuant to this policy will be written in plain language and will, to the extent possible, include the following information:
      a) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
      b) A description of the types of unsecured PHI that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, diagnosis, or disability code);
      c) The steps patients should take to protect themselves from potential harm resulting from the breach;
      d) A brief description of what Practice is doing to investigate the breach, mitigate losses, and protect against any further breaches; and
      e) Contact procedures for patients to ask questions or learn additional information, including a toll-free telephone number and an email, website, or postal address.

6) Maintaining a Log of Breaches. Practice will maintain a log of all breaches of unsecured PHI involving fewer than five hundred (500) patients and will submit to HHS, on an annual basis, the log of such breaches occurring during each calendar year, not later than sixty (60) days after the end of that calendar year.

Complaint and Grievance

General Policy:
Practice will continually strive to improve the quality of the services it provides and will provide a process for handling complaints and grievances related to the use or disclosure of PHI.

Definitions:
     1) Complaint: an oral concern about compliance with health-information privacy laws.
     2) Grievance: a written concern about compliance with health-information privacy laws and regulations.
     3) Responsible Party: all physicians, employees, and personnel of Practice.

Procedures:
     1) All grievances regarding privacy policies and practices, and compliance with those policies and practices, will be accepted and considered. Complaints should be made in writing using the Complaint and Grievance form attached at the end of this Complaint and Grievance Policy and Procedure and directed to the Privacy Officer.
     2) All grievances will be responded to in writing if the complaint seeks a response.
     3) Individuals who file a grievance will not be retaliated against in any way, including through coercion, harassment, or refusal of treatment. Violations of this anti-retaliation policy will be handled in accordance with the Policy Regarding Sanctions for Privacy Violations.
     4) Procedure for Responding to a Complaint:
          a) The Privacy Officer, or his or her designee, shall review all complaints within a reasonable period, but in no event later than thirty (30) days.
          b) If the complaint seeks a response, and provides contact information, the Privacy Officer (or his or her designee) shall prepare and deliver a written response to the individual who lodged the complaint.
          c) If the complaint does not seek a response, or does not provide contact information, the Privacy Officer (or his or her designee) shall prepare a written statement of any action taken with regard to the complaint. That statement shall be attached to, and filed with, the complaint.

Privacy Practices Training

General Policy:
Each member of Practice’s workforce shall be instructed regarding these HIPAA Privacy Policies and Procedures and other privacy practices in a manner that is tailored to address the specific functions that the individual receiving that education performs.

Procedures:
1) Training for existing workforce members shall be completed as soon as practicable after these HIPAA Privacy Policies and Procedures are adopted by Practice. Each individual who joins the workforce after this initial training shall be trained as soon as practicable after joining the workforce.

2) “Workforce” includes all employees, work-study students, volunteers, trainees, and other persons whose conduct is under the direct control of Practice, whether or not they are paid employees.

3) Whenever a material change is made to privacy practices, each member of the workforce affected by the change shall be trained regarding the change within a reasonable period of time, as defined by the Privacy Officer.

4) The completion of training required by this Privacy Practices Training Policy shall be documented by the individual who offered the training. This documentation shall be retained for at least six (6) years from the date of its creation.

5) The Privacy Officer shall implement and oversee all training required by this Privacy Practices Training Policy. To accomplish this task, the Privacy Officer shall have the authority to consult with and delegate authority, as well as appoint committees to develop and perform training activities.

6) If the Privacy Officer believes that a workforce member's failure to attend or participate in the designated training required by this Privacy Practices Training Policy is purposeful and not reasonably justified, he or she shall report the information supporting that belief, in writing, and further action shall be taken as may be warranted.

7) Workforce members may be subject to disciplinary procedures for failure to attend and participate in the training required by this Privacy Practices Training Policy.