HIPAA Notice
Danville Pittsylvania Community Services
NOTICE OF PRIVACY PRACTICES
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009
Omnibus Rule effective March 26, 2013
Effective Date: April 4, 2016
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Your Privacy is Important. Danville Pittsylvania Community Services (DPCS) understands that your privacy is important. DPCS is required by law to take reasonable steps to maintain the privacy of your protected health information (PHI) and to provide you with notice of its legal duties and its privacy practices. DPCS must abide by the terms of this notice. DPCS will handle PHI only as allowed by federal law, state law, and DPCS administrative directives. DPCS will adhere to the law that more strictly protects your health information. By law, DPCS is required to make a reasonable effort to obtain your signature indicating that you have received this Notice of Privacy Practices. Your signature on the acknowledgement in no way obligates you. It merely provides an assurance that DPCS has provided you with the information to which you are lawfully entitled.
Each time you receive services from DPCS, the provider makes a record of the visit. Typically, this record contains a variety of information that is maintained according to legal and professional requirements, including your assessment, service plan, progress notes, diagnoses, treatment information, and service plan for future care or treatment. In addition, DPCS maintains other information about you that you provide, such as demographics, contact information, and information that assists DPCS with collecting payment for the services rendered.
Your Federal Rights Under HIPAA
Under 45 CFR Parts 160 and 164 (Standards for Privacy of Individually Identifiable Health Information), you have several rights concerning your PHI.
· Inspection and Copies - You have the right to request to review your health care record. This right is not absolute. In certain situations, such as if access would cause harm, DPCS can deny access to that information. If you wish to access or obtain copies of your health care record, the request must be made in writing. The DPCS Medical Records Department can provide you the form to sign to make this request. If DPCS denies you access to the requested information, you will receive a timely, written response of the decision and the reason. A copy of the response becomes a part of your record.
· Amendment of Records - You have the right to request an amendment of your health care record if you believe information in the record is inaccurate or incomplete. If you wish to make such an amendment, the request must be made in writing. Your service provider can assist you with making a request for amendment to your record. DPCS may deny the request for proper reasons and if your request is denied, you will be provided with a written explanation of the reason. DPCS has up to 30 days to make your PHI available to you and may charge you a reasonable fee for the costs of copying, mailing or other supplies associated with your request. DPCS may not charge you a fee if you need the information for a claim for benefits under the Social Security Act or any other state or federal needs-based benefit program. DPCS may deny your request in certain limited circumstances. If DPCS denies your request, you have the right to have the denial reviewed by a licensed healthcare professional who was not directly involved in the denial of your request, and DPCS will comply with the outcome of the review.
· Accounting of Disclosures – You have the right to receive an accounting of DPCS’s disclosures of your PHI that were made for purposes other than treatment, payment, or health care operations, or that were not otherwise specifically authorized by you. An accounting will include the disclosure date, the name (and address, if known) of the entity or person to whom the disclosure was made, a brief description of the information disclosed, and a brief statement of the purpose for the disclosure.
· Request for Restriction - You have the right to request a restriction from your service provider with regard to the use or disclosure of your PHI. This request will be given serious consideration by DPCS and you will be informed promptly whether DPCS will agree to honor the requested restriction. Consideration of this request will take into account the ability of DPCS to offer effective services, receive payment and maintain health care operations. Legally, DPCS is not required to agree to restrictions you request; however, if DPCS does agree, it is bound by that agreement except under certain emergency circumstances.
· Restrict Disclosure to Your Health Insurance Plan – If you choose to pay 100% of the cost for the health care services you receive, you may request that we not provide information about those services to your health care plan (i.e. insurance).
· Confidential Communications – You have the right to request that DPCS communicate with you about medical matters in a certain confidential way or at an alternate location. Your request must be made in writing to your service provider. DPCS will agree to accommodate reasonable requests, such as contacting you with an alternate telephone number or not leaving messages.
· Right to Receive Information in the Format You Prefer - You have the right to request information be given to you in a paper or electronic format. You may be charged for the work it takes to put this information together and for the cost of supplies needed (e.g. CD-ROM, flash drive). If you would like your PHI sent to you or to someone else using an unsecure method, such as unencrypted email, you will be provided with information about the risks of doing this and will be required to sign that you have been given this information.
· Right to be Informed of a Breach – You have the right to be notified if there is a breach related to your PHI. A letter will be mailed to the most recent address in your record.
· Privacy Notice Copy - You have the right to obtain a paper copy of this Notice of Privacy Practices at any time upon request. You may obtain a copy of this notice at www.dpcs.org.
Use and Disclosure of Your Information
The following describes the ways DPCS may use and disclose health information that identifies you (“Health Information”). Except for the purposes described below, DPCS will use and disclose Health Information only with your written permission. You may revoke such permission at any time by writing to the Privacy Officer.
Upon providing your personal information to DPCS when asking for services or information on available services, you are allowing DPCS to use and disclose necessary information about you within DPCS and with its business associates in order to provide treatment, to receive payment for treatment or services provided, and to conduct its day to day health care operations.
Treatment is the provision, coordination, or management of health care and related services. It also includes, but is not limited to, consultations and referrals between one or more of your providers. Examples of using your health information in providing treatment include the following situations. Your service provider may consult with various service providers both within and outside DPCS to help provide the most effective health care possible to you. During those consultations, health information about you may be shared. DPCS may call in prescriptions or discuss your medications with a pharmacy. We may discuss your information with another health care provider who is involved in your health care.
Payment generally includes actions to make coverage determinations and to obtain payment and reimbursement for the services you receive. These activities include, but are not limited to, billing, claims management, subrogation (the legal doctrine of substituting one creditor for another), reimbursement, reviews for medical necessity and appropriateness of care, utilization review, and pre-authorization. Examples of using your health information in obtaining payment include the following situations. Your health information may be sent to those companies, groups, insurers, or other entities responsible for payment; this can include Virginia’s Department of Behavioral Health and Developmental Services (DBHDS). A monthly bill is sent to the Responsible Party identified by you and noted on the financial form. DPCS may also share your information with a collection agency or other debt collection organization, including the Virginia State Department of Taxation, in the event that you default on your obligation to pay. Your information will be shared with other DPCS departments that assist in the collection and handling of monetary receipts.
Health Care Operations include, but are not limited to, conducting quality assessment and improvement activities, reviewing the competence or qualifications of health care professionals, disease management, case management, conducting or arranging for medical review, legal services, and auditing functions including fraud and abuse compliance programs, business planning and development such as cost management, general business management and administrative activities, and customer service. Examples of using your health information in health care operations include the following situations. Staff may handle your physical health care record in the process of filing documentation and in making the record available for use by your service providers. Many data elements are entered into computer systems that assist DPCS in carrying out its health care operations, including but not limited to processing billing, managing your financial account, and managing your health care record. DPCS provides statistical and other reporting to a variety of entities, including DBHDS, the federal government, and to grantors of service funds.
As part of DPCS’s efforts toward continuous quality improvement and enhancement of DPCS’s ability to provide the most effective services, professional staff may review your information to assure accuracy, completeness, appropriateness, timeliness, and quality of services. Records may be reviewed to resolve complaints and during accreditation and/or licensure surveys by organizations such as the Commission on Accreditation of Rehabilitation Facilities (CARF) or DBHDS. DPCS is required to submit to an annual audit of its books and accounting records as well as to outside audits by health oversight agencies and other authoritative organizations. These outside parties may view your information when DPCS complies with mandatory oversight, review, and reporting activities. Your information may be shared with other DPCS departments that provide support to health care operations, such as auditing, records management, and legal support.
Enhancing Your Healthcare
DPCS may contact you to provide:
· Appointment reminders by telephone call or in written form through the United States Postal Service or other mail carrier.
· Information about treatment alternatives.
· Information about health-related benefits and services that may be of interest to you.
Individuals Involved in Your Care or Payment for That Care
Unless you object, DPCS may release medical information about you to a friend or family member who is involved in your care. DPCS may also give information to someone who helps pay for your care.
Specific Circumstances for Disclosure
DPCS is also allowed/required by federal and state law in certain circumstances to disclose specific health information about you without your authorization.
These specific circumstances are:
· As required by law (ex: reports required for public health purposes, such as reporting certain contagious diseases)
· Judicial and Administrative proceedings (ex: order from a court or administrative tribunal, or legal counsel to the agency, or Inspector General)
· Law Enforcement purposes (ex: reporting of gunshot wounds; limited information requested about suspects, fugitives, material witnesses, missing persons, criminal conduct on premises)
· To avert serious threat to the health and safety of another person (ex: in response to a specific threat made by a person served to harm another)
· Children or incapacitated adults who are victims of abuse, neglect, or exploitation
· Specialized Government functions (ex: to ensure the health and safety of a person who is an inmate of a correctional facility)
· Military Services (ex: in response to appropriate military command to assure the proper execution of the military mission)
· National Security and Intelligence activities (ex: in relation to protective services to the President of the United States).
· State Department (ex: medical suitability for the purpose of security clearance)
· Correctional Facilities (ex: to a correctional facility about an inmate)
· Workers Compensation to facilitate processing and payment
· Family member, relative, or close personal friend of a deceased person, if it relates to that person’s providing care or to payment for health care services that had been provided.
· Coroners and Medical Examiners for identification of a deceased person or to determine cause of death
· To the federal Department of Health and Human Services in connection with an investigation of DPCS for compliance with federal regulations
· Employers, if we are providing health care services at the direction of your employer
· To communicate with other DPCS departments that provide assistance with health care operations and ensuring compliance, such as DPCS Auditor, Finance/Risk Management, and DPCS Attorney
Other Uses and Disclosures of Your Health Information by Authorization Only
DPCS is required to get your authorization to use or disclose your PHI for any reason other than for treatment or service delivery, payment, health care operations, and those specific circumstances outlined previously. DPCS uses a special authorization for disclosure form that specifically states what information will be given to whom, for what purpose, and through what time frame. This authorization document is only valid when signed by you, your legal guardian, or your authorized representative. You have the ability to revoke the signed authorization at any time by a written statement except to the extent that DPCS has already acted on the authorization.
DPCS may disclose your PHI for public health activities. These activities generally include disclosures to prevent or control disease, injury or disability; report births and deaths; report child abuse or neglect; report reactions to medications or problems with products; notify people of recalls of products they may be using; notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; and notify the appropriate government authority if DPCS believes a patient has been the victim of abuse, neglect or domestic violence. DPCS will only make this disclosure if you agree or when required or authorized by law.
If you are an organ donor, DPCS may use or release PHI to organizations that handle organ procurement or other entities engaged in procurement, banking or transportation of organs, eyes or tissues to facilitate organ, eye or tissue donation and transplantation.
If you are eligible to participate in any research study, you will be asked to sign an authorization to disclose your PHI for that purpose. Choosing not to participate in a research project will not affect your ability to receive services.
DPCS does not sell your PHI, use your PHI for marketing, maintain separate Psychotherapy Notes, or send fundraising information to people who receive health care services from DPCS (i.e. from the Department of Human Services).
DPCS may disclose your PHI to disaster relief organizations that seek your PHI to coordinate your care, or notify family and friends of your location or condition in a disaster. DPCS will provide you with an opportunity to agree or object to such a disclosure whenever DPCS practically can do so.
Other uses and disclosures of Protected Health Information not covered by this Notice or the laws that apply to us will be made only with your written authorization. If you do give us an authorization, you may revoke it at any time by submitting a written revocation to the Privacy Officer and DPCS will no longer disclose Protected Health Information under the authorization. Disclosures that DPCS made in reliance on your authorization before you revoked it will not be affected by the revocation.
Changes to Privacy Practices
DPCS reserves the right to change any of its privacy policies and related practices at any time, as allowed by federal and state law, and to make the change effective for all information that it maintains.
Should DPCS make a change to its privacy practices, a revised Notice of Privacy Practices will be posted at all service sites, and is available upon request. You may make your request for a copy of DPCS’s Notice of Privacy Practices by mail, by verbal request of a DPCS representative, by electronic request, or a combination of any of the three.
Complaint Process & Contact Information
DPCS provides a process as required by HIPAA for you to make complaints regarding DPCS’s policies and procedures or compliance with policies and procedures related to protecting the privacy of your health information. To access the complaint process or to request additional information about your privacy rights, you may contact, either verbally or in writing, one of the following:
Privacy Officer at 434-799-0456
Danville-Pittsylvania Community Services, 245 Hairston Street, Danville, Virginia 24540
State Advocate at 1-866-645-4510
Secretary of Health and Human Services at 1-800-368-1019
You will not experience any change in services or retaliation if you choose to file a complaint.
PRIVACY NOTICE SIGNATURE PAGE
I have been provided a Notice of Information Practices that fully explains the uses and disclosures that DPCS will make with respect to my individually identifiable health information. Danville-Pittsylvania Community Services has afforded me sufficient time to review this Notice and has answered any questions that I had to my satisfaction.
I understand that I have the right to request restrictions on the use or disclosure of my individually identifiable health information to carry out treatment, payment, or health care operations. I further understand that DPCS is not required to agree to the requested restriction but that, if it does agree, it must honor the restriction unless I request that it stop doing so or DPCS notifies me that it no longer intends to honor the request. I request the following restrictions on the use or disclosure of my individually identifiable health information:
☐ No Objection
☐ Objection(s) as indicated below:
_____________________________________________________________________________________________
I understand that I have the right to request restriction as to the method of communications to me. For example, I might request that all medical bills be mailed to a post office box rather than my home. I further understand that Danville-Pittsylvania Community Services must honor this request if the method of communication is reasonable. Danville-Pittsylvania Community Services may not ask me why I want the alternate method of communication.
☐ No Objection
☐ Objection(s) as indicated below:
_____________________________________________________________________________________________
I understand that I have the right to object to the use and/or disclosure of my individually identifiable health information to family members.
☐ No Objection
☐ Objection(s) as indicated below:
_____________________________________________________________________________________________
☐ I agree to receive voicemail messages at any phone numbers provided to DPCS.
☐ I do not agree to receive voicemail messages.
☐ I agree to receive emails at ____________________________________@____________________
I understand that receiving PHI through unencrypted or unsecured emails has a level of risk, and I understand that the information in the email could be read by a third party. DPCS is not responsible for unauthorized access of PHI while in transmission to the individual based on the individual’s request. Further, DPCS is not responsible for safeguarding information once delivered to the individual.
☐ I do not agree to receive PHI through unencrypted or unsecured email transmission.
________________________________________ ________________________
Signature of Individual Date
________________________________________ ________________________
Signature of Legal Guardian Date
________________________________________ ________________________
Signature of Authorized Representative Date
_______________________________________ ________________________
Signature of Witness Date
Case Number: ________________