Brett Elliott, M.D. P.A. Notice of Privacy Policies
Our practice is committed to maintaining the privacy of your Protected Health Information (PHI), while providing efficient, high quality medical care. In accordance with the Health Insurance Portability and Accountability Act (HIPAA) you will receive a summary copy of this notice at your first office visit after April 14, 2003. This explains:
In keeping with normally accepted medical business practices we may use and disclose your PHI for treatment, payment, and health care operations (TPO) without your permission. Should a physician routinely request your health care records in a situation which has no urgency we have as a matter of routine asked you to sign a Request for Information form, and it will be our policy to continue this practice. Examples of when information would be disclosed would be if your primary care physician wanted exam results, or if a pharmacist called about medicine you were on. If an optician or contact lens technician requested PHI about a lens prescription this would be disclosed. PHI such as your diagnosis would also be disclosed for billing purposes. Generally only the appropriate information that is necessary to accomplish the task is disclosed. Professional judgment will determine the amount of information to be released. This minimum necessary standard is not intended to impede the provision of quality healthcare. Consequently the disclosures of PHI between providers for treatment purposes are explicitly exempt from the minimum disclosure standard.
PHI can also be disclosed without your permission for certain Public Health purposes, such as reporting suspected child abuse or reporting a medication or device problem. Please see our Authorized and Non-Authorized Disclosure Policy for additional information.
As is also our current policy, PHI is not disclosed for non-medical purposes. For instance, if a contact lens manufacturer wanted a list of patients for marketing purposes this would not be provided. HIPAA allows for these non-authorized disclosures, however only when the patient has given specific permission and the limits of the disclosure are clearly defined.
Other HIPAA Provisions:
Authorizations are required for treatment or other communications, if the physician receives financial remuneration from the third party of that product or service. Exceptions exist for subsidized refill reminders or communications about a currently prescribed drug or biological, as well as certain face-to-face communications or gifts of nominal value. A physician must obtain an authorization before receiving direct or indirect remuneration in exchange for the sale of PHI, except for certain activities related to public health activities, research, treatment, the sale or other business consolidation or record copy fees. Physicians may disclose certain PHI to a business associate or related foundation for fundraising purposes without an individual’s authorization, as long as an opt-out was provided (e.g., a toll-free number or email address). Once the individual opts out, physicians cannot provide further fundraising communications described in the opt-out.
You have the right to inspect and receive a copy of your PHI. You can also request to amend and restrict access to your PHI. You have the right to an accounting of the disclosures of PHI for other than TPO. You have the right to complain about an alleged violation to Dr. Elliott (this practice’s privacy officer as defined by the HIPAA regulations) and/or to the U.S. Department of Health and Human Services.
Note that FAA Medical Certification Records are considered the property of the FAA and should be obtained directly from them. Certain Disability Determination Examinations and forensic records are not routinely releasable as per government regulations.
It is required that physicians report breaches of unsecured electronic PHI to individuals and HHS, along with the media, if more than 500 individuals are affected. Harm is not a consideration in defining a breach. If more than 10 notifications to individuals are returned as undeliverable, substitute notice must be provided “as soon as reasonably possible” within the required 60-day notification period. Physicians do not need to pay the cost of any media broadcasts. Reports are valid even if the media fails to publish the breach; however, posting a general press release on a website is insufficient. Dr. Elliott maintains PHI in an encrypted and password protected format.
If you have questions about our policies please ask for clarification or assistance. The "Bible" for individuals with questions regarding HIPAA can be found on The Department of Health and Human Services website at: HIPAA Guidance Information for Consumers.