Medical Privacy - HIPAA









Brett Elliott, M.D. P.A. Notice of Privacy Policies

    Our practice is committed to maintaining the privacy of your Protected Health Information (PHI) while providing efficient, high-quality medical care. In accordance with the Health Insurance Portability and Privacy Act (HIPAA), you will receive a summary copy of this notice at your first office visit after April 14, 2003. This explains:

- How we may use and disclose your PHI.
- Our obligations concerning the use and disclosure of your PHI.
- Your rights regarding your PHI.

    In keeping with normally accepted medical business practices, we may use and disclose your PHI for treatment, payment, and health care operations (TPO) without your permission. Should a physician routinely request your health care records in a situation which has no urgency, we have as a matter of routine asked you to sign a Request for Information form, and it will be our policy to continue this practice. Examples of when information would be disclosed would be if your primary care physician wanted exam results, or if a pharmacist called about medicine you were on. If an optician or contact lens technician requested PHI about a lens prescription, this would be disclosed. PHI such as your diagnosis would also be disclosed for billing purposes. Generally, only the appropriate information that is necessary to accomplish the task is disclosed. Professional judgment will determine the amount of information to be released. This minimum necessary standard is not intended to impede the provision of quality healthcare. Consequently, the disclosures of PHI between providers for treatment purposes are explicitly exempt from the minimum disclosure standard.

     PHI can also be disclosed without your permission for certain Public Health purposes, such as reporting suspected child abuse or reporting a medication or device problem. Please see our Authorized and Non-Authorized Disclosure Policy for additional information. 

     As is also our current policy, PHI is not disclosed for non-medical purposes. For instance, if a contact lens manufacturer wanted a list of patients for marketing purposes, this would not be provided. HIPAA allows for these non-authorized disclosures, but only when the patient has given specific permission and the limits of the disclosure are clearly defined.

Other HIPAA Provisions:

   Authorizations are required for treatment or other communications if the physician receives financial remuneration from the third party of that product or service. Exceptions exist for subsidized refill reminders or communications about a currently prescribed drug or biological, as well as certain face-to-face communications or gifts of nominal value. A physician must obtain an authorization before receiving direct or indirect remuneration in exchange for the sale of PHI, except for certain activities related to public health activities, research, treatment, the sale or other business consolidation, or record copy fees. Physicians may disclose certain PHI to a business associate or related foundation for fundraising purposes without an individual’s authorization, as long as an opt-out was provided (e.g., a toll-free number or email address). Once the individual opts out, physicians cannot provide further fundraising communications described in the opt-out.

  You have the right to inspect and receive a copy of your PHI. You can also request to amend and restrict access to your PHI. You have the right to an accounting of the disclosures of PHI for other than TPO. You have the right to complain about alleged violations to Dr. Elliott (this practice’s privacy officer as defined by the HIPAA regulations) and/or to the U.S. Department of Health and Human Services.

  Note that FAA Medical Certification Records are considered the property of the FAA and should be obtained directly from them. Disability Determination Examinations and forensic records are not routinely releasable as per government regulations. Dr. Elliott will send appropriate PHI using a HIPAA compliant FAX or e-mail system, and it is suggested but not required that patients do the same. Contact our office at (302) 422-3034 for further information.

  It is required that physicians report breaches of unsecured electronic PHI to individuals and HHS, along with the media, if more than 500 individuals are affected. Harm is not a consideration in defining a breach. If more than 10 notifications to individuals are returned as undeliverable, substitute notice must be provided “as soon as reasonably possible” within the required 60-day notification period. Physicians do not need to pay the cost of any media broadcasts. Reports are valid even if the media fails to publish the breach; however, posting a general press release on a website is insufficient. Dr. Elliott maintains PHI in an encrypted and password protected format.

    If you have questions about our policies, please ask for clarification or assistance. The "Bible" for individuals with questions regarding HIPAA can be found on The Department of Health and Human Services website at: HIPAA Guidance Information for Consumers.

This page was last updated on 06/22/2023