Privacy & Security
TL;DR: I take your privacy seriously at all levels, I'm also required to by law, and there are times when the law requires or permits me to share your confidential information without your permission, primarily to help maintain safety and quality care. I use technology that protects the security of your personal data.
Privacy Practices
This notice explains how your health information may be used and disclosed and how you can access this information. Please review it carefully.
I am committed to protecting the confidentiality and security of your personal health information. I collect and record information regarding the services you receive from me in order to provide you with quality care and comply with legal requirements. This notice applies to all the records of your care generated by this practice and will describe your rights and my obligations regarding use and disclosure of your health information.
I am required by law to:
Ensure that protected health information (“PHI”) that identifies you is kept private.
Give you this notice of my legal duties and privacy practices with respect to health information.
Follow the terms of the notice that is currently in effect.
I can change the terms of this notice, and such changes will apply to all information I have about you. Copies of the updated notice will be available upon request and on my website.
How I May Use And Disclose Health Information About You
The following categories describe different ways that I may use and disclose health information. For each category of uses or disclosures I will explain the category and give examples. Not every type of use or disclosure in a category will be listed. However, all of the ways I am permitted to use and disclose information will fall within one of these categories.
For Treatment, Payment, or Health Care Operations: Federal privacy rules and regulations allow health care providers who have a direct treatment relationship with the patient/client to use or disclose the patient/client’s personal health information without the patient’s/client's written authorization to carry out the health care provider’s own treatment, payment or health care operations. I may also disclose your protected health information for the treatment activities of any health care provider. This, too, can be done without your written authorization. For example, if I, as a licensed health care provider were to consult with another licensed health care provider about your condition, we would be permitted to use and disclose your personal health information, which is otherwise confidential, in order to assist the health care provider in diagnosis and treatment of your condition. Disclosures for treatment purposes are not limited to the minimum necessary standard because other health care providers need access to the full record and/or full and complete information in order to provide quality care. The word “treatment” includes, among other things, the coordination and management of health care providers with a third party, consultations between health care providers, and referrals of a patient for health care from one health care provider to another.
Lawsuits and Disputes: If you are involved in a lawsuit, I may disclose health information in response to a court or administrative order. I may also disclose health information about your child in response to a lawful subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested.
Certain Uses And Disclosures Require Your Authorization
Session Notes: I keep “session notes” of your services and any use or disclosure of such notes requires your authorization unless the use or disclosure is:
For my use in treating you.
For my use in training or supervising associates to help them improve their clinical skills.
For my use in defending myself in legal proceedings instituted by you.
For use by the Secretary of Health and Human Services to investigate my compliance with HIPAA.
Required by law and the use or disclosure is limited to the requirements of such law.
Required by law for certain health oversight activities pertaining to the originator of the session notes.
Required by a coroner who is performing duties authorized by law.
Required to help avert a serious threat to the health and safety of others.
As a health care provider, I will not sell your PHI or use or disclose your PHI for marketing purposes.
Certain Uses And Disclosures Do Not Require Your Authorization
Subject to certain limitations in the law, I can use and disclose your PHI without your authorization for the following reasons:
When disclosure is required by state or federal law, and the use or disclosure complies with and is limited to the relevant requirements of such law.
For public health activities, including reporting suspected child, elder, or dependent adult abuse, or preventing or reducing a serious threat to anyone’s health or safety.
For health oversight activities, including audits and investigations.
For judicial and administrative proceedings, including responding to a court or administrative order, although my preference is to obtain an authorization from you before doing so.
For law enforcement purposes, including reporting crimes against me.
To coroners or medical examiners, when such individuals are performing duties authorized by law.
For research purposes, including studying and comparing the patients who received one form of care versus those who received another form of care for the same condition.
Specialized government functions, including ensuring the proper execution of military missions, protecting the President of the United States, conducting intelligence or counterintelligence operations, or helping to ensure the safety of those working within or housed in correctional institutions.
For workers’ compensation purposes. Although my preference is to obtain an authorization from you, I may provide your PHI in order to comply with workers’ compensation laws.
Appointment reminders and health related benefits or services. I may use and disclose your PHI to contact you to remind you that you have an appointment with me.
Certain Uses And Disclosures Require You To Have The Opportunity To Object
Disclosures to Family, Friends, or Others: I may provide your PHI to a family member, friend, or other person that you indicate is involved in your care or the payment for your health care, unless you object in whole or in part. The opportunity to consent may be obtained retroactively in emergency situations.
You Have The Following Rights With Respect To Your PHI
The Right to Request Limits on Uses and Disclosures of Your PHI: You have the right to ask me not to use or disclose certain PHI for treatment, payment, or health care operations purposes. I am not required to agree to your request, and I may decline your request if I believe it would negatively affect your health care.
The Right to Request Restrictions for Out-of-Pocket Expenses Paid for In Full: You have the right to request restrictions on disclosures of your PHI to health plans for payment or health care operations purposes if the PHI pertains solely to a health care item or a health care service that you have paid for out-of-pocket in full.
The Right to Choose How I Send PHI to You: You have the right to ask me to contact you in a specific way (for example, home or office phone) or to send mail to a different address, and I will agree to all reasonable requests.
The Right to See and Get Copies of Your PHI: Other than “session notes,” you have the right to get an electronic or paper copy of your medical record and other information that I have about you. I will provide you with a copy of your record, or a summary of it, if you agree to receive a summary, within 30 days of receiving your written request, and I may charge a reasonable, cost-based fee for doing so.
The Right to Get a List of the Disclosures I Have Made: You have the right to request a list of instances in which I have disclosed your PHI for purposes other than treatment, payment, or health care operations, or for which you provided me with an Authorization. I will respond to your request for an accounting of disclosures within 60 days of receiving your request. The list I will give you will include disclosures made in the last six years unless you request a shorter time. I will provide the list to you at no charge, but if you make more than one request in the same year, I will charge you a reasonable cost based fee for each additional request.
The Right to Correct or Update Your PHI: If you believe that there is a mistake in your PHI, or that a piece of important information is missing from your PHI, you have the right to request that I correct the existing information or add the missing information. I may decline your request, but I will explain this action in writing within 60 days of receiving your request.
The Right to Get a Paper or Electronic Copy of This Notice: You have the right to request to receive a copy of this notice by email, by paper copy, or by both email and paper copy.
Effective Date Of This Notice: This notice went into effect on 11/19/2019
Electronic Information Security
HIPAA refers to the Health Insurance Portability and Accountability Act of 1996. This federal law includes the HIPAA Privacy Rule which addresses authorized uses and protections of personally identifiable and protected health information (PHI) for covered entities such as health insurers and healthcare providers, as described in the Privacy Notice above. HIPAA also includes the Security Rule, which sets security standards for storing and transmitting electronic protected health information (EPHI). In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act expanded protections for EPHI and regulations for systems managing electronic health records. You can read more details about HIPAA on the U.S. Department of Health & Human Services website.
I maintain a series of administrative, technical, and physical safeguards in order to control EPHI access, maintain information integrity, and maintain information security during storage and transmission of EPHI in order to reduce the risk of security violations. These include protocols to ensure that physical and electronic access to information systems and records containing EPHI are only attained by authorized individuals and entities. I also establish business associate contracts with other covered entities that interact with your EPHI to ensure they will also take required steps to protect your personal information.
I maintain a business associate agreement (BAA) with a secure third-party electronic records management (ERM) system for generation and transmission of EPHI. Information exchanged via this system is secure and encrypted, including video, document portal, and messaging. I also maintain an email account that ensures integrated end-to-end encryption during email transmission and encrypted data storage within my account. Encrypted data is encoded using an algorithm during transfer such that only the sender and intended recipient can access or read it, strongly reducing the likelihood that protected information is decipherable by an unauthorized party in the event of a breach or theft. I do not record or store client audio and video.
Tips to help keep your private electronic information secure
- Keep your your computers, devices, and browsers updated.
- Install and update anti-virus software.
- Disable file-sharing applications.
- Do not enable automatic login on your accounts, computers, or devices.
- Enable two-factor authentication for account logins.
- Use strong passwords and other user authentications, don't reuse passwords, and change your passwords regularly.
- Use passwords and firewalls to protect your networks.
- Use a virtual private network (VPN) to secure your internet use on public WiFi networks.
- Verify the source and legitimacy of unsolicited requests for personal or account information before responding.
- Email, text messaging, and internet video conferencing are not secure methods of information transmission without additional security measures.