APPENDIX H Effective September 23, 2009
KENTUCKY EYE INSTITUTE - NOTICE OF PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED
AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
PLEASE REVIEW IT CAREFULLY.
In fulfillment of one of the HIPAA requirements, KEI has prepared and implemented a Patient Confidentiality Policy. This notice is a component of that policy. As a covered entity, we are required to inform you of your rights. We are also required to obtain your signature indicating that we have informed you. Thank you for your cooperation.
History: The U.S. Department of Health and Human Services (HHS) has issued the final rules for protecting the privacy of individually identifiable health information. The rules were issued pursuant to provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Effective September 23, 2009, a new HIPAA Breach Notification Rule (Rule) was created as a component of the American Recovery and Reinvestment Act of 2009. This Rule concerns the unauthorized acquisition, access, use, or disclosure of unsecured patient health information (PHI) as a result of a security breach.
Covered Entities: The final rules cover health plans, health clearinghouses (i.e., entities that process health information received from a covered entity), and healthcare providers, like KEI, that conduct certain financial and administrative transactions electronically (e.g., electronic billing and funds transfer).
Protected Information: The regulations cover all medical records and any other individually identifiable health information, whether communicated electronically, on paper, or orally. The rules do not apply to information that contains no identifying information, or information that has been altered so as not to identify the individual to whom the information applies.
Limits on Use and Release of Protected Information: Protected patient information generally can only be used or disclosed for purposes of healthcare treatment (e.g., documenting and referring to patient information in a medical record, sharing patient information with referring doctors, etc.), payment (i.e., submitting claims to Medicare/Medicaid or private insurance companies), and operations (i.e., internal accounting and record keeping) pursuant to a general advance consent from the patient, except for disclosures to the patient or the patient’s personal representative, emergencies, and other limited exceptions discussed below.
Permitted Uses and Disclosures: The privacy standard identifies certain permissible uses and disclosures, without the need to obtain written consent or authorization from a patient. The following are permissible uses and disclosures:
· Oversight of the healthcare system, including quality assurance activities.
· Public health.
· Research, generally limited to when a waiver of authorization is independently provided by a privacy board or institutional review board.
· Certain marketing and fund-raising activities, as long as individuals targeted by such activities are given the opportunity to opt out from receiving future communications.
· Judicial or administrative proceedings.
· Certain law enforcement activities.
· Information on abuse, neglect, or domestic violence victims.
· Decedent information.
· Cadaveric, organ, eye, or tissue donation purposes.
· To avert a serious threat to health or safety.
· For specialized government functions (such as military, national security, intelligence).
· Workers’ compensation (state law dictates disclosure requirements).
Privacy Officer: The regulations require that covered entities, like KEI, appoint a Privacy Officer. In keeping with this requirement, the KEI Board of Directors has appointed Kenneth E. Woodworth, Jr., COMT, COE in this capacity. He may be reached at 1401 Harrodsburg Road, Lexington, KY 40504, local 859-278-9393 or toll-free 800-432-9278, extension 105.
Patients’ Rights:*
· Patients must be able to see and obtain copies of their records and to request changes. They are also entitled to receive an accounting of disclosures of their protected healthcare information (must be in writing) other than disclosures related to treatment, payment, and healthcare operations, and subject to certain other exceptions. Requests for access to records and accountings of disclosure will be acted upon within timeframes allowed by HIPAA regulations. The patient may be charged for any copying and mailing costs up to the statutory limit.
· Patients have the right to request restrictions on the uses and disclosures of their information. KEI doctors will make the final determination as to whether or not to comply with such requests, but if they do, they must consistently comply with and document such restrictions.
· Patients have a right to request changes to their medical records. Such requests may be denied for the following reasons:
It is the treating KEI physician’s prerogative to accept or deny the patient’s request.
· Patients have the right to complain to KEI or to the Secretary of Health and Human Services about violations of the rules or the policies and procedures of KEI. Patients will not be penalized for filing such complaints.
· Patients have the right to request that KEI confidentially communicate health information to them by alternative means or at alternative locations. KEI must comply with such requests if they are reasonable.
· Patients have the right to revoke any consent or authorization previously provided to KEI. A request for this must be in writing and sent or given to KEI’s privacy officer.
In compliance with the HIPAA Breach Notification Rule discussed under History above, KEI will take appropriate steps to determine any unauthorized acquisition, access, use, or disclosure of unsecured PHI caused by security breaches. Once a security breach has been determined, KEI, through its Privacy and Security Officer, will determine the nature of the breach, what steps will be taken to prevent such a breach from reoccurring, and take appropriate steps to notify those individuals or entities specified in the Rule.
HIPAA regulations permit covered entities like KEI to change terms of this notice. In the event changes occur, notice of such changes will be visibly posted in each KEI practice location. You may request a copy of the notice that incorporates the changes.
* All requests for access and/or amendment to Protected Health Information (PHI) must be in writing. This written request must be addressed to the Privacy Officer referenced above.