NOTICE OF PRIVACY PRACTICES
THIS NOTICE OF PRIVACY PRACTICES DESCRIBES HOW WE MAY USE OR DISCLOSE YOUR HEALTH INFORMATION AND HOW YOU CAN GET ACCESS TO SUCH INFORMATION. PLEASE READ THIS NOTICE CAREFULLY. Your “health information” will be defined as any information that identifies you and that is created, received, maintained or transmitted by South Waterfront Eye Care (SWEC) in the course of providing health care items or services to you.
We are required by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and other applicable federal, state, and local laws to maintain the privacy of your health information and to provide individuals with this Notice of our legal duties and privacy practices with respect to such information. We are required to abide by the terms of this Notice and to notify affected individuals following a breach of their unsecured health information. The HIPAA Privacy Rule is a set of federal standards to protect the privacy of patients’ medical records and other health information maintained by covered entities: health plans, which include many governmental health programs, such as the Veterans Health Administration, Medicare and Medicaid; most doctors, hospitals and many other health care providers; and health care clearinghouses. These standards provide patients with access to their medical records and with significant control over how their personal health information is used and disclosed.
BASIC PRINCIPLE
A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by covered entities. A covered entity may not use or disclose protected health information, except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
USES AND DISCLOSURES OF INFORMATION WITHOUT YOUR AUTHORIZATION
The most common reasons why we use or disclose your health information are for treatment, payment or health care operations. Examples of how we use or disclose your health information for treatment purposes are: setting up an appointment for you; testing or examining your eyes; prescribing glasses, contact lenses, or eye medications and faxing them to be filled; showing you low vision aids; referring you to another doctor or clinic for eye care or low vision aids or services; or getting copies of your health information from another professional that you may have seen before us. Examples of how we use or disclose your health information for payment purposes are: asking you about your health or vision care plans or other sources of payment; preparing and sending bills or claims; and collecting unpaid amounts (either ourselves or through a collection agency or attorney). “Health care operations” mean those administrative and managerial functions that we must carry out in order to run our office. Examples of how we use or disclose your health information for health care operations are: financial or billing audits; internal quality assurance; personnel decisions; participation in managed care plans; defense of legal matters; business planning; and outside storage of our records. Access to personal health information is available to all staff, including scribes/volunteers, at South Waterfront Eye Care. All entities under SWEC have been trained to uphold the utmost confidentiality in regards to HIPAA and its stipulations.
OTHER DISCLOSURES AND USES WE MAY MAKE WITHOUT YOUR AUTHORIZATION OR CONSENT
In some limited situations, the law allows or requires us to use or disclose your health information without your consent or authorization. Not all of these situations will apply; some may never come up at our office at all. Such uses or disclosures are:
- Business Associates. There are some services provided through contracts with business associates. Examples include medical directors, outside attorneys and a copy service we use when making copies of your health record. When these services are contracted, we may disclose your health information so that they can perform the job we’ve asked them to do and bill you or your third-party payer for services rendered. To protect your health information, however, we require the business associate to appropriately safeguard your information.
- Providers. Many services, which are provided to you, as part of your care at SWEC, are offered by participants in one of our organized healthcare arrangements. These participants include a variety of providers such as physicians (e.g., MD, DO, Podiatrist, Dentist, Optometrist), therapists (e.g., Physical therapist, Occupational therapist, Speech therapist), portable radiology units, clinical labs, hospice caregivers, pharmacies, psychologists, LCSWs, and suppliers (e.g., prosthetic, orthotics).
- Treatment Alternatives. We may use and disclose health information to tell you about possible treatment options or alternatives that may be of interest to you. Treatment also refers to the provision, coordination, or management of health care and related services for an individual by one or more health care providers including consultation between providers regarding a patient, and referral of a patient by one provider to another.
- Health-Related Plans, Benefits, and Services and Reminders. We may contact you to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to you.
- Fundraising Activities. We may use health information about you to contact you in an effort to raise money as part of a fundraising effort. We may disclose health information to a foundation related to the Facility so that the foundation may contact you in raising money for the Facility. We will only release contact information, such as your name, address and phone number and the dates you received treatment or services at the Facility. You do have the opportunity to object in the future; please advise SWEC if you wish to opt out of receiving further related communications.
- Facility Directory. We may include information about you in the Facility directory while you are a resident. This information may include your name, location in the Facility, your general condition (e.g., fair, stable, etc.) and your religion. The directory information, except for your religion, may be disclosed to people who ask for you by name. Your religion may be given to a member of the clergy, such as a priest or rabbi, even if they don’t ask for you by name. This is so your family, friends and clergy can visit you in the Facility and generally know how you are doing.
- Individuals Involved in Your Care or Payment for Your Care. Unless you object, we may disclose health information about you to a friend or family member who is involved in your care. We may also give information to someone who helps pay for your care. In addition, we may disclose health information about you to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status and location.
- As Required By Law. We will disclose health information about you when required to do so by federal, state or local law, as well as all degrees of statutes, regulations, or court orders.
- To Avert a Serious Threat to Health or Safety. We may use and disclose health information about you to prevent a serious threat to your health and safety or the health and safety of the public or another person. We would do this only to help prevent the threat.
- Military and Veterans. If you are a member of the armed forces, we may disclose health information about you as required by military authorities. We may also disclose health information about foreign military personnel to the appropriate foreign military authority. Applicable, essential government functions include: assuring proper execution of a military mission, conducting intelligence and national security activities that are authorized by law, providing protective services to the President, making medical suitability determinations for U.S. State Department employees, protecting the health and safety of inmates or employees in a correctional institution, and determining eligibility for or conducting enrollment in certain government benefit programs.
- Research. “Research” is any systematic investigation designed to develop or contribute to generalizable knowledge. The Privacy Rule permits a covered entity to use and disclose protected health information for research purposes, without an individual’s authorization, provided the covered entity obtains either: (1) documentation that an alteration or waiver of individuals’ authorization for the use or disclosure of protected health information about them for research purposes has been approved by an Institutional Review Board or Privacy Board; (2) representations from the researcher that the use or disclosure of the protected health information is solely to prepare a research protocol or for similar purpose preparatory to research, that the researcher will not remove any protected health information from the covered entity, and that protected health information for which access is sought is necessary for the research; (3) representations from the researcher that the use or disclosure sought is solely for research on the protected health information of decedents, that the protected health information sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is sought. A covered entity also may use or disclose, without an individual’s authorization, a limited data set of protected health information for research purposes.
- Limited Data Set. A limited data set is protected health information from which certain specified direct identifiers of individuals and their relatives, household members, and employers have been removed. A limited data set may be used and disclosed for research, health care operations, and public health purposes, provided the recipient enters into a data use agreement promising specified safeguards for the protected health information within the limited data set. In specific research or case study instances, SWEC may request your written consent for utilizing your de-identified health information.
- De–Identified Health Information. There are no restrictions on the use or disclosure of de-identified health information. De-identified health information neither identifies nor provides a reasonable basis to identify an individual. There are two ways to de-identify information; either (1) a formal determination by a qualified statistician; or (2) the removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers is required, and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.
- Workers’ Compensation. We may disclose health information about you for workers’ compensation or similar programs. These programs provide benefits for work-related injuries or illness.
- Reporting. Federal and state laws may require or permit the Facility to disclose certain health information related to the following:
- Public Health Risks. We may disclose health information about you for public health purposes, including:
- Prevention or control of disease, injury or disability (in accordance with ICD-9 until October 1st 2015, then following compliance with ICD-10 that day forward);
- ICD-10 refers to the International Classification of Diseases, 10th Revision developed by the World Health Organization. ICD-10 replaces ICD-9 codes used by physicians and health care professionals to record and identify diagnoses and procedures for purposes of claims payment and reporting. ICD-10 affects diagnosis and inpatient procedure coding; it does not affect CPT coding for outpatient procedures.
- Reporting births and deaths;
- Reporting victims of abuse, neglect, or domestic violence;
- Reporting reactions to medications or problems with products;
- Notifying people of recalls of products;
- Notifying a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease;
- Notifying the appropriate government authority if we believe a resident has been the victim of abuse, neglect or domestic violence. We will only make this disclosure if you agree or when required or authorized by law.
- Health Oversight activities. We may disclose health information to a health oversight agency for activities authorized by law. These oversight activities may include audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.
- Judicial and Administrative Proceedings: If you are involved in a lawsuit or a dispute, we may disclose health information about you in response to a court or administrative order. We may also disclose health information about you in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested.
- Law Enforcement. We may disclose health information when requested by a law enforcement official:
- In response to a court order, subpoena, warrant, summons or similar process;
- To identify or locate a suspect, fugitive, material witness, or missing person;
- About you, the victim of a crime if, under certain limited circumstances, we are unable to obtain your agreement;
- About a death we believe may be the result of criminal conduct;
- About criminal conduct at the Facility; and in emergency circumstances to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime.
- Family, Coroners, Medical Examiners and Funeral Directors. Upon your death, we may disclose to your family members or to other persons who were involved in your care or payment for health care prior to your death (such as your personal representative) health information relevant to their involvement in your care unless doing so is inconsistent with your preferences as expressed to us prior to your death. We may disclose medical information to a coroner or medical examiner. This may be necessary to identify a deceased person or determine the cause of death. We may also disclose medical information to funeral directors as necessary to carry out their duties.
- Cadaveric Organ, Eye, or Tissue Donation. Covered entities may use or disclose protected health information to facilitate the donation and transplantation of cadaveric organs, eyes, and tissue.
- National Security and Intelligence Activities. We may disclose health information about you to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.
- Correctional Institution: Should you be an inmate of a correctional institution, we may disclose to the institution or its agents health information necessary for your health and the health and safety of others.
Unless you object, we will also share relevant information about your care with any of your personal representatives who are helping you with your eye care.
SPECIFIC USES AND DISCLOSURES OF INFORMATION REQUIRING YOUR AUTHORIZATION
The following are some specific uses and disclosures we may not make of your health information without your authorization:
Marketing activities. We must obtain your authorization prior to using or disclosing any of your health information for marketing purposes unless such marketing communications take the form of face-to-face communications we may make with individuals or promotional gifts of nominal value that we may provide. If such marketing involves financial payment to us from a third party your authorization must also include consent to such payment.
Sale of Health Information. We do not currently sell or plan to sell your health information and we must seek your authorization prior to doing so.
Psychotherapy notes. Although we do not create or maintain psychotherapy notes on our patients, we are required to notify you that we generally must obtain your authorization prior to using or disclosing any such notes.
YOUR RIGHTS TO PROVIDE AN AUTHORIZATION FOR OTHER USES AND DISCLOSURES
- Other uses and disclosures of your health information that are not described in this Notice will be made only with your written authorization.
- You may give us written authorization permitting us to use your health information or to disclose it to anyone for any purpose.
- We will obtain your written authorization for uses and disclosures of your health information that are not identified in this Notice or are not otherwise permitted by applicable law.
- We must agree to your request to restrict disclosure of your health information to a health plan if the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law and such information pertains solely to a health care item or service for which you have paid in full (or for which another person other than the health plan has paid in full on your behalf).
Any authorization you provide to us regarding the use and disclosure of your health information may be revoked by you in writing at any time. After you revoke your authorization, we will no longer use or disclose your health information for the reasons described in the authorization. However, we are generally unable to retract any disclosures that we may have already made with your authorization. We may also be required to disclose health information as necessary for purposes of payment for services received by you prior to the date you revoked your authorization.
HIPAA Privacy Rule and Electronic Health Information Exchange in a Networked Environment
The Privacy Rule allows SWEC to communicate and share PHI electronically, such as through email or fax, with their patients and other co-providers working on a patient’s care plan, provided they apply reasonable safeguards when doing so. For example, certain precautions may need to be taken when using email to avoid unintentional disclosures, such as checking the email address for accuracy before sending, or sending an email alert to the patient for address confirmation prior to sending the message.
Patients may initiate communications with a provider using email. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that email communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted email, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue email communications.
SWEC also utilizes cloud-based software, which provides patients with individual access to their basic personal health record (PHR). The Privacy Rule provides that an individual may not be given access to the entirety of his or her health record held by the health care provider and may only have the ability to view and not update or edit the information that is assembled by the health care provider. As your SWEC PHR is not a comprehensive record of your health care, you may request copies of your health information as explained in the next section concerning your individual rights as a patient.
Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. For example, if the use of unencrypted email is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated. If you prefer SWEC to disallow email, fax, or cloud-based PHR transmissions such as above, please submit your request in writing so we may document the effective change.
- Certain web-based communications fall into a controversial part of HIPAA compliance. However, products or technology cannot themselves be “HIPAA-compliant.” Hospitals, providers, and other covered entities are the ones who are either “HIPAA-compliant” or not. In other words, it is providers and practitioners that need to be “HIPAA-compliant,” not products or technology. Covered entities do need to ensure that any technology or products they use are compatible with HIPAA standards so that they, as covered entities, can comply with their HIPAA obligations.
- As many platforms are proprietary and cannot reliably develop/verify audit trails, it is difficult to know if an external breach of information can occur. Because of these matters, the following disclaimers are applied to any form of telemedicine* at SWEC:
- Patients have been informed of security breach risks and consent to proceed with PHI communication through telemedicine platforms.
- SWEC is not liable for any failures such as interrupted transmissions, poor video conferencing feed, incomplete backups, non-encrypted interaction etc. Furthermore, patient acknowledges these may interfere with complete diagnoses and assessment postulated.
- Certain limitations (i.e. intake only, follow up only, etc.) may apply based on case-by-case basis, which is at the discretion of the physicians at SWEC.
- HIPAA does not require providers to encrypt devices or electronic information. SWEC has determined the electronic PHI is safe without encryption. Since there is no mandate, it is not reasonable and appropriate based on the protocols followed by the practice. Alternatively, the electronic health record system utilized provides extensive safety assurances for maintaining a protected platform.
- We do not take PHI-containing technology out of the office, nor do we use unprotected cloud-based information portals. All trash from our office is shredded and free from any identifying patient information.
- All technology used is password protected. Should we discontinue use of any PHI-containing technological devices, deactivation will be done with HIPAA compliance to prevent any leakage or vulnerability.
- As required by HIPAA, in case of data attack, SWEC will follow its incident response plan. Affected parties will be contacted, information will be posted about the breach on our website for 90 days, and information about the breach will be provided to the applicable news media.
*Telemedicine refers to the remote diagnosis and treatment of patients by means of telecommunications technology. There are three main types of “care absentia,” which include store-and-forward, remote monitoring and real-time interactive services.
YOUR INDIVIDUAL RIGHTS
You have many rights concerning the confidentiality of your health information. You have the right:
- To request restrictions on the health information we may use and disclose for treatment, payment and health care operations. We are not required to agree to these requests. To request restrictions; please send a written request to SWEC. In your request, you must tell us (1) what information you want to limit; (2) whether you want to limit our use, disclosure or both; and (3) to whom you want the limits to apply, for example, disclosures to your spouse.
- To receive confidential communications of health information about you in any manner other than described in our authorization request form. You must make such requests in writing to the address below. However, we reserve the right to determine if we will be able to continue your treatment under such restrictive authorizations.
- Communications about participating providers in a provider or health plan network, replacement of or enhancements to a health plan, and health-related products or services available only to a health plan’s enrollees that add value to, but are not part of, the benefits plan;
- Communications for treatment of the individual; and
- Communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or care settings to the individual.
- To inspect or copy your health information. You must make such requests in writing to SWEC. If you request a copy of your health information we may charge you a fee for the cost of copying, mailing or other supplies. In certain circumstances we may deny your request to inspect or copy your health information, subject to applicable law.
- Access. Except in certain circumstances, individuals have the right to review and obtain a copy of their protected health information in a covered entity’s designated record set. The “designated record set” is that group of records maintained by or for a covered entity that is used, in whole or part, to make decisions about individuals, or that is a provider’s medical and billing records about individuals or a health plan’s enrollment, payment, claims adjudication, and case or medical management record systems. The Rule excepts from the right of access the following protected health information: psychotherapy notes, information compiled for legal proceedings, laboratory results to which the Clinical Laboratory Improvement Act (CLIA) prohibits access, or information held by certain research laboratories. For information included within the right of access, covered entities may deny an individual access in certain specified situations, such as when a health care professional believes access could cause harm to the individual or another. In such situations, the individual must be given the right to have such denials reviewed by a licensed health care professional for a second opinion. Covered entities may impose reasonable, cost-based fees for the cost of copying and postage.
- Special Case: Minors. In most cases, parents are the personal representatives for their minor children. Therefore, in most cases, parents can exercise individual rights, such as access to the medical record, on behalf of their minor children. In certain exceptional cases, the parent is not considered the personal representative. In these situations, the Privacy Rule defers to State and other law to determine the rights of parents to access and control the protected health information of their minor children. If State and other law is silent concerning parental access to the minor’s protected health information, a covered entity has discretion to provide or deny a parent access to the minor’s health information, provided the decision is made by a licensed health care professional in the exercise of professional judgment.
- To amend health information. If you feel that health information we have about you is incorrect or incomplete, you may ask us to amend the information. To request an amendment, you must write to us at the address below. You must also give us a reason to support your request. We may deny your request to amend your health information if it is not in writing or does not provide a reason to support your request. We may also deny your request if the health information:
- Was not created by us, unless the person that created the information is no longer available to make the amendment,
- Is not part of the health information kept by or for us,
- Is not part of the information you would be permitted to inspect or copy, or
- Is accurate and complete.
- To receive an accounting of disclosures of your health information. You must make such requests in writing to the address below. Not all health information is subject to this request. Your request must state a time period for the information you would like to receive, no longer than 6 years prior to the date of your request and may not include dates before April 14, 2003. Your request must state how you would like to receive the report (paper, electronically).
- To designate another party to receive your health information. If your request for access of your health information directs us to transmit a copy of the health information directly to another person the request must be made by you in writing to the address below and must clearly identify the designated recipient and where to send the copy of the health information.
Practice Contact Person:
Our contact person for all questions, requests or for further information related to the privacy of your health information is:
Mila Ioussifova, OD
3615 SW River Parkway
Portland, OR 97239
(971) 229-0820
Complaints:
If you think we have not properly respected the privacy of your health information, you are free to complain to us at SWEC or to the U.S. Department of Health and Human Services, Office for Civil Rights. To file a complaint to us, send a written complaint to the office contact person at the address shown above. If you prefer, you can discuss your complaint in person or by phone. You will not be penalized for filing a complaint.
Changes to This Notice:
We reserve the right to change this Notice. We reserve the right to make the revised or changed Notice effective for health information we already have about you as well as any information we receive in the future. We will have a copy of the current Notice available at SWEC and on our website (https://www.southwaterfronteyecare.com). The Notice will specify the effective date. In addition, if material changes are made to this Notice, the Notice will contain an effective date for the revisions and copies can be obtained by contacting the Facility administrator.
Notice Revised: September 17, 2013
Notice Revised: February 4, 2014
Notice Revised: August 2, 2014
Notice Revised: February 14, 2015
Notice Revised: October 7, 2015
Notice Revised and Effective: August 17, 2016