The Health Insurance Portability & Accountability Act
NOTICE OF PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
A federal law called the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) creates new rights for clients of health care organizations. One of those rights is to information regarding the provider’s privacy practice. Under federal regulations, we must provide you with a copy of this Notice of Privacy Practices and ask that you sign a document stating that we gave the notice to you. You may review the Notice of Privacy Practices immediately or at a later time. At some point, you should read it carefully because it explains:
• Generally how we use health care information about you;
• That we, like other health care providers, may use and disclose health information about you as part of your treatment, to arrange for payment for services provided, and for our internal operations. We are not required to have separate permission for these uses and disclosures;
• Other circumstances where we may use or disclose information about your health where we are not required to get your permission first;
• The rights you have with respect to health information we have about you, namely:
o Your right to have a copy of this privacy notice;
o Your right to review and copy health information that we may have about you;
o Your right to an accounting for how we use and disclose your health information under certain limited circumstances;
o Your right to request restrictions on how we use your health care information;
o Your right to request an amendment to information in our records that you think is in error; and your right to file a complaint if you think your privacy rights have been violated.
At Whitman-Walker, we take your confidentiality very seriously. We encourage you to read this Notice and keep a copy of it for your records.
THE POLICIES IN THIS NOTICE BECOME EFFECTIVE ON APRIL 14, 2003.
Our Pledge Regarding Your Health Information
This Notice of Privacy Practices (the “Notice”) describes the privacy practices of Whitman-Walker Health (“WWH” or the “Health”), which includes its employees, volunteers, interns and contractors.
WWH wants you to know that nothing is more central to our operations than maintaining the privacy of your health information (“Protected Health Information” or “PHI”). PHI is information about you, including basic demographic information that may identify you, and that relates to your past, present or future health or condition and dispensing of pharmaceutical products to you. We take this responsibility very seriously.
We are required by federal and applicable state law to protect the privacy of your health information and to provide you with this Notice of our legal duties and privacy practices with respect to your PHI. This Notice describes how we may use and disclose PHI about you to carry out treatment, payment or health care operations and for other specified purposes that are permitted or required by federal and state laws. The Notice also describes your rights with respect to your PHI.
WWH is required to follow the requirements of the HIPAA statute whenever we use or disclose your PHI. We will not use or disclose PHI about you without your written authorization, except as permitted by law.
Certain programs within WWH are not governed by this Notice. This include our legal services program as it is not treated as a covered entity providing health care services for the purposes of federal privacy regulations. In general, our health care operations can share information about you with these programs only if you provide a signed authorization form. These programs are also governed by other standards that protect your privacy, including state laws and professional ethics restrictions.
We reserve the right to change our practices and this Notice and to make the new Notice effective for all PHI we maintain. Upon your request to our Privacy Office listed below, we will provide a revised Notice to you. We will also post the revised Notice on our website at www.WWH.org within 30 days of any revisions we make.
Please note that WWH is a participant in the DC regional Health Information Organization (“DC RHIO”). The DC RHIO stores patient medical information that is exchanged through a network of participating hospitals and Healths. DC RHIO participants may use and disclose medical information about you with other participants for treatment, payment and health care operations, consistent with HIPAA requirements and the DC RHIO policies, including medical information collected by WWH. If you have specific questions about WWH’s participation in the DC RHIO, please contact WWH’s Senior Privacy Officer, at (202) 939-7694or compliance@WWH.org.
How We May Use and Disclose Your PHI Without Your Permission
FOR TREATMENT, PAYMENT OR HEALTH CARE OPERATIONS:
As permitted under federal and applicable state law, we will use or disclose your PHI without your express authorization for three purposes: (i) treatment, (ii) payment and (iii) health care operations. For each of these categories, we explain what that means below.
• For Treatment. We may use your PHI to provide you with treatment, health care, or other related services. For example, we may contact you to provide appointment reminders, or inform you about treatment options available to you, or health-related benefits or services to which you may be entitled. Your PHI may be used by WWH employees who are involved in taking care of you in order to coordinate the different things you need, such as prescriptions, lab work, x-rays, therapy, or to coordinate a referral. The Health may also disclose your PHI to individuals or entities outside the Health who may be involved in your health care, providers to whom you have been referred or to whom you are transferring your care, family members, or those providing services that are part of your overall care, such as case managers.
• For Payment. We may use and disclose your PHI to bill and collect for the treatment and services we provide to you. For example, we may contact Medicare, Medicaid or your private insurance company to determine whether treatment will be reimbursed under your plan or to get paid for services we have provided.
• For Health Care Operations. We may use and disclose your PHI for health care operations at WWH. These uses and disclosures are necessary to run the Health, to make sure you receive competent, quality health care, and to maintain and improve the quality of health care we provide. For example, we may use your PHI to monitor the quality and effectiveness of the Health’s programs and services.
• Incidental Uses and Disclosures. We may occasionally inadvertently use or disclose your PHI incident to another use or disclosure that is permitted or required by law. Although the Health has safeguards in place to protect against others overhearing conversations that take place between providers, for example, there may be times that such conversations are in fact overheard. Please be assured, however, that WWH exercises its best efforts to avoid such incidental uses and disclosures.
FOR OTHER SPECIAL CIRCUMSTANCES:
There are other special circumstances when we are permitted under federal and applicable state law to use or disclose your PHI without your permission. The following explains when these circumstances may arise in two categories: (i) when we are likely to use or disclose your PHI and (ii) when we are permitted under law, but probably will not use or disclose your PHI.
We are likely to use or disclose your PHI for the following purposes:
Business associates: There are some services provided by us through contracts with other companies, who are our “business associates.” Federal law requires us to enter into a contract with these business associates to ensure that they will appropriately safeguard your PHI. For instance, we may contract to have certain of our services delivered by another health care provider or we may use a billing service for submitting our claims. When these services are contracted for, we may disclose PHI about you to our business associates so that they can perform the job we have asked them to do or bill an insurance company or managed care group for services rendered. But these business associates will be required to protect any PHI they receive in accordance with federal and applicable state laws, regulations and policies.
Individuals Involved in Your Care or Payment for Care. We may release PHI about you that is relevant for a friend, personal representative, spouse, domestic partner or family member who is involved in your medical care. If you are present, we can make these disclosures when you do not object or we can reasonably infer that you agree. If you are not present or are incapacitated, we may disclose certain PHI about you if we determine that the disclosure would be in your best interest.
Disclosures to parents or legal guardians: If you are a minor, we may release PHI about you to your parent or legal guardian when we are permitted to or required to under federal and applicable state law.
Workers’ compensation: We may disclose PHI about you to the extent authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs established by law.
Public health: As required by law, we may disclose PHI about you to public health or legal authorities charged with preventing or controlling disease, injury, or disability. These activities may include the following:
• Mandatory disclosures to report child abuse or neglect;
• Disclosures to report reactions to medications or other products to the U.S. Food and Drug Administration or other authorized entity;
• Disclosures to notify individuals of recalls on products they may be using; and
• Disclosures (if required by law) to individuals who may have been exposed to disease or may be at risk for contracting or spreading a disease.
Law enforcement: We may disclose PHI about you for law enforcement purposes as required by law or in response to a request by a law enforcement official. These disclosures of your PHI may be:
• In response to a court order, subpoena, warrant, summons or similar process;
• To identify or locate a suspect, fugitive, material witness or missing person;
• About the victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement;
• About a death we believe may be the result of criminal conduct;
• About crimes conducted on our premises or against a member of our workforce; and
• In an emergency circumstance, to report a crime, the location of the crime or victims, or the identity, description or location of the person who committed the crime.
As required by law: We must disclose PHI about you when required to do so by federal, state or local laws.
Health oversight activities: We may disclose PHI about you to an oversight agency for activities authorized by law. These oversight activities include audits, investigations, and inspections, as necessary for our licensure and for the government to monitor the health care system, government programs, and compliance with federal and state laws.
Judicial and administrative proceedings: If you are involved in a lawsuit or a dispute, we may disclose PHI about you in response to a court or administrative order. We may also disclose PHI about you in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the requested PHI.
United States Department of Health and Human Services: Under federal law, we are required to disclose your PHI without your permission, if this PHI is requested by the U.S. Department of Health and Human Services to determine if we are in compliance with the federal laws and regulations regarding protecting the confidentiality of health information.
Research: Under certain circumstances, we may use or disclose your PHI for research purposes. Before we use or disclose your PHI, however, the research project will have to be approved through a special approval process by an institutional review board or privacy board that has reviewed the research proposal and established protocols to ensure the privacy of your PHI. We may also use or disclose your PHI for research purposes if we obtain your express written authorization for this use or disclosure.
Fundraising: Currently, WWH does not use client lists for fundraising purposes. However, we may elect to do so in the future. If we do so, the sole information we will use as part of this process is your name, address, and telephone number. You may receive fundraising contacts even if we do not use client lists for fundraising purposes. For instance, if you are a past donor or on a list of potential likely donors that we acquire from third parties, you may receive fundraising solicitations from us. The fact that you have received a solicitation does not mean that we have used information gained in our health care operations. However, our Development Office will gladly remove you from our solicitation lists. If you do not want receive solicitations, you can either call the Development Office at 202-797-3520 or write to the Development Office, Whitman-Walker Health, 1701 14th St. NW, Washington, DC 20009.
Victims of abuse, neglect, or domestic violence: We may disclose PHI about you to a government authority, such as a social service or protective services agency, if we reasonably believe you are a victim of abuse, neglect, or domestic violence. We will only disclose your PHI for this purpose to the extent required by law, if you agree to the disclosure, or if the disclosure is allowed by law and we believe it is necessary to prevent serious harm to you or someone else or the law enforcement or public official that is to receive the report represents that it is necessary and will not be used against you. When we make this disclosure, we will notify you.
Administrator or Executor: Upon your death, we may disclose your PHI to an administrator, executor or other individual so authorized under applicable state law.
Although we may not engage in these activities, we may use or disclose PHI about you for the following purposes under federal or state law without your permission:
Coroners, medical examiners, and funeral directors: We may release PHI about you to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also disclose PHI to funeral directors consistent with applicable law to carry out their duties.
Organ or tissue procurement organizations: Consistent with applicable law, we may disclose PHI about you to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of organs for the purpose of tissue donation and transplant.
Notification: We may use or disclose PHI about you to an entity assisting in a disaster relief effort so that your family, personal representative or friends may be notified about your condition, status and location.
Correctional institution: If you are or become an inmate of a correctional institution, we may disclose to the institution or its agents PHI necessary for your health and the health and safety of others.
To avert a serious threat to health or safety: We may use and disclose PHI about you when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.
Military and veterans: If you are a member of the armed forces, we may release PHI about you as required by military command authorities. We may also release PHI about foreign military personnel to the appropriate military authority.
National security and intelligence activities: We may release PHI about you to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.
Protective services for the President and others: We may disclose PHI about you to authorized federal official so they may provide protection to the President, other authorized persons or foreign heads of state or conduct special investigations.
How We May Use or Disclose Your PHI For Other Purposes
We will obtain your written authorization before using or disclosing PHI about you for purposes other than those provided for above (or as otherwise permitted or required by law).
You may revoke this authorization in writing at any time. If you decide to revoke your authorization, you must submit a request to revoke in writing to our Privacy Office at the address listed below. Your revocation will become effective upon its receipt by us. Your revocation will not have any effect on any action taken by us in reliance upon the authorization before we received written notice of the revocation.
Our Legal Services Program: Whitman-Walker Health operates a legal services program. However, if you receive services from our legal services department, we do not automatically share information about clients who may receive services from our other organizational components. If our legal services staff or volunteers need health information about you for your legal representation, they will ask you to sign an authorization form.
Your Rights Regarding Your PHI
You have the following rights with respect to PHI about you:
• Obtain a paper copy of the Notice upon request. You may request a copy of this Notice at any time. To obtain a copy, go to www.whitman-walker.org or contact the WWH Privacy Office at the address or number set forth below.
• Inspect and obtain a copy of PHI. You have the right to access and copy PHI about you contained in a “designated record set” for as long as we maintain the PHI. The “designated record set” usually will include prescription and billing records. To inspect or copy PHI about you, you must send a written request to the Whitman-Walker Health Privacy Office at 1701 14th Street NW, Washington, DC 20009. We will respond to your request in writing within 30 days (or 60 days if the PHI is located off-site). We may charge you a fee for the costs of copying, mailing, or other supplies that are necessary to grant your request. We may deny your request to inspect and copy in certain limited circumstances. We may deny your request if: (i) we have reasonably determined that providing access to PHI would endanger your life or safety or cause substantial harm to you or another person, (ii) the PHI references another person and we do not have the required permission to disclose; or (iii) some other legal requirement prohibits us from disclosing this information to you. If we deny your request, we will notify you in writing and provide you with the opportunity to request a review of the denial.
• Request an amendment of PHI. If you feel that PHI about you contained in a designated record set maintained by us is incomplete or incorrect, you may request that we amend it. The designated record set usually will include prescription and billing records. You may request an amendment for as long as we maintain the PHI in a designated record set. To request an amendment, you must send a written request to Whitman-Walker Health Privacy Office at 1701 14th Street NW, Washington, DC 20009. Your request must identify: (i) which information you seek to amend, (ii) what corrections you would like to have made and (iii) why the information needs to be amended. We will respond to your request in writing within 60 days (with a possible 30-day extension). In our response we will either: (i) agree to make the amendment or (ii) inform you of our refusal to make the amendment, explain our reason and outline any procedure that is available for you to appeal. We may deny your request to amend for certain reasons. If we deny your request for amendment, you also have the right to file a statement of disagreement with the decision and we will provide you with a rebuttal to your statement, both of which will be attached to your designated record set.
• Receive an accounting of disclosures of PHI. You have the right to request an accounting of the disclosures we have made of PHI about you after April 14, 2003 for most purposes other than treatment, payment, or health care operations. The accounting will exclude disclosures we have made directly to you, disclosures made with your authorization, incidental uses and disclosures, disclosures to friends or family members involved in your care, disclosures for notification purposes and certain other exceptions. To request an accounting, you must submit your request in writing to Whitman-Walker Health Privacy Office at 1701 14th Street, NW, Washington, DC 20009. Your request must specify the time period, but may not be longer than six years. We will respond to your request in writing within 60 days of receiving your request (with a possible 30-day extension). The first accounting you request within a 12 month period will be provided free of charge, but you may be charged for the cost of any subsequent accountings. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time.
• Request communications of PHI by alternative means or at alternative locations. You have the right to request that we communicate with you in a certain way or at a certain location. For example, you may request that we contact you about medical matters only in writing at a specific address. To request confidential communication of PHI about you, you must submit your request in writing to Whitman-Walker Health Privacy Office at 1701 14th Street, NW, Washington, DC 20009. Your request must state how, where or when you would like to be contacted. We will accommodate all reasonable requests.
• Request a restriction on certain uses and disclosures of PHI. You have the right to request a restriction or limitation on our use or disclosure of PHI about you by sending a written request to the Whitman-Walker Health Privacy Office at 1701 14th Street, NW, Washington, DC 20009. You must identify in this request: (i) what particular information you would like to limit, (ii) whether you want to limit use, disclosure or both and (iii) to whom you want the limits to apply. Although we will consider your request carefully, we are not required to agree to those restrictions. We will provide you with a written response to your request within 30 days. If we do agree to restrict use or disclosure of your PHI, we will not apply these restrictions in the event of an emergency. We also have the right to terminate the restriction if: (i) you agree orally or in writing or (ii) we inform you of the termination, which becomes effective only with respect to your PHI created or received after we inform you of the termination.
For More Information or to Report a Problem
If you have questions or would like additional information about Whitman-Walker Health’s privacy practices, you may contact the Privacy Officer at 202.939.7694 or by writing Whitman-Walker Health, Director of Compliance, 1701 14th Street, N.W., Washington, D.C. 20009.
If you believe your privacy rights have been violated, you can file a complaint with our Privacy Office or with the Secretary of the United States Department of Health and Human Services. To file a complaint with us, contact our Privacy Office at the address and number listed above. All complaints must be submitted in writing. You will not be penalized in any way for filing a compliant.
This Notice, as amended, is effective as of April 14, 2003.
Acknowledgement of Receipt of Notice of Privacy Practices from Whitman-Walker Health is indicated by your signature on our Consents form within your record.