Notice of Privacy Practices
Effective: January 2022
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This Notice of Privacy Practices (“Notice”) describes the privacy practices of Diana Health, a “covered entity” under the Health Insurance Portability and Accountability Act (“HIPAA”). We will share your medical and health information that is subject to HIPAA (“Protected Health Information” or “PHI”) as necessary to carry out treatment, payment and health care operations and as permitted by HIPAA and this Notice. References to “we”, “our”, or “us” include all legal entities that make up Diana Health, and cover their department and units, the staff within our health care facilities, health care professionals permitted by us to provide services to you on our behalf, and others involved in providing your care. This Notice does not apply to health information that is not subject to HIPAA or similar state health information privacy laws, or information used or shared in a manner that cannot identify you.
This facility and its medical staff members have organized and are presenting you this document as a joint notice. Information will be shared as necessary to carry out treatment, payment and health care operations. Physicians and caregivers may have access to PHI in their offices to assist in reviewing past treatment as it may affect treatment at the time.
We may also participate in various electronic health information exchanges that facilitate access to medical information by other health care providers outside of Diana Health who provide you care. For example, if you are admitted on an emergency basis to a hospital that participates in the health information exchange, the exchange will allow us to make your PHI available electronically to those who need it to treat you.
This Notice does not apply to any Diana Health health plan or to Diana Health as an employer. Any Diana Health health plan is considered a separate covered entity for the purpose of HIPAA and has its own notice of privacy practices. Additionally, if your doctor is not a member of a physician practice that is owned by Diana Health, he or she may have different policies about how to handle your information and will have a separate notice of privacy practices.
This Notice only applies to those parts of Diana Health’s websites and mobile device applications where you can access your Protected Health Information or interact with a clinician regarding your specific care, such as Diana Health’s patient portal with respect to your PHI. However, these websites and applications may contain additional terms associated with your use. You should review those terms as well as the website terms contained on the Diana Health website that you visit.
You may have additional rights under other applicable state or federal law. Applicable state or federal laws that provide greater privacy protection or broader privacy rights will continue to apply and we will comply with such laws to the extent they are applicable.
USES AND DISCLOSURES OF YOUR PROTECTED HEALTH INFORMATION
We may use and disclose your Protected Health Information in the following situations; however, applicable laws governing sensitive information (including behavioral health information, drug and alcohol treatment information, and HIV status) may further limit these uses and disclosures:
- Treatment: We may use or disclose your Protected Health Information to provide medical treatment and/or services in order to manage and coordinate your medical care. For example, we may share your PHI with other providers to ensure that the medical provider has the necessary PHI to diagnose and provide treatment to you.
- Payment: Your Protected Health Information may be used or disclosed to obtain payment for your health care services. For example, we will provide your health care plan with the PHI it requires prior to paying us for the services we have provided to you. This use and disclosure may also include certain activities that your health plan requires prior to approving a service, such as determining benefits eligibility and prior authorization, etc.
- Health Care Operations: We may use and disclose your Protected Health Information to manage, operate, and support the business activities of our practice. These activities include, but are not limited to, quality assessment, employee review, licensing, and conducting other business activities. We may use or disclose your Protected Health Information, as necessary, to contact you to remind you of your appointment or for important services such as annual checkups, and inform you about treatment alternatives or other health-related benefits and services that may be of interest to you. For example, we may call, text, or e-mail you to remind you of a scheduled appointment. We may also share your PHI for case management and care coordination purposes. We may share PHI with our students, trainees, and staff for review and learning purposes. We may also use and share your PHI to confirm the time, place and attendance of your appointment for treatment with third-party transportation services.
- Minors: Protected Health Information of minors will be disclosed to their parents or legal guardians acting as personal representatives, unless prohibited by law or in circumstances where the law permits us to withhold PHI, such as to prevent harm to the minor or another person or in cases of suspected child abuse or neglect.
- Required by Law and Legal Proceedings: We will use or disclose your Protected Health Information when required to do so by local, state, federal, and international law. For example, we may share your PHI as required to report a suspicious death or suspected child abuse or neglect. We may use and disclose your PHI in conjunction with judicial or administrative proceedings or for purposes of litigation as permitted by law. We may also share your PHI in response to an administrative or court order, or in response to a subpoena, a discovery request, or other legal process if we are advised that you have been made aware of the request or that efforts were made to secure a qualified protective order.
- Abuse, Neglect, and Domestic Violence or Other Threats to Safety: Your Protected Health Information will be disclosed to the appropriate government agency if we believe that a patient has been or is currently the victim of abuse, neglect, or domestic violence and the patient agrees to the disclosure or we are otherwise permitted or required by law to do so. In addition, your PHI may also be disclosed when necessary to prevent a serious threat to your health or safety or the health and safety of others to someone who may be able to help prevent the threat. State laws may require such disclosure when an individual or group has been specifically identified as the target or potential victim.
- Law Enforcement: We will disclose your Protected Health Information for law enforcement purposes when all applicable legal requirements have been met. This includes, but is not limited to, law enforcement due to identifying or locating a suspect, fugitive, material witness or missing person; complying with a court order or warrant, and grand jury subpoena; reporting information about a victim of a crime, reporting a death we believe resulted from criminal conduct, reporting criminal conduct occurring on our premises, or reporting crime in an emergency, such as the location of the crime or victims or the identity, description or location of the person who committed the crime.
- Public Health: Your Protected Health Information may be disclosed and may be required by law to be disclosed for public health purposes. This includes: to prevent or control disease; report births and deaths; reporting of reactions to medications or problems with health products; reporting a person who may have been exposed to a disease or may be at risk of contracting and/or spreading a disease or condition. We may share your PHI with public health authorities for public health purposes to prevent or control disease, injury, or disability and for conducting public health monitoring, investigations, or activities.
- Health Oversight Activities: We may disclose your Protected Health Information to a health oversight agency for audits, investigations, inspections, licensures, and other activities as authorized by law. The relevant agencies include governmental units that oversee or monitor the health care system, government benefit and regulatory programs, and compliance with civil rights laws.
- Military, National Security, and other Specialized Government Functions: We may disclose your PHI, if you are in the Armed Forces, for activities deemed necessary by appropriate military command authorities for determination of benefit eligibility by the Department of Veterans Affairs or to foreign military authorities if you are a member of that foreign military service. We may disclose your PHI to authorized federal officials for conducting national security and intelligence activities or special investigations (including for the provision of protective services to the President of the United States, other authorized persons, or foreign heads of state) or to the Department of State to make medical suitability determinations.
- Inmates and Correctional Institutions: If you are an inmate at a correctional institution, then under certain circumstances we may disclose your PHI to the correctional institution or law enforcement official. This may be necessary 1) for the institution to provide you with health care; 2) to protect your health and safety or the health and safety of others; or 3) for the safety and security of the correctional institution and its staff.
- Worker’s Compensation: We will disclose only the Protected Health Information necessary for Worker’s Compensation in compliance with Worker’s Compensation laws. This PHI may be reported to your employer and/or your employer’s representative regarding an occupational injury or illness.
- Practice Ownership Change: If our medical practice is sold, acquired, or merged with another entity, your PHI may become the property of the new owner. However, you will still have the right to request copies of your records and have copies transferred to another provider.
- Breach Notification Purposes: If for any reason there is an unsecured breach of your Protected Health Information, we will utilize the contact information you have provided us with to notify you of the breach, as required by law. In addition, your Protected Health Information may be disclosed as a part of the breach notification and reporting process.
- Research: Your Protected Health Information may be used by or disclosed to researchers for the purpose of conducting research when the research has been approved by an Institutional Review or Privacy Board and in compliance with law governing research or where you have provided your authorization. You may choose to participate in a research study that requires you to obtain related health care services. In this case, we may share your PHI 1) with the researchers involved in the study who ordered the hospital or other health care services; and 2) with your insurance company in order to receive payment for those services that your insurance agrees to pay for. We may use and share your PHI with a researcher if certain parts of your PHI that would identify you are removed before we share it with the researcher. This will only be done if the researcher agrees in writing not to share the information, will not try to contact you, and will obey other requirements that the law provides.
- Business Associates: We may disclose your Protected Health Information to our business associates who provide us with services necessary to operate and function as a medical practice. We will only provide the minimum information necessary for the associate(s) to perform their functions as it relates to our business operations. For example, we may use a separate company to process our billing or transcription services that require access to a limited amount of your PHI. Please know and understand that all of our business associates are obligated to comply with the same HIPAA privacy and security rules in which we are obligated. Additionally, all of our business associates are under contract with us and committed to protect the privacy and security of your Protected Health Information. We may also share your PHI with a Business Associate who will remove information that identifies you so that the remaining information can be used or disclosed for purposes outside of this Notice.
- Coroners, Medical Examiners, and Funeral Directors. We may disclose your PHI to a coroner, medical examiner, or funeral director as necessary for them to carry out their duties.
- Organ and Tissue Donation. If you are an organ donor, we may disclose your PHI to organizations that handle organ procurement or organ, eye or tissue transplantation, or to an organ donation bank, as necessary to facilitate organ or tissue donation and transplantation.
- Proof of Immunization. We will disclose proof of immunization to a school that is required to have it before admitting a student if you have agreed to the disclosure on behalf of yourself or your dependent.
USES AND DISCLOSURES IN WHICH YOU HAVE THE RIGHT TO OBJECT AND OPT OUT
- Facility Directory: We may include limited information about you in a facility directory while you are a patient at a Diana Health hospital or other facility. The information may include your name, location in the building, general condition, such as “stable,” “serious,” “critical,” and your religious affiliation. Except for your religious affiliation, the directory information may be released to people who ask for you by name. We may give your religious affiliation to a member of the clergy, such as a priest or rabbi, even if they don’t ask for you by name. This helps your family, friends, and clergy who visit you to know how you are doing. You have the right to ask that all or part of your information not be given out. If you do so, we will not be able to tell your family or friends your room number or that you are in the hospital or facility.
- Communication with family and/or individuals involved in your care or payment of your care: Unless you object, disclosure of your Protected Health Information may be made to a family member, friend, or other individual whom you have identified and who is involved in your care or payment for your care. We may share your PHI with these persons if you are present or available before we share your PHI with them and you do not object to our sharing your PHI with them, or we reasonably believe that you would not object to this. If you are not present and certain circumstances indicate to us that it would be in your best interests to do so, we will share information with a friend or family member or someone else identified by you, to the extent necessary. This could include sharing information with your family or friend so that they could pick up a prescription or a medical supply. We may tell your family or friends that you are in a Diana Health facility and your general condition.
- Disaster: In the event of a disaster, your Protected Health Information may be disclosed to disaster relief organizations to coordinate your care and/or to notify family members or friends of your location and condition. Whenever possible, we will provide you with an opportunity to agree or object.
- Fundraising: As necessary, we may disclose your Protected Health Information to contact you regarding fundraising events and efforts. For example, you may receive a letter from Diana Health asking for a donation to support enhanced patient care, treatment, education or research at Diana Health. You have the right to object or opt out of these types of communications. Please let our office know if you would NOT like to receive such communications.
USES AND DISCLOSURES THAT REQUIRE YOUR WRITTEN AUTHORIZATION
We will not disclose or use your Protected Health Information in the situations listed below without first obtaining written authorization to do so. In addition to the uses and disclosures listed below, other uses not covered in this notice will be made only with your written authorization. If you provide us with an authorization, you may revoke it at any time by submitting a request in writing. Revocation does not apply to PHI that has already been used or disclosed with your permission. You can obtain an authorization form from us upon request.
- Disclosure of Psychotherapy Notes: Unless we obtain your written authorization, in most circumstances we will not disclose your psychotherapy notes. Some circumstances in which we will disclose your psychotherapy notes include the following: for your continued treatment; training of medical students and staff; to defend ourselves during litigation; if the law requires; health oversight activities regarding your psychotherapist; to avert a serious or imminent threat to yourself or others; and to the coroner or medical examiner upon your death.
- Marketing: Disclosures for marketing purposes which result in our receiving financial payment from a third party whose product or services is being marketed will require your written authorization. This does not include compensation that merely covers our cost of reminding you to take and refill your medication or otherwise communicate about a drug or biologic that is currently prescribed to you. However, we may use or disclose your PHI without your authorization to send you information about alternative medical treatments, our own programs or about health-related products and services that may be of interest to you, provided that we do not receive financial remuneration for making such communications. For example, if you suffer from a chronic illness or condition, we may use your PHI to assess your eligibility and propose newly available treatments. When we see you face-to-face, we may also use your PHI without your authorization to encourage you to maintain a healthy lifestyle and get recommended tests, suggest that you participate in a disease management program, provide you with promotional gifts of nominal value, or tell you about government sponsored health programs.
- Sale of PHI: Any activity constituting a sale of your Protected Health Information will require your prior written authorization.
PROTECTED HEALTH INFORMATION AND YOUR RIGHTS
The following are statements of your rights, subject to certain limitations, with respect to your Protected Health Information:
- You have the right to inspect and copy your Protected Health Information: Pursuant to your written request, you have the right to inspect and copy your Protected Health Information contained in a Designated Record Set (as defined by HIPAA) in paper or electronic format. Under federal law, you may not inspect or copy the following types of records: psychotherapy notes, information compiled as it relates to civil, criminal, or administrative action or proceeding; information restricted by law; information related to medical research in which you have agreed to participate; information obtained under a promise of confidentiality; and information whose disclosure may result in harm or injury to yourself or others. To inspect, copy or otherwise electronically access your PHI in the designated record set, you must submit your request in writing. Where permitted by law, we may charge a reasonable fee for the costs of copying, mailing or other supplies associated with your request, including where you designate a third-party recipient. We will discuss any fees with you before processing your request. We may deny your request to inspect and copy in certain very limited circumstances. If we deny you access to your PHI for certain reasons, we will provide you with an opportunity to request that the denial be reviewed. A licensed health care professional chosen by us will perform such a review. This person will not be the same person who refused your request.
- You have a right to a summary or explanation of your Protected Health Information: You have the right to request only a summary of your Protected Health Information if you do not desire to obtain a copy of your entire record. You also have the option to request an explanation of the PHI to which you were provided access when you request your entire record.
- You have the right to obtain an electronic copy of medical records: You have the right to request an electronic copy of your medical record for yourself or to be sent to another individual or organization when your Protected Health Information is maintained in an electronic format. We will make every attempt to provide the records in the format you request; however, in the case that the information is not readily accessible or producible in the format you request, we will provide the record in a standard electronic format or a legible hard copy form. We provide the Diana Health patient portal as one option for patients to electronically access their PHI. You may set up access to the Diana Health patient portal by downloading the application in the appropriate application store. There is no fee for you to access information through the Diana Health patient portal.
- You have the right to receive a notice of breach: In the event of a breach of your unsecured Protected Health Information, you have the right to be notified of such breach. We will notify you of breach of your unsecured PHI experienced by us or one of our Business Associates in accordance with applicable law.
- You have the right to request Amendments: At any time if you believe the Protected Health Information we have on file for you is inaccurate or incomplete, you may request that we amend the information. Your request for an amendment must be submitted in writing and detail what PHI is inaccurate and why. Please note that submitting a request for an amendment does not necessarily mean the PHI will be amended. If we approve your request, we will include the amendment in any future disclosures of the relevant PHI. If we deny your request for an amendment, you may file a written statement of disagreement, which we may rebut in writing. The denial, statement of disagreement, and rebuttal will be included in any future disclosures of the relevant PHI. We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend PHI that: is not part of the PHI maintained by us; was not created by us, unless the person or entity that created the information is no longer available to make the amendment; is not part of the information which you would be permitted to inspect and copy; or is accurate and complete. All denials will be made in writing.
- You have a right to receive an accounting of certain disclosures: You have the right to receive an accounting of certain disclosures of your Protected Health Information. An “accounting” is a list of certain disclosures that we have made of your PHI. The request can be made for paper and/or electronic disclosures. Certain disclosures are exempt from the accounting requirement, such as (but not limited to) disclosures made for the purposes of: treatment; payment; health care operations; notification and communication with family and/or friends; and those required by law. Your request must be in writing. Your request must include the time frame that you would like us to cover, which may be no longer than 6 years prior to the date of your request. We will provide the first requested accounting in any 12-month period without charge. However, we may charge you for the cost of providing the accounting for any subsequent accounting requested in a 12-month period. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred.
- You have the right to request restrictions of your Protected Health Information: You have a right to request to restrict and/or limit the PHI we disclose to others, such as family members, friends, and individuals involved in your care or payment for your care. You also have the right to request to limit or restrict the PHI we use or disclose for treatment, payment, and/or health care operations. Your request must be submitted in writing and include (1) what PHI you want to limit; (2) whether you want to limit our use, disclosure or both; and (3) to whom you want the limits to apply, for example, disclosure to your spouse. Please note that our practice/your provider is not required to agree to your request for restriction with the exception of a restriction requested to not disclose PHI for purposes of payment or health care operations to your health plan for care and services in which you have paid us in full out-of-pocket. If we do agree to any request, we still may provide PHI, as necessary, to give you emergency treatment.
- You have a right to request to receive confidential communications: You have a right to request confidential communications from us by alternative means or at an alternative location. For example, you may request that we send mail only to an address specified by you which may or may not be your home address. You may request that we should only call you on your work phone or specify which telephone numbers we are allowed or not allowed to leave messages on. You do not have to disclose the reason for your request; however, you must submit a request with specific instructions in writing. We will make reasonable efforts to accommodate your request.
- You have the right to appoint a personal representative, such as a medical power of attorney or, if you have one, a legal guardian. Your personal representative may be authorized to exercise your rights and make choices about your PHI. We will confirm the person has this authority and can act for you before we take any action based on their request.
- You have a right to receive a paper copy of this Notice: Even if you have agreed to receive an electronic copy of this Notice, you have the right to request we provide it in paper form. You may make such a request at any time. You can also get a copy of this Notice at our website.
CHANGES TO THIS NOTICE
We reserve the right to change our privacy practices and the terms of this Notice at any time, provided the change is permitted by law. We reserve the right to have such a change apply to all PHI we maintain, including PHI we received or created before the change. If we make changes to this Notice, we will post an updated form in our office and on our website. We will also make copies of our new notice available if you wish to obtain one.
ELECTRONIC MEDICAL INFORMATION SHARING THROUGH APPLICATION PROGRAMMING INTERFACES
You have the right to request or authorize that your electronic PHI in your designated record set be transmitted to you or another person or organization through an application programming interface (API). APIs are computer coding mechanisms that permit two or more electronic computer applications or software programs to communicate with each other and share information. Diana Health is required by law to comply with requests regarding API transmissions, subject to certain exceptions. You understand that PHI transmitted through an API at your request will no longer be under Diana Health’s protection and control, will no longer be subject to the protections and rights outlined in this Notice, and may no longer be subject to the same laws, regulations, policies or procedures regarding its confidentiality, security, privacy, use, or disclosure. You understand and agree that you make requests to Diana Health to transmit your PHI through an API at your own risk and you assume all liability for the consequences of such action taken by Diana Health at your direction. Diana Health cautions you to confirm any confidentiality, security or privacy protections with respect to your transmitted PHI with the recipient of the PHI prior to submitting a request to Diana Health to transmit your PHI through an API.
If at any time you believe your privacy rights have been violated and you would like to register a complaint, you may do so with us or with the Secretary of the United States Department of Health and Human Services. If you file a complaint, we will not take action against you or change our treatment of you in any way.
If you wish to file a complaint with us, please submit it in writing to our Privacy Officer at email@example.com.
If you wish to file a complaint with the Secretary of the United States Department of Health and Human Services, please go to the website of the Office for Civil Rights (www.hhs.gov/ocr/hipaa/), call 202-619-0257 (toll free 877-696-6775), or mail to:
Secretary of the US – Department of Health and Human Services
200 Independence Ave S.W.
Washington, D.C. 20201
To file a complaint with the Secretary, you must 1) name the Diana Health place or person that you believe violated your privacy rights and describe how that place or person violated your privacy rights; and 2) file the complaint within 180 days of when you knew or should have known that the violation occurred.
HIPAA COMPLIANCE OFFICER
We are required by law to provide individuals with this Notice of our legal responsibilities and privacy practices with respect to Protected Health Information. We are also required to implement safeguards to maintain the privacy of PHI, and abide by the terms of the Notice currently in effect. If you have any questions in reference to this Notice, please contact our Privacy Officer by email or by phone at the number listed above.