Notice Of Privacy Practices
THIS NOTICE EXPLAINS HOW YOUR MEDICAL INFORMATION MAY BE USED AND DISCLOSED AND HOW YOU MAY GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
We respect the privacy of and are committed to maintaining the confidentiality of residents’ and employees’ personal health information. This Notice applies to all medical information and records related to your care that our staff, employees, volunteers, and physicians have received or created. This Notice informs you about the possible uses and disclosures of residents’ and employees’ personal health information and describes residents’ and employees’ rights and our obligations regarding such health information.
We are required by law to:
- Maintain the privacy of your protected health information
- Provide you this detailed Notice of our legal duties and privacy practices relation to your personal health information; and
- Abide by the terms of the Notice that are currently in effect.
We may use and disclose your personal health information for the treatment, payment, and health care operations without needing to obtain your consent:
1. Treatment: We will use and disclose your personal health information in providing you with treatment and services. We may disclose your personal health information to facility and non-facility personnel who may be involved in your care, such as physicians, nurses, nurse aides, and physical therapists. For example, a nurse caring for you will report any change in your condition to your physician. We also may disclose personal health information to individuals who will be involved in your care after you leave the facility.
2. Payment: We may use and disclose your personal health information so that we can bill and receive payment for the treatment and services you receive at the facility. For billing and payment purposes we may disclose your personal health information to your representative, an insurance or managed care company, Medicare, Medicaid or another third party payor. For example, we may contact Medicare or your health plan to confirm your coverage or to request prior approval for a proposed treatment or service.
3. Health Care Operation: We may use and disclose your personal health information for facility operations. These uses and disclosures are necessary to manage the facility and to monitor your quality of care. For example, we may use personal health information to evaluate our facility’s services, including the performance of our staff.
4. Authority for collection of information including social security number. Sections 1819(f), 1919(f), 1819(b)(3)(A), and 1864 of the Social Security Act.
We may use or disclose personal health information about you for the following specific purposes:
1. As specifically required or permitted by law or for law enforcement purposes;
2. To an organization assisting in disaster relief;
3. For public health purposes, which may include:
a. Reporting to a public health or other government authority for preventing or controlling disease, injury or disability, or reporting child abuse or neglect;
b. Reporting to the federal Food and Drug Administration (FDA) concerning adverse events or problems with products for tracking products in certain circumstances, to enable product recalls or to comply with other FDA requirements;
c. To notify a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or conditions;
d. For certain purposes involving workplace illness or injuries.
4. In response to a court or administrative order, a subpoena, discovery request, or other lawful process, in which case efforts will be made to contact you about the request or to give you an opportunity to obtain an order or agreement protecting the information.
5. To comply with laws relating to workers’ compensation or similar programs.
6. If we believe that you have been a victim of abuse, neglect or domestic violence, to notify a government authority if required or authorized by law, or if you agree to the report.
7. To a health oversight agency for oversight activities authorized by law, which may include, for example, audits, investigations, inspections and licensure actions or other legal proceedings. These activities are necessary for government oversight of the health care system, government payment or regulatory programs, and compliance with civil rights laws.
8. To identify or locate a suspect, fugitive, material witness, or missing person.
9. When information is requested about the victim of a crime if he individual or under other limited circumstances.
10. As appropriate to report information about a suspicious death.
11. As appropriate to provide information about criminal conduct occurring at the facility.
12. As appropriate to report information in emergency circumstances about a crime.
13. As appropriate to identify or apprehend an individual in relation to a violent crime or an escape from lawful custody.
14. To authorized officials conducting national security and intelligence activities or as needed to provide protection to the President of the United States, certain other persons or foreign heads of states or to conduct certain special investigations.
15. As expressly permitted by the resident, the employee, or a person who has the power to provide such permission on behalf of the resident or employee (for example, a person with an applicable power of attorney).
16. To a family member or close personal friend, including clergy, who is involved in your care or payment for your care, if the personal health information is relevant to that person’s involvement.
17. When necessary to prevent a serious threat to your health or safety or the health or safety of the public or another person, but any such disclosure would be made only to someone able to help prevent the threat.
18. Upon death, we may release information to a coroner, medical examiner, funeral director, or organ procurement organizations if you are an organ donor.
19. If you are a veteran or member of the armed forces, we may release information as required to military command authorities. We may also use and disclose personal health information about foreign military personnel as requires by the appropriate foreign military authority.
20. As appropriate to remind a resident about an appointment or to inform the resident about treatment alternatives or to inform residents and employees about health-related benefits and services.
21. We will include limited information about residents and employees in our facility directory unless the resident or employee objects. This may include your name, location in the facility, general condition, and religious affiliation. Our directory does not include specific medical information about you.
22. We will provide family members and clergy with information regarding your room number and general information on your condition unless you object. We may provide members of the clergy with information regarding your religious affiliation as listed in the facility directory unless you object.
23. We may provide individual medical information for medical research but only with the execution of a written authorization for the resident, such as the attorney-in-fact or guardian, or by the employee on his or her own behalf.
24. To contact you in an effort to raise money for the facility and its operations. We may disclose personal health information to a foundation related to the facility so that the foundation may contact you in raising money for the facility. In doing so, we would only release contact information, such as your name, address and phone number and the dates you received treatment or services at the facility. Such fundraising communications shall provide, in a clear and conspicuous manner, the opportunity for you to opt out of receiving future fundraising communications.
25. Medicare and Medicaid participating long-term care facilities are required to conduct comprehensive, accurate, and reproducible standardized assessments of each resident’s functional capacity and health status. To implement this requirement, the facility must obtain information from every resident. This information also is used by the Federal Centers for Medicare and Medicaid Services (CMS) to ensure that the facility meets quality standards and provides appropriate care to all residents. For this purpose, as of June 22, 1998, all such facilities are required to establish a database of resident assessment information, and to electronically transmit the information to the CMS contractor in the State government, which in turn transmits the information to CMS. Because the law requires disclosure of this information to the Federal and State sources as discussed above, a resident does not have the right to refuse consent to these disclosures.
26. Discussions between the facility and you concerning possible products and services offered by outside entities are considered “marketing communication”. For example, if an outside vendor requests that we recommend their product or service to you, or provide you with a pamphlet or other written brochures, a “marketing discussion” has occurred. Generally speaking, before we can engage in these conversations with you, or to provide you with the materials, we will need to receive your authorization. The only current exceptions to this process are for communication made:
a. To provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for you, and so long as any payment received by us from the outside
supplier in exchange for making this communication is reasonably related to our cost or making the communication; or
b. For the following treatment and health care operation purposes, except where we receive payment in exchange for making the communication
For the treatment of an individual by a health care provider including care management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual,
To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of the covered entity making the communication, including communications about: the entities participating in a health care provider network of health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; or
For case management or care coordination, contacting of individuals with information about treatment alternatives, and related functions to the extent these activities do not fall within the definition of treatment
Your authorization is required for all other uses of personal health information.
Your authorization is required for most uses and disclosures of psychotherapy notes, uses and disclosures of personal health information for marketing purposes, and disclosure that constitute the sale of personal health information. Other uses and disclosures not described in this Notice will be made only with your written authorization. You may revoke your authorization to use or disclose personal health information in writing, at any time. If you revoke your authorization, we will no longer use or disclose your personal health information for the purposes covered by the authorization, except where we have already relied on the authorization.
Residents and employees have certain rights regarding personal health information:
1. The right to request restrictions on the use or disclosure of personal health information. You have the right to request restrictions on our use or disclosure of your personal health information for treatment, payment, or health care operations. You also have the right to restrict the personal health information we disclose about you to a family member, friend, or other person who is involved in your care or the payment for your care. We are required to agree to your agree to your requested restriction (except that while you are competent you may restrict disclosures to family members and friends), unless you have requested us to restrict disclosures to a health plan for purposes of carrying out payment or health care operations and the information to be restricted pertains solely to a health care item or service for which you (or person, other than the health plan on behalf of you) have us paid in full. If we do agree to accept your requested restriction, we must comply with your request except as needed to provide you emergency treatment.
2. The right to inspect and copy your medical or billing records or other health information. You have the right to request, either orally of in writing, your medical or billing records or other written information that may be used to make decisions about your care. If we maintain your information in an electronic record, you may obtain from us a copy of such information in an electronic format and direct us to transmit such copy directly to an entity or person designated by you. We must allow you to inspect your records within 24 hours of your request. If you request copies of the records, we must provide you with copies within 2 days of that request, in whatever format you choose, provided that the records are “readily producible” in the requested format. We may charge a reasonable fee for our costs. We may deny your request in certain limited circumstances, and, in some instances’, you will have the opportunity to request a review of the denial.
3. The right to request amendment to the information if you think it is incorrect or incomplete for as long as the information is kept by or for the facility. The request must be in writing and state the reason for the request. We may deny the request if the information:
a. Was not created by the facility, unless the originator of the information is no longer available to act on our request;
b. Is not part of the personal health information maintained by or for the facility;
c. Is not part of the information to which you have a right of access; or
d. Is already accurate and complete, as determined by the facility.
If we deny your request, we will provide you a written denial and the reason for the denial and you will have the right to submit a written statement disagreeing with the denial.
4. The right to request an accounting of our disclosures of the resident’s or employee’s personal health information. This is a listing of certain disclosures of your personal health information made by the facility or by others on our behalf, but generally will not include disclosures for treatment, payment and health care operation, disclosures made pursuant to a signed and dated authorization, or certain other exceptions allowed by law, except that if we implement the use of electronic health records, disclosures for treatment, payment and health care operations will be included in an accounting requested by you. The request must be in writing, statin a time period beginning on or after April 14, 2003 that is within six years from the date or your request (or within three years if we implement the use of electronic records). An accounting will include, if requested: the disclosure date; the name of the person or entity that received the information and address, if known; a brief description of the information disclosed; a brief statement of the purpose of the disclosure or a cop of the authorization or request; or certain summary information concerning multiple similar disclosure. If requested, we will provide one such list per year without charge; for further requests, we may charge you our costs.
5. The right to a paper copy of this Notice. You have the right to obtain a paper copy of this Notice even if you have requested to receive this Notice electronically. You may request a copy of this Notice at any time.
6. The right to request that we communicate with the resident or employee concerning personal health matters in a certain manner of at a certain location. We will accommodate reasonable requests.
We are required to notify you in the event that you unsecured protected health information (PHI) is breached. A breach is defined as the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of the PHI, but does not include unintentional acquisition, access or use of such information, inadvertent disclosure of such information within a facility, and disclosure to a person not reasonably able to retain it. “Unsecured protected health information” refers to PHI that is not secured through the use of valid encryption process approved by the Secretary of Health and human Services or the destruction of the media on which the PHI is recorded or stored. Such encryption or destruction methods are not mandated on covered entities such as outs. We will evaluate the propriety of securing PHI for our residents, and act using our own discretion. However, should any of your “unsecured” PHI held by us be “breached”, then we will notify you in the following manner:
1. We will notify you no later than 60 days after discovery of such breach via first-class mail or e-mail, if specified by you as your preference. If the breach involves the information of more than 500 individuals, we will also provide notice to prominent media outlets. We will notify the Secretary of Health and Human Services of the breach (immediately if the breach involves the information of more than 500 individuals, or in an annual notification for all other breaches).
2. Our notification to you will include:
a. A brief description of what happened, including the date of breach and date of discovery (if known);
b. A description of the types of PHI that were involved in the breach;
c. Any steps you should take to protect yourself from potential harm resulting from the breach;
d. A brief description of what we are doing to investigate the breach, mitigate harm to the resident, and protect against further breaches; and
e. Contact procedures for you to ask questions or learn additional information, which must include a toll-free telephone number, and e-mail address, Web site, or postal address.
These rights are in addition to the rights provided to our resident’s under the Resident’s Bill of Rights.
If you believe that you privacy rights have been violated, you may file a complaint in writing with the facility or with the Office of Civil Rights in the U.S. Department of Health and Human Services. To file a complaint with the facility, contact Community Services at 717-285-6117. We will not retaliate against you if you file a complaint.
We may change this policy at any time. We will promptly revise and redistribute this Notice whenever there is a material change to the uses or disclosures, your individual rights, our legal duties, or other privacy practices stated in this Notice. We reserve the right to make new provisions effective for all personal health information we have already received and for all personal health information we may obtain in the future. Revised notices will be posted in the facility. In addition, we will provide a copy of the revised Notice to all residents.
If you have any questions about this policy, please contact: Mary Turnbaugh, President, or her designee at St. Anne’s.