January 24, 2020
THIS NOTICE DESCRIBES HOW YOUR MEDICAL INFORMATION MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
The CMDPN Medical Groups listed at the bottom of this notice (“CirrusMD Medical Groups” or “We”) respect the privacy of each and every one of our patients and are committed to protecting all of your protected health information (“PHI”) under the Health Insurance Portability and Accountability Act (“HIPAA”) and applicable state law.
As part of our commitment and legal compliance, we are providing you with this Notice of Privacy Practices (Notice). This Notice describes:
- Our legal duties and privacy practices regarding your PHI, including our duty to notify you following a data breach of your unsecured PHI.
- Our permitted uses and disclosures of your PHI.
- Your rights regarding your PHI.
INTRODUCTION AND BACKGROUND
CirrusMD Medical Groups are physician-owned medical groups engaged in the business of providing remote healthcare services through duly licensed health care professionals both synchronously and asynchronously via secure chat, video, interactive audio and store and forward technologies.
Our Uses and Disclosures
As described further below, we may use and disclose your information as we:
- Treat you.
- Bill for services.
- Run our organization.
- Do research.
- Comply with the law.
- Respond to organ and tissue donation requests.
- Work with a medical examiner or funeral director.
- Address workers' compensation, law enforcement, or other government requests.
- Respond to lawsuits and legal actions
As described further below, you have some choices about how we use and share information as we:
- Communicate with you.
- Tell family and friends about your condition.
- Provide disaster relief.
- Provide mental health care.
- Market our services and/or sell your information.
As described further below, you have the right to:
- Get a copy of your protected health information.
- Correct your protected health information.
- Ask us to limit the information we share, in some cases.
- Get a list of those with whom we've shared your information.
- Request confidential communication.
- Choose someone to act for you.
- Get a copy of this notice of privacy practices.
- File a complaint if you believe we have violated your privacy rights.
If you have any questions about this Notice, please contact firstname.lastname@example.org
- Is health information about you: Which someone may use to identify you; and Which we keep or transmit in electronic, oral, or written form.
- Includes information such as your: Name; Contact information; Past, present, or future physical or mental health or medical conditions; Payment for health care products or services; or Prescriptions
- Excludes employment records that your employer may hold.
We create a record of the care and health services you receive, to provide your care, and to comply with certain legal requirements. This Notice applies to all the PHI that we generate.
We follow and our employees and other workforce members follow the duties and privacy practices that this Notice describes and any changes once they take effect.
CHANGES TO THIS NOTICE
We can change the terms of this Notice, and the changes will apply to all information we have about you. The new notice will be available on request and on applicable program websites.
DATA BREACH NOTIFICATION
You may have the right to be notified in the event of unpermitted access or use of your unsecured PHI. If the law requires that we notify you, then we will within the legally required time frame. Most of the time, we will notify you in writing, by first-class mail, or we may email you if you have provided us with your current email address. In some circumstances, our business associates, which are described in more detail below, may provide the notification. In limited circumstances when we have insufficient or out-of-date contact information, we may provide notice in a legally acceptable alternative form.
ORGANIZED HEALTH CARE ARRANGEMENTS
The CirrusMD Medical Groups participate in an organized health care arrangement (OHCA) among them as defined by HIPAA. An OCHA allows us to:
- Collectively provide health care services among the CirrusMD Medical Group.
- Share patients' PHI to support the participating entities' joint operations.
The OHCA includes all of the CirrusMD Medical Groups listed at the bottom of this Notice and the CirrusMD Medical Groups t share health information with each other for treatment, payment, and health care operations.
USES AND DISCLOSURES OF YOUR PHI
The law permits or requires us to use or disclose your PHI for various reasons, which we explain in this Notice. We have included some examples, but we have not listed every permissible use or disclosure. When using or disclosing PHI or requesting your PHI from another source, we will make reasonable efforts to limit our use, disclosure, or request about your PHI to the minimum we need to accomplish our intended purpose.
USES AND DISCLOSURES FOR TREATMENT, PAYMENT, OR HEALTH CARE OPERATIONS
We may use or disclose your PHI and share it with other professionals who are treating you, including doctors, nurses, technicians, medical students, or hospital personnel involved in your care. For example, we might disclose information about your overall health condition with physicians who are treating you for a specific injury or condition.
We may use and disclose your PHI to bill and get payment from health plans or others. For example, we share your PHI with your health insurance plan so it will pay for the services you receive.
Health Care Operations.
We may use and disclose your PHI to run our practice and improve your care. For example, we may use your PHI to manage the services you receive or to monitor the quality of our health care services.
OTHER USES AND DISCLOSURES
We may share your information in other ways, usually for public health or research purposes or to contribute to the public good. For more information on permitted uses and disclosures, see www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html. For example, these other uses and disclosures may involve:
Our Business Associates.
We may use and disclose your PHI to outside persons or entities that perform services on our behalf, such as auditing, legal, or transcription (Business Associates). The law requires our business associates and their subcontractors to protect your PHI in the same way we do. We also contractually require these parties to use and disclose your PHI only as permitted and to appropriately safeguard your PHI.
Health Information Exchanges.
We may participate in health information exchanges (HIEs), which support electronic information sharing among members for treatment, payment, and health care operations purposes. Individuals may opt-out of HIEs. We will use reasonable efforts to limit the sharing of PHI in these electronic sharing activities for individuals who have opted out. If you would like to opt out, please contact email@example.com.
For example, we will share your PHI if the Department of Health and Human Services requires it when investigating our compliance with privacy laws.
Public Health and Safety Activities.
For example, we may share your PHI to:
- Report injuries, births, and deaths;
- Prevent disease;
- Report adverse reactions to medications or medical device product defects;
- Report suspected child neglect or abuse or domestic violence; or
- Avert a serious threat to public health or safety.
Responding to Legal Actions.
For example, we may share your PHI to respond to:
- A court or administrative order or subpoena;
- Discovery request; or
- Another lawful process.
For example, we may share your PHI for some types of health research that do not require your authorization, such as if an institutional review board (IRB) has waived the written authorization requirement.
Medical Examiners or Funeral Directors.
For example, we may share PHI with coroners, medical examiners, or funeral directors when an individual dies.
Workers' Compensation, Law Enforcement, or Other Government Requests.
For example, we may use and disclose your PHI for:
- Workers' compensation claims;
- Health oversight activities by federal or state agencies;
- Law enforcement purposes or with a law enforcement official; or
- Specialized government functions, such as military and veterans' activities, national security and intelligence, presidential protective services, or medical suitability.
For certain health information, you can tell us your choices about what we share. If you have a clear preference for how we share your information in the situations described below, please contact us at firstname.lastname@example.org and we will make reasonable efforts to follow your instructions.
You have both the right and choice to tell us whether to:
- Share information, such as your PHI, general condition, or location, with your family, close friends, or others involved in your care.
- Share information in a disaster relief situation, such as to a relief organization to assist with locating or notifying your family, close friends, or others involved in your care.
We may share your information if we believe it is in your best interest, according to our best judgment, and:
- If you are unable to tell us your preference, for example, if you are unconscious or unresponsive.
- When needed to lessen a serious and imminent threat to health or safety.
USES AND DISCLOSURES THAT REQUIRE AUTHORIZATION
In these cases we will only share your information if you give us written permission:
- Certain types of marketing.
- Selling or otherwise receiving compensation for disclosing your PHI.
- Certain research activities.
- Other uses and disclosures not described in this Notice.
You may revoke your authorization at any time, but it will not affect information that we already used and disclosed.
When it comes to your health information, you have certain rights. This section explains your rights and some of our responsibilities to help you.
You have the right to:
- Inspect and Obtain a Copy of Your PHI. You have the right to see or obtain a copy of the PHI that we maintain about you (right to request access). Some clarifications about your access rights:
- You always have access to your chats and progress notes in your account. If you would like to receive that PHI directly from us as opposed to accessing it yourself, we require you to make such access requests in writing by sending an email to email@example.com.
- You may request that we provide a copy of your PHI to a family member, another person, or a designated entity. We require that you submit these requests in writing by emailing firstname.lastname@example.org and we will send you a form to complete and return to us.
- You may request that we direct a copy of your PHI to a third party of your choice on a standing, regular basis. We require that you submit these requests in writing by emailing email@example.com and we will send you a form to complete and return to us.
- If you request a copy of your PHI, we will generally decide to provide or deny access within 30 days, however, if we cannot act within 30 days, we will give you a reason for the delay in writing and when you can expect us to act on your request.
- We may deny your request for access in certain limited circumstances, however, if we deny your access request, we will provide a written denial with the basis for our decision and explain your rights to appeal or file a complaint.
- Make Amendments. You may ask us to correct or amend PHI that we maintain about you that you think is incorrect or inaccurate. For these requests:
- You must submit requests in writing by emailing firstname.lastname@example.org. You should specify the inaccurate or incorrect PHI, and provide a reason that supports your request. We may request that you complete a form or provide additional information to process your request.
- We will generally decide to grant or deny your request within 60 days. If we cannot act within 60 days, we will give you a reason for the delay in writing and include when you can expect us to complete our decision, which will be no longer than an additional 30 days. We will only ask for an extension once in response to a request.
- We may deny your request for an amendment if you ask us to amend PHI that is not part of our record, that we did not create, that is not part of a designated record set, or that is accurate and complete.
- If we deny your request, we will tell you why in writing. You will have the right to submit a written statement disagreeing with the denial and, if you opt not to submit this statement, you may request that we provide your original request for amendment and the denial with any future disclosures of PHI subject to the amendment. However, we may prepare a written rebuttal to any individual's statement of disagreement that may also be included in any future disclosures.
- We will append the material created or submitted in accordance with this paragraph to your designated record.
- Request Additional Restrictions. You have the right to ask us to limit what we use or share about your PHI (right to request restrictions). You can contact us and request us not to use or share certain PHI for treatment, payment, or operations or with certain persons involved in your care. We require that you submit this request in writing to email@example.com. For these requests we are not required to agree, but will consider your request.
- Request an Accounting of Disclosures. You have the right to request an accounting of certain PHI disclosures that we have made. We require that you submit this request in writing to firstname.lastname@example.org. For these requests:
- We will respond no later than 60 days after receiving the request. We may ask for an additional 30 days during this 60-day period, but if we do, we will only do it once, provide a written statement of why, and indicate the date by which we intend to send the response;
- We will include all the disclosures except for those about treatment, payment, and health care operations, and certain other disclosures, such as any you asked us to make; and
- We will provide one accounting a year for free, but will charge a reasonable, cost-based fee, if you ask for another one within 12 months. We will notify you about the costs in advance and you may choose to withdraw or modify your request at that time.
- Choose Someone to Act for You. If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your PHI.
- Request Confidential Communications. You have the right to request that we communicate with you about health matters in a certain way or at a certain location. We require that you make this request in writing to email@example.com. For example, you can ask that we only contact you at work or at a specific address. For these requests:
- You must specify how or where you wish to be contacted; and
- We will accommodate reasonable requests.
- Make Complaints. You have the right to complain if you feel we have violated your rights. We will not retaliate against you for filing a complaint. You may either file a complaint:
- Directly with us by contacting the CirrusMD Medical Group Privacy Officer. All complaints must be submitted in writing to firstname.lastname@example.org ; or
- With the Office for Civil Rights at the US Department of Health and Human Services. Please visit www.hhs.gov/ocr/privacy/hipaa/complaints/ for information on how to do submit such a complaint.
CMDPN Medical Group of Delaware, P.A.
CMDPN Medical Group of Illinois, S.C.
CMDPN Medical Group of New Jersey, P.C.
CMDPN Medical Group of Texas, P.A.
CMDPN Medical Group of Washington, P.C.
Wallace Blake McKinney Medical Group of California, P.C.