CirrusMD Medical Groups’ Notice of Privacy Practices

LATEST REVISION

January 24, 2020

THIS NOTICE DESCRIBES HOW YOUR MEDICAL INFORMATION MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

The CMDPN Medical Groups listed at the bottom of this notice (“CirrusMD Medical Groups” or “We”) respect the privacy of each and every one of our patients and are committed to protecting all of your protected health information (“PHI”) under the Health Insurance Portability and Accountability Act (“HIPAA”) and applicable state law.

As part of our commitment and legal compliance, we are providing you with this Notice of Privacy Practices (Notice). This Notice describes:

Our legal duties and privacy practices regarding your PHI, including our duty to notify you following a data breach of your unsecured PHI.
Our permitted uses and disclosures of your PHI.
Your rights regarding your PHI.

INTRODUCTION AND BACKGROUND

CirrusMD Medical Groups are physician-owned medical groups engaged in the business of providing remote healthcare services through duly licensed health care professionals both synchronously and asynchronously via secure chat, video, interactive audio and store and forward technologies.

For clarity, although they share similar names, the CirrusMD Medical Groups are separate legal entities from CirrusMD Inc. and CMDPN, LLC. CirrusMD Inc. and CMDPN, LLC are not health care providers or covered entities as defined in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). CMDPN, LLC and CirrusMD Inc. act as business associates to the CMDPN Medical Groups. Accordingly, any PHI that CMDPN, LLC and CirrusMD Inc. receive or maintain on behalf the CMDPN Medical Groups is generally subject to this Notice and agreements we have in place with CMDPN, LLC and CirrusMD Inc. CMDPN, LLC and CirrusMD Inc., however, may have other relationships and business arrangements that are independent of the CMDPN Medical Groups and any information about you they receive, create or maintain pursuant to those separate relationships would be governed by the CirrusMD Inc. and CMDPN, LLC privacy policy to which CMDPN Medical Group is not a party.

Our Uses and Disclosures

As described further below, we may use and disclose your information as we:

Treat you.
Bill for services.
Run our organization.
Do research.
Comply with the law.
Respond to organ and tissue donation requests.
Work with a medical examiner or funeral director.
Address workers' compensation, law enforcement, or other government requests.
Respond to lawsuits and legal actions

Your Choices

As described further below, you have some choices about how we use and share information as we:

Communicate with you.
Tell family and friends about your condition.
Provide disaster relief.
Provide mental health care.
Market our services and/or sell your information.

Your Rights

As described further below, you have the right to:

Get a copy of your protected health information.
Correct your protected health information.
Ask us to limit the information we share, in some cases.
Get a list of those with whom we've shared your information.
Request confidential communication.
Choose someone to act for you.
Get a copy of this notice of privacy practices.
File a complaint if you believe we have violated your privacy rights.

CONTACT

If you have any questions about this Notice, please contact privacy@cirrusmd.com

PHI DEFINED

Your PHI:

Is health information about you: Which someone may use to identify you; and Which we keep or transmit in electronic, oral, or written form.
Includes information such as your: Name; Contact information; Past, present, or future physical or mental health or medical conditions; Payment for health care products or services; or Prescriptions
Excludes employment records that your employer may hold.

SCOPE

We create a record of the care and health services you receive, to provide your care, and to comply with certain legal requirements. This Notice applies to all the PHI that we generate.

We follow and our employees and other workforce members follow the duties and privacy practices that this Notice describes and any changes once they take effect.

CHANGES TO THIS NOTICE

We can change the terms of this Notice, and the changes will apply to all information we have about you. The new notice will be available on request and on applicable program websites.

DATA BREACH NOTIFICATION

You may have the right to be notified in the event of unpermitted access or use of your unsecured PHI. If the law requires that we notify you, then we will within the legally required time frame. Most of the time, we will notify you in writing, by first-class mail, or we may email you if you have provided us with your current email address. In some circumstances, our business associates, which are described in more detail below, may provide the notification. In limited circumstances when we have insufficient or out-of-date contact information, we may provide notice in a legally acceptable alternative form.

ORGANIZED HEALTH CARE ARRANGEMENTS

The CirrusMD Medical Groups participate in an organized health care arrangement (OHCA) among them as defined by HIPAA. An OCHA allows us to:

Collectively provide health care services among the CirrusMD Medical Group.
Share patients' PHI to support the participating entities' joint operations.

The OHCA includes all of the CirrusMD Medical Groups listed at the bottom of this Notice and the CirrusMD Medical Groups t share health information with each other for treatment, payment, and health care operations.

USES AND DISCLOSURES OF YOUR PHI

The law permits or requires us to use or disclose your PHI for various reasons, which we explain in this Notice. We have included some examples, but we have not listed every permissible use or disclosure. When using or disclosing PHI or requesting your PHI from another source, we will make reasonable efforts to limit our use, disclosure, or request about your PHI to the minimum we need to accomplish our intended purpose.

USES AND DISCLOSURES FOR TREATMENT, PAYMENT, OR HEALTH CARE OPERATIONS

Treatment.
We may use or disclose your PHI and share it with other professionals who are treating you, including doctors, nurses, technicians, medical students, or hospital personnel involved in your care. For example, we might disclose information about your overall health condition with physicians who are treating you for a specific injury or condition.

Payment.
We may use and disclose your PHI to bill and get payment from health plans or others. For example, we share your PHI with your health insurance plan so it will pay for the services you receive.

Health Care Operations.
We may use and disclose your PHI to run our practice and improve your care. For example, we may use your PHI to manage the services you receive or to monitor the quality of our health care services.

OTHER USES AND DISCLOSURES

We may share your information in other ways, usually for public health or research purposes or to contribute to the public good. For more information on permitted uses and disclosures, see www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html. For example, these other uses and disclosures may involve:

Our Business Associates.
We may use and disclose your PHI to outside persons or entities that perform services on our behalf, such as auditing, legal, or transcription (Business Associates). The law requires our business associates and their subcontractors to protect your PHI in the same way we do. We also contractually require these parties to use and disclose your PHI only as permitted and to appropriately safeguard your PHI.

Health Information Exchanges.
We may participate in health information exchanges (HIEs), which support electronic information sharing among members for treatment, payment, and health care operations purposes. Individuals may opt-out of HIEs. We will use reasonable efforts to limit the sharing of PHI in these electronic sharing activities for individuals who have opted out. If you would like to opt out, please contact privacy@cirrusmd.com.

Legal Compliance.
For example, we will share your PHI if the Department of Health and Human Services requires it when investigating our compliance with privacy laws.

Public Health and Safety Activities.
For example, we may share your PHI to:

Report injuries, births, and deaths;
Prevent disease;
Report adverse reactions to medications or medical device product defects;
Report suspected child neglect or abuse or domestic violence; or
Avert a serious threat to public health or safety.

Responding to Legal Actions.
For example, we may share your PHI to respond to:

A court or administrative order or subpoena;
Discovery request; or
Another lawful process.

Research.
For example, we may share your PHI for some types of health research that do not require your authorization, such as if an institutional review board (IRB) has waived the written authorization requirement.

Medical Examiners or Funeral Directors.
For example, we may share PHI with coroners, medical examiners, or funeral directors when an individual dies.

Workers' Compensation, Law Enforcement, or Other Government Requests.
For example, we may use and disclose your PHI for:

Workers' compensation claims;
Health oversight activities by federal or state agencies;
Law enforcement purposes or with a law enforcement official; or
Specialized government functions, such as military and veterans' activities, national security and intelligence, presidential protective services, or medical suitability.

YOUR CHOICES

For certain health information, you can tell us your choices about what we share. If you have a clear preference for how we share your information in the situations described below, please contact us at privacy@cirrusmd.com and we will make reasonable efforts to follow your instructions.

You have both the right and choice to tell us whether to:

Share information, such as your PHI, general condition, or location, with your family, close friends, or others involved in your care.
Share information in a disaster relief situation, such as to a relief organization to assist with locating or notifying your family, close friends, or others involved in your care.

We may share your information if we believe it is in your best interest, according to our best judgment, and:

If you are unable to tell us your preference, for example, if you are unconscious or unresponsive.
When needed to lessen a serious and imminent threat to health or safety.

USES AND DISCLOSURES THAT REQUIRE AUTHORIZATION

In these cases we will only share your information if you give us written permission:

Certain types of marketing.
Selling or otherwise receiving compensation for disclosing your PHI.
Certain research activities.
Other uses and disclosures not described in this Notice.

You may revoke your authorization at any time, but it will not affect information that we already used and disclosed.

YOUR RIGHTS

When it comes to your health information, you have certain rights. This section explains your rights and some of our responsibilities to help you.

You have the right to:

Inspect and Obtain a Copy of Your PHI. You have the right to see or obtain a copy of the PHI that we maintain about you (right to request access). Some clarifications about your access rights:
You always have access to your chats and progress notes in your account. If you would like to receive that PHI directly from us as opposed to accessing it yourself, we require you to make such access requests in writing by sending an email to privacy@cirrusmd.com.
You may request that we provide a copy of your PHI to a family member, another person, or a designated entity. We require that you submit these requests in writing by emailing privacy@cirrusmd.com and we will send you a form to complete and return to us.
You may request that we direct a copy of your PHI to a third party of your choice on a standing, regular basis. We require that you submit these requests in writing by emailing privacy@cirrusmd.com and we will send you a form to complete and return to us.
If you request a copy of your PHI, we will generally decide to provide or deny access within 30 days, however, if we cannot act within 30 days, we will give you a reason for the delay in writing and when you can expect us to act on your request.
We may deny your request for access in certain limited circumstances, however, if we deny your access request, we will provide a written denial with the basis for our decision and explain your rights to appeal or file a complaint.
Make Amendments. You may ask us to correct or amend PHI that we maintain about you that you think is incorrect or inaccurate. For these requests:
You must submit requests in writing by emailing privacy@cirrusmd.com. You should specify the inaccurate or incorrect PHI, and provide a reason that supports your request. We may request that you complete a form or provide additional information to process your request.
We will generally decide to grant or deny your request within 60 days. If we cannot act within 60 days, we will give you a reason for the delay in writing and include when you can expect us to complete our decision, which will be no longer than an additional 30 days. We will only ask for an extension once in response to a request.
We may deny your request for an amendment if you ask us to amend PHI that is not part of our record, that we did not create, that is not part of a designated record set, or that is accurate and complete.
If we deny your request, we will tell you why in writing. You will have the right to submit a written statement disagreeing with the denial and, if you opt not to submit this statement, you may request that we provide your original request for amendment and the denial with any future disclosures of PHI subject to the amendment. However, we may prepare a written rebuttal to any individual's statement of disagreement that may also be included in any future disclosures.
We will append the material created or submitted in accordance with this paragraph to your designated record.
Request Additional Restrictions. You have the right to ask us to limit what we use or share about your PHI (right to request restrictions). You can contact us and request us not to use or share certain PHI for treatment, payment, or operations or with certain persons involved in your care. We require that you submit this request in writing to privacy@cirrusmd.com. For these requests we are not required to agree, but will consider your request.
Request an Accounting of Disclosures. You have the right to request an accounting of certain PHI disclosures that we have made. We require that you submit this request in writing to privacy@cirrusmd.com. For these requests:
We will respond no later than 60 days after receiving the request. We may ask for an additional 30 days during this 60-day period, but if we do, we will only do it once, provide a written statement of why, and indicate the date by which we intend to send the response;
We will include all the disclosures except for those about treatment, payment, and health care operations, and certain other disclosures, such as any you asked us to make; and
We will provide one accounting a year for free, but will charge a reasonable, cost-based fee, if you ask for another one within 12 months. We will notify you about the costs in advance and you may choose to withdraw or modify your request at that time.
Choose Someone to Act for You. If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your PHI.
Request Confidential Communications. You have the right to request that we communicate with you about health matters in a certain way or at a certain location. We require that you make this request in writing to privacy@cirrusmd.com. For example, you can ask that we only contact you at work or at a specific address. For these requests:
You must specify how or where you wish to be contacted; and
We will accommodate reasonable requests.
Make Complaints. You have the right to complain if you feel we have violated your rights. We will not retaliate against you for filing a complaint. You may either file a complaint:
Directly with us by contacting the CirrusMD Medical Group Privacy Officer. All complaints must be submitted in writing to privacy@cirrusmd.com ; or
With the Office for Civil Rights at the US Department of Health and Human Services. Please visit www.hhs.gov/ocr/privacy/hipaa/complaints/ for information on how to do submit such a complaint.

CMDPN Medical Group of Delaware, P.A.

CMDPN Medical Group of Illinois, S.C.

CMDPN Medical Group of New Jersey, P.C.

CMDPN Medical Group of Texas, P.A.

CMDPN Medical Group of Washington, P.C.

Wallace Blake McKinney Medical Group of California, P.C.

Expanding the Value of Virtual Care in Today’s Healthcare Environment

Retailer Benefits by Providing Virtual Care to Uninsured and Unenrolled Workers

CirrusMD Continues National Expansion of VA Health Chat, Improving Care Access for over 5.1 Million Veterans Across the U.S.

CirrusMD Study Reveals 45% Average Reduction in Employee Turnover For National Retailer Whose Workers Used Its Virtual Care Solution