This Notice of Privacy Practices is being provided to you as a requirement of the Health Insurance Portability and Accountability Act (HIPAA). This notice describes how we may use and disclose your protected health information to carry out treatment, payment or health care operations and for other purposes that are permitted or required by law. It also describes your rights to access and control your protected health information in some cases. Your “protected health information” means any of your written and oral health information that is created or received by your healthcare provider, and that relates to your past, present or future physical or mental health condition.
I. Uses and disclosures of Protected Health Information.
The practice may use your protected health information for purposes of providing treatment, obtaining payment for treatment, and conducting healthcare operations. Your protected health information may be used or disclosed is otherwise permitted by HIPAA Privacy Regulations or State law. Disclosures of your protected health information for the purposes described in this Notice may be made in writing, orally, or by facsimile.
A. Treatment. We will use and disclose your protected health information to provide, coordinate, or manage your health care and any related services. This includes the coordination or management of your health care with a third party for treatment purposes. For example, we may disclose protected health information to other providers who may be treating you or consulting with your provider with respect to your care. In some cases, we may also disclose your protected health information to an outside treatment provider for purposes of the treatment activities of the other provider.
B. Payment. Your protected health information will be used, as needed, to obtain payment for the services that we provide. This may include certain communications to your health insurer to get approval for the treatment that we recommended. For example, if a hospital admission is recommended, we may need to disclose information to your health insurer to get prior approval for the hospitalization. We may also disclose protected health information to your insurance company to determine whether you are eligible for benefits or whether a particular service is covered under your health plan. In order to get payment for your services, we may also need to disclose your protected health information to your insurance company to demonstrate the medical necessity of the services or, as required by your insurance company, for utilization review. We may also disclose patient information to another provider involved in you care for the other provider’s payment activities.
C. Operations. We may use or disclose your protected health information, as necessary, for our own health care operations in order to facilitate the function of the practice and to provide quality of care to all patients, Health care operations include such activities as:
-Quality assessment and improvement activities.
-Employee review activities.
-Training programs including those in which students, trainees, or practitioners in health care learn under supervision.
-Accreditation, certification, licensing or credentialing activities.
-Review and auditing, including compliance reviews, medical reviews, legal services, and maintaining compliance programs.
-Business management and general administrative activities.
-In certain situations, we may also disclose patient information to another provider or health plan for their health care operations.
D. Other uses and disclosures. As part of treatment, payment, and healthcare operations, we may also use or disclose your protected health information for the following purposes:
-To remind you of an appointment.
-To inform you of potential treatment alternatives or options.
-To inform you of health-related benefits or services that may be of interest to you.
II. Uses and disclosures beyond treatment, payment, and health care operations permitted without authorization or opportunity to object.
Federal privacy rules allow us to use or disclose your protected health information without your permission or authorization for a number of reasons including the following:
A. When legally required. We will disclose your protected health information when we are required to do so by any Federal, State, or local law.
B. When there are risks to public health. We may disclose your protected health information for the following public activities or purposes:
-To prevent, control, or report disease, injury, or disability as permitted by law.
-To report vital events such as birth or death as permitted or required by law.
-To conduct public health surveillance, investigation and interventions as permitted or required by law.
-To collect or report adverse events and product defects, track FDA regulated products, enable product recalls, repairs or replacements to the FDA and to conduct post marketing surveillance.
-To notify a person who has been exposed to a communicable disease or who may be at risk of contracting or spreading a disease as authorized by law.
-To report an employer information about an individual who is a member of the workforce as legally permitted or required.
C. To report abuse, neglect, or domestic violence. We may notify government authorities if we believe that a patient is the victim of abuse, neglect, or domestic violence. We will make this disclosure only when specifically required or authorized by law or when the patient agrees to the disclosure.
D. To conduct health and oversight activities. We may disclose your protected health information to a health oversight agency for activities including audits; civil, administrative, or criminal investigations, proceedings, or actions; inspections; licensure or disciplinary actions; or other activities necessary for appropriate oversight as authorized by law. We will not disclose your health information if you are the subject of an investigation and your health information is not directly related to your receipt of health care or public benefits.
E. In connection with judicial and administrative proceedings. We may disclose your protected health information in the course of any judicial or administrative proceedings in response to an order of court or administrative tribunal as expressly authorized by such order or in response to a signed authorization (in a format approved by the Michigan Court Administrator).
F. For law enforcement purposes. We may disclose your protected health information to a law enforcement official for law enforcement purposes as follows:
-As required by law for reporting certain types of wounds or other physical injuries.
-Pursuant to court order, court ordered warrant, subpoena, summons or similar process.
-For the purpose of identifying or locating a suspect, fugitive, material witness or missing person. Under certain limited circumstances, when you are the victim of a crime.
-To a law enforcement official if the practice has a suspicion that your death was the result of criminal conduct.
-In an emergency in order to report a crime.
G. To coroners, funeral directors, and for organ donation. We may disclose protected health information to a coroner or medical examiner for identification purposes, to determine cause of death or for the coroner or medical examiner to perform other duties authorized by law. We may also disclose protected health information to a funeral director, as authorized by law, in order to permit the funeral director to carry out their duties. We may disclose such information in reasonable anticipation of death. Protected health information may be used and disclosed for cadaveric organ, eye or tissue donation purposes.
H. For research purposes. We may use or disclose your protected health information for research when the use or disclosure for research has been approved by an institutional review board or privacy board that has reviewed the research proposal and research protocols to address the privacy of your protected health information.
I. In the event of a serious threat to health or safety. We may, consistent with applicable law and ethical standards of conduct, use or disclose your protected health information if we believe, in good faith, that such use or disclosure is necessary to prevent or lessen a serious and imminent threat to your health or safety or to the health and safety of the public.
J. For specified governed function. In certain circumstances, the Federal regulations authorize the practice to use or disclose your protected health information to facilitate specified government functions related to military and veteran activities, national security, and intelligence activities,protective services for the President and others, medical suitability determinations, correctional institutions, and law enforcement custodial situations.
K. For worker’s compensation. The practice may release your health information to comply with the worker’s compensation laws of similar programs.III. Uses and Disclosures Permitted Without Authorizations but with Opportunity to Object. We may disclose your protected health information to your family member or a friend if it is directly relevant to the person’s involvement in your care or payment related to your care. We can also disclose your information in connection with trying to locate and notify family members or others involved in your care concerning your location, condition or death. You may object to these disclosures. If you do not object to these disclosures or we can infer from the circumstances that you do not object or we determine, in the exercise of our professional judgment, that it is in your best interest for us to make disclosure of information that is directly relevant to the person’s involvement with your care, we may disclose your protected health information as described.
III. Uses and Disclosures That You Authorize.
Other than as stated above, we will not disclose your health information other than with your written authorization. You may revoke your authorization in writing at anytime except to the extent that we have taken action in reliance upon the authorization.
IV. Your Rights.
You have the following rights regarding your health information:
1. The right to inspect and copy your protected health information. You may inspect or obtain a copy of your protected health information that is contained in a “designated record set” contains medical and billing records and any other records that your provider and the practice uses for making decisions about you. Under Federal law, however, you may inspect or copy the following records:Psychotherapy notes; information compiled in a reasonable anticipation of, or for use in civil, criminal, and administrative action or proceeding; and protected health information that is subject to a law that prohibits access to protected health information. Depending on the circumstances, you may have the right to have a decision to deny access. We may deny your request to inspect or copy your protected health information if, in our professional judgment, we determine that the access requested is likely to endanger your life or safety and that of another person, or that it is likely to cause substantial harm to another person referenced within the information. You have the right to request a review of this decision. To inspect and copy your medical information, you must submit a written request to the Privacy Office whose contact information is listed on the last pages of this Notice. If you request a copy of your information, we may charge you a fee for the costs of copying, mailing or other costs incurred by us in complying with your request. Please contact our Privacy Officer if you have questions about access to your medical record.
2. The right to request a restriction on uses and disclosures of your protected health information. You may ask us not to use or disclose certain part of your protected health information for the purposes of treatment, payment or health care operations. You may also request that we not disclose your health information to family members or friends who may be involved in your care for notification purposes as described in this Notice of Privacy Practices. Your request must state the specific restrictions requested and to whom you want the restriction to apply. The practice is not required to agree to a restriction that you may request. We will notify you if we deny your request to restriction. If the practice does agree to the requested restriction, we may not use or disclose your protected health information in violation that restriction unless it is needed to provide emergency treatment. Under certain circumstances, we may terminate our agreement to a restriction. You may request a restriction by contacting the practice.
3. The right to request to receive confidential communications from us by alternative means or at an alternative location. You have the right to request that we communicate with you in certain ways. We will accommodate reasonable requests. We may condition this accommodation by asking you for information as to how payment will be handled or specification of an alternative address or other method of contact. We will not require you to provide an explanation for your request. Requests must be made in writing to the practice.
4. The right to have your provider amend your protected health information. You may request an amendment of protected health information about you in a designated record set for as long as we maintain this information. In certain cases, we may deny your request for an amendment. If we deny your request for amendment, you have the right to file a statement of disagreement with us and we may prepare a rebuttal to your statement and will provide you with a copy of any such rebuttal.Requests for amendment must be in writing and must be directed to the practice. In this written request, you must also provide a reason to support the requested amendments.
5. The right to receive an accounting. You have the right to request an accounting of certain disclosures of you protected health information made by the practice. This right applies to disclosures for purposes other than treatment, payment of health care operations as described in this Notice of Privacy Practices. We are also not required to account for disclosures that you have requested, disclosures that you agreed to by signing an authorization form, disclosures for a facility directory, to friends or family members involved in your case, or certain other disclosures we are permitted to make without your authorization. The request for an accounting must be made in writing to the practice. The request should specify the time period sought for the accounting. We are not required to provide an accounting for disclosures that take place prior to April 14, 2003. Accounting requests may not be made for periods of time in excess of six years. We will provide the first accounting you request during any 12-month period without charge. Subsequent accounting requests may be subject to a reasonable cost-based fee.
6. The right to obtain a paper copy of this notice. Upon request, we will provide a separate paper copy of this notice even if you have already received a copy of the notice or have agreed to accept this notice electronically.
V. Our Duties.
The practice is required by law to maintain the privacy of your health information and to provide you with this Notice of our duties and privacy practices. We are required to abide by terms of this Notice as may be amended from time to time. We reserve the right to change the terms of this Notice and to make the new Notice provisions effective for all protected health information that we maintain. If the practice changes in Notice, we will provide a copy of the revised Notice by sending a copy of the Revised Notice via regular mail or through in person contact.
VI. Complaints.
You have the right to express complaints to the Practice and to the Secretary of Health and Human Services if you believe that your privacy rights have been violated. You may complain to the Practice by contacting the practices’ Privacy Officer verbally or in writing, using the contact information below. We encourage you to express any concerns you may have regarding the privacy of your information. You will not be retaliated against in any way for filing a complaint.
VII. Contact Person.
The Practice’s contact person for all issues regarding patient privacy and your rights under Federal privacy standards is your therapist, supervised by Dr. Denise Brooks, LP. Information regarding matters covered by this Notice can be requested by contacting said therapist.
Complaints against the practice can be mailed to:
Stepping Stones Wellness Center, PLLC
595 Forest Street, Suite 7A
Plymouth, MI 48170
VIII. Confidentiality of Substance Use Disorder Information.
Federal law provides special protections for the confidentiality of records relating to Substance Use Disorder (SUD) diagnosis, treatment, or referral for treatment. These records are protected by 42 C.F.R. Part 2 and may not be used or disclosed except as permitted by those regulations. Part 2 protections apply in addition to the HIPAA Privacy Rule; when the two laws differ, the stricter rule governs.
A. Protected SUD information identifies you as having a Substance Use Disorder, having been diagnosed or treated for a Substance Use Disorder, or having been referred for SUD treatment. Except as expressly permitted by Part 2, we may not disclose this information without your written consent.
B. We may use or disclose SUD information without your authorization only in the following limited circumstances:
1. Medical Emergencies. We may disclose SUD information to medical personnel to the extent necessary to treat a condition that poses an immediate threat to your health or to the health or safety of another person.
2. Research. We may disclose SUD information for scientific research when the researcher meets all requirements under Part 2, including approval by an institutional review board and compliance with appropriate safeguards.
3. Audit and Evaluation Activities. We may disclose SUD information to persons or entities performing audits or evaluations of the practice, including federal or state agencies, third-party payers, or quality assurance organizations, as permitted under Part 2.
4. Qualified Service Providers. We may disclose SUD information to contractors or service providers who assist in the operation of the practice, provided they are bound by written agreements that meet all requirements of Part 2.
5. Court Order. We may disclose SUD information only when ordered by a court of competent jurisdiction following procedures and findings required by Part 2. A subpoena, search warrant, or other form of legal process does not, by itself, authorize disclosure of SUD information.
6. Crimes on Program Premises or Against Program Personnel. We may disclose limited information relating to crimes or threats of crimes committed on program premises or against staff, consistent with Part 2.
C. Except for the circumstances listed above, we will not disclose your SUD information without your written consent. Any consent you provide must meet the specific requirements of 42 C.F.R. Part 2, including identifying the information to be disclosed, the purpose of the disclosure, the recipient, and an expiration date or event. You may revoke your consent at any time, except to the extent that action has already been taken in reliance on the consent.
D. Any disclosure we make under Part 2 must include the following written statement prohibiting redisclosure:
“This information has been disclosed to you from records protected by Federal confidentiality rules (42 C.F.R. Part 2). The Federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by 42 C.F.R. Part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. The Federal rules restrict any use of the information to criminally investigate or prosecute any substance use disorder patient.”
E. We are prohibited from using SUD information to initiate or substantiate criminal charges against you. Law enforcement officials may not obtain SUD treatment records unless Part 2 requirements—including a specialized court order—are met.
F. Your rights regarding access, amendment, restrictions, and accounting of disclosures apply to SUD information in a manner consistent with both HIPAA and Part 2. When these laws differ, the more protective standard controls.
ELECTRONIC RECORDS DISCLOSURE
Stepping Stones Wellness Center, PLLC (SSWC) keeps and stores records for clients in a record-keeping system produced and maintained by TherapyNotes. This system is “cloud-based,” meaning the records are stored on servers which are connected to the Internet.
Here are the ways in which the security of these records is maintained: SSWC has entered into a HIPAA Business Associate Agreement with TherapyNotes. Because of this agreement, TherapyNotes, is obligated by federal law to protect these records from unauthorized use or disclosure. The computers on which client records are stored are kept in secure data centers, where various physical security measures are used to maintain the protection of the computers from physical access by unauthorized persons. TherapyNotes employs technical security measures to maintain the protection of client records from unauthorized use or disclosure.
SSWC has its own security measures for protecting the devices that are used to access client records
-On computers: SSWC employs firewalls, antivirus software, passwords, and disk encryption to protect computers from unauthorized access and thus to protect records from unauthorized access.
-On mobile devices: SSWC uses passwords, remote tracking, and remote to maintain the security of the device and prevent unauthorized persons from using it to access client records.
Here are things to keep in mind about the SSWC record-keeping system:
-While SSWC’s record-keeping company uses security measures to protect these records, their security cannot be guaranteed.
-Some workforce members at TherapyNotes, such as engineers and administrators, may have the ability to access records for the purpose of maintaining the system itself. As a HIPAA Business Associate,
TherapyNotes is obligated by law to train their staff on the proper maintenance of confidential records and to prevent misuse or unauthorized disclosure of these records. However, this protection cannot be
guaranteed.
The SSWC record-keeping company keeps a log of system transactions for various purposes, including maintaining the integrity of the records and allowing for security audits. These transactions are kept for 7 (seven years) as required by the APA Ethical Code and the laws of the State of Michigan.
This Notice is effective July 15, 2016.