Wichita Dermatology & Aesthetics Review Our HIPAA Policy
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN OBTAIN ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
THIS NOTICE IS FOR YOUR INFORMATION. NO RESPONSE IS REQUIRED.
Effective Date: August 2016
How We May Use and Disclose Your PHI
The following categories describe different ways that we are permitted to use and disclose your PHI. To the extent state law requires your consent to these disclosures, we would not make the disclosure without first obtaining your consent. If state law does not require your consent, we are permitted to use and disclose your PHI for these purposes without a consent or authorization. For example, Kansas law requires disclosure of positive HIV or AIDS tests and other infectious diseases to certain public health officials and those who may come in contact with bodily fluids, such as other healthcare providers and law enforcement or corrections officers. State law also allows us to disclose HIV or AIDS information to a patient’s spouse or partner who we have reason to believe is unaware of such exposure or risk of exposure. The information must be kept confidential by those to whom we are required or allowed to disclose it. Other state laws regarding disclosure include, but are not limited to, reporting abuse of children, reporting mental health or infectious diseases to the department of corrections, and requiring written consent for the disclosure of mental health and alcohol or substance abuse records in many circumstances. These state law requirements are state-law-specific examples of the following permitted uses of your PHI.
For Appointment Reminders and Treatment Alternatives
We may use information about you to provide you with medical treatment or services. We may disclose health information about you to doctors, nurses, technicians, medical students, or other personnel who are involved in taking care of you at the office of Wichita Dermatology & Aesthetics. For example, a doctor treating you for a broken leg may need to know if you have diabetes because diabetes may slow the healing process. In addition, the doctor may need to tell the dietitian if you have diabetes so that we can arrange for appropriate meals. Different departments may also share health information about you in order to coordinate the different things you need, such as prescriptions, lab work, and x-rays. We may also disclose health information about you to other health care providers who request such information for purposes of providing medical treatment to you.
We may use and disclose your PHI to treat you. Examples of the use of your PHI for treatment purposes are recording information about you in a health record or consulting with another provider regarding your care.
We may use and disclose your PHI for our payment purposes. An example of such a disclosure is providing your insurer information about services you received so that it will pay us or reimburse you for those services. We may also disclose your PHI to others as authorized by HIPAA for their payment purposes.
For Health Care Operations
We may use and disclose your PHI for various operational purposes. For example, your PHI may be disclosed to risk or quality improvement personnel to evaluate our performance in caring for you. In addition, we may disclose your PHI to others as authorized by HIPAA for their operational purposes.
To Others Involved in Your Healthcare
We have policies and procedures that provide for the release of information about your care or payment for such care to a member of your family, a relative, a close friend, or any other person involved in your care or payment for your care when you are not present or able to give authorization for the release of information. If you are present for such a disclosure (whether in person or on a telephone call), we will either seek your verbal agreement to the disclosure or provide you an opportunity to object to it.
As Required by Law
We may use or disclose your PHI to the extent we are required to do so by federal, state, or local law. For example, we may disclose your PHI for the following purposes: (i) judicial and administrative proceedings pursuant to legal authority; (ii) to report information related to victims of abuse, neglect or domestic violence; (iii) to assist law enforcement officials in their law enforcement duties; and/or (iv) to provide legally required notices of unauthorized access to or disclosure of your PHI.
For Public Health Activities
We may disclose your PHI for public health activities such as assisting public health authorities or other legal authorities to prevent or control disease, injury, or disability or for other health oversight activities authorized by law.
For Health and Safety
We may use or disclose your PHI if we, in good faith, believe it is necessary to prevent or lessen a serious and imminent threat to your health or safety or to the health or safety of others. Any disclosure, however, would only be made to someone reasonably able to help prevent or lessen the threat.
We may disclose your PHI to a correctional institution or law enforcement official if you are in their custody if the disclosure is necessary for certain purposes, including the provision of your healthcare and the safety and health of others.
Information may be shared with third party “business associates” that perform various activities on our behalf. Whenever such an arrangement involves the use or disclosure of your PHI, we will have a written contract with such third party that contains terms designed to protect the privacy of your PHI.
We may disclose your protected health information as authorized to comply with workers’ compensation laws and other similar legally established programs.
Other Uses and Disclosures of Health Information
We can use and disclose your PHI for the following other purposes: (i) organ donation; (ii) to coroners; (iii) research; and (iv) government functions. We may use or disclose your PHI, as necessary, in order to contact you for fundraising activities. You have the right to opt out of receiving fundraising communications. However, these are not uses or disclosures that we would typically make.
Other Uses and Disclosures Require Your Written Authorization
The following uses and disclosures of your PHI will be made only with your written authorization: (i) most uses and disclosures of psychotherapy notes; (ii) uses and disclosures of PHI for marketing purposes; and (iii) disclosures that constitute a sale of your PHI. Other uses and disclosures of health information not covered by this notice or the laws that apply to our office will be made only with your written authorization. You may revoke this authorization at any time in writing, except to the extent that action has already been taken in reliance on the use or disclosure permitted by the authorization. If you revoke your authorization, we will no longer use or disclose your PHI for the reasons covered by your written authorization. Of course, we are unable to take back any disclosures we have already made with your permission.
Your Rights Regarding Your PHI
Right to Request Restrictions
You have the right to request that we place restrictions on the way we use and disclose your PHI for treatment, payment or healthcare operations or as described in the section of this notice entitled “To Others Involved in Your Healthcare.” You must make your request for restrictions in writing on the form provided by our office. However, we are not required to agree to these restrictions, except that we must comply with a requested restriction if (i) the disclosure is to a health plan for purposes of carrying out payment or health care operations (and is not for purposes of carrying out treatment), except as otherwise required by law and (ii) the PHI pertains solely to a health care item or service for which we have been paid out of pocket in full. If we do agree to a requested restriction, we may not use or disclose your PHI in violation of that restriction unless it is needed for an emergency.
You have the right to ask us to communicate with you about your PHI by alternative means or to alternative locations. You must make your confidential communication request in writing on the form provided by our office. We must accommodate any reasonable request for confidential communications.
Access to PHI
You have the right to look at or receive a copy of your PHI contained in a “designated record set,” with a few exceptions. You must make your request in writing on the form provided by our office and provide us with the specific information we need to fulfill your request. We may deny your request in certain limited circumstances, and in some cases, you may have the right to have the denial reviewed by a licensed health care professional who was not involved with the initial denial of the request.
Amendment of PHI
You have the right to request that we amend any PHI about you that is contained in a “designated record set” and which is incomplete or inaccurate. You must make your request for amendment in writing on the form provided by our office. If we agree that the original information was incomplete or inaccurate, we will correct our records. If we do not agree, you may submit a short statement of dispute, which we will include in any future disclosure of your PHI or, alternatively, you may request that we provide your request for amendment and the denial of such request with any future disclosures of the PHI at issue. We have the right to prepare a rebuttal to any statement of dispute submitted by you.
Accounting of Certain Disclosures
You have the right to request that we provide you with an accounting of certain disclosures we have made of your PHI by making a request in writing on the form provided by our office. The written request must state the time period desired for the accounting, which must be less than a 6-year period for paper records and which must be less than a 3-year period for electronic health records.
Right to a Paper Copy of This Notice
You have the right to a paper copy of this notice. You may ask us to give you a copy of this notice at any time.
To obtain the forms necessary to exercise your rights, contact the HIPAA Privacy Officer at (316) 682-7546. All completed request forms should be sent to Wichita Dermatology & Aesthetics, Attn: HIPAA Privacy Officer, 1911 N. Webb, Wichita, Kansas 67206.
Right to Receive Notice of a Breach
We are required to notify you by first class mail or by e-mail (if you have indicated a preference to receive information by e-mail) of any breaches of unsecured PHI as soon as possible, but in any event, no later than 60 days following the discovery of the breach. “Unsecured PHI” is information that is not secured through the use of a technology or methodology identified by the Secretary of the U.S. Department of Health and Human Services (“DHHS”) to render the PHI unusable, unreadable, and undecipherable to unauthorized users.
Your Rights Regarding Electronic Health Information Technology
Wichita Dermatology & Aesthetics participates in electronic health information technology or HIT. This technology allows a provider or a health plan to make a single request through a health information organization or HIO to obtain electronic records for a specific patient from other HIT participants for purposes of treatment, payment, or health care operations. HIOs are required to use appropriate safeguards to prevent unauthorized uses and disclosures. You have two options with respect to HIT. First, you may permit authorized individuals to access your electronic health information through an HIO. If you choose this option, you do not have to do anything. Second, you may restrict access to all of your information through an HIO (except as required by law). If you wish to restrict access, you must submit the required information either online at http://www.KanHIT.org or by completing and mailing a form. This form is available at http://www.KanHIT.org. You cannot restrict access to certain information only; your choice is to permit or restrict access to all of your information. If you have questions regarding HIT or HIOs, please visit http://www.KanHIT.org for additional information. If you receive health care services in a state other than Kansas, different rules may apply regarding restrictions on access to your electronic health information. Please communicate directly with your out-of-state health care provider regarding those rules.
Questions and Complaints
If you are concerned that your privacy rights have been violated, or if you disagree with a decision we made about access to your PHI, you may file a complaint with the HIPAA Privacy Officer at the above address or by phone at (316) 682-7546. You also have the right to file a complaint with the Secretary of DHHS. All complaints must be submitted in writing and should be submitted within 180 days of when you knew or should have known that the alleged violation occurred. Send your complaint to DHHS (OCR), 601 East 12th Street, Room 248, Kansas City, MO 64106; or contact the OCR above at (816) 426-7065 (TDD); (816) 426-3686 (FAX); or send the information to the following electronic message address: OCRComplaint@hhs.gov. You may request a Health Information Privacy Complaint Form Packet at the above OCR office, or you may obtain this form via the Internet at http://www.hhs.gov/ocr/privacy/hipaa/complaints/hipcomplaintpackage.pdf/. You will not be penalized for filing a complaint.