Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
You can also download a copy of this document in PDF form.
If you have any questions about this Notice, please contact our Executive Director Corporate Integrity, Lawrence R. Hensley, at 512-375-3849 or at the email address Privacy@UTCH.clinic.
This Notice of Privacy Practices describes how we may use and disclose your protected health information to carry out treatment, payment or health care operations and for other purposes that are permitted or required by law. It also describes your rights to access and control your protected health information. “Protected health information” is information about you, including demographic information, that may identify you and that relates to your past, present or future physical or mental health or condition and related health care services.
We are required to abide by the terms of this Notice of Privacy Practices. We may change the terms of our notice at any time. The new notice will be effective for all protected health information that we maintain at that time. Upon your request, we will provide you with any revised Notice of Privacy Practices. You may request a revised version by accessing our website, by calling the office and requesting that a revised copy be sent to you in the mail, or by asking for one at the time of your next appointment.
Uses and Disclosures of Protected Health Information
Your protected health information may be used and disclosed by your physician, our office staff and others outside of our office who are involved in your care and treatment for the purpose of providing health care services to you. Your protected health information may also be used and disclosed to pay your health care bills and to support the operation of your physician’s practice.
Following are examples of the types of uses and disclosures of your protected health information that your physician’s office is permitted to make. These examples are not meant to be exhaustive, but to describe the types of uses and disclosures that may be made by our office.
Treatment: We will use and disclose your protected health information to provide, coordinate, or manage your health care and any related services. This includes the coordination or management of your health care with another provider. For example, we would disclose your protected health information, as necessary, to a home health agency that provides care to you. We will also disclose protected health information to other physicians who may be treating you. For example, your protected health information may be provided to a physician to whom you have been referred to ensure that the physician has the necessary information to diagnose or treat you. In addition, we may disclose your protected health information from time to time to another physician or health care provider (e.g., a specialist or laboratory) who, at the request of your physician, becomes involved in your care by providing assistance with your health care diagnosis or treatment to your physician.
Payment: Your protected health information will be used and disclosed, as needed, to obtain payment for your health care services provided by us or by another provider. This may include certain activities that your health insurance plan may undertake before it approves or pays for the health care services we recommend for you such as: making a determination of eligibility or coverage for insurance benefits, reviewing services provided to you for medical necessity, and undertaking utilization review activities. For example, obtaining approval for a hospital stay may require that your relevant protected health information be disclosed to the health plan to obtain approval for the hospital admission.
Health Care Operations: We may use or disclose, as needed, your protected health information in order to support the business activities of your physician’s practice. These activities include, but are not limited to, quality assessment activities, employee review activities, training of medical students, licensing, fundraising activities, and conducting or arranging for other business activities.
We will share your protected health information with third party “business associates” that perform various activities (for example, billing or transcription services) for our practice. Whenever an arrangement between our office and a business associate involves the use or disclosure of your protected health information, we will have a written contract that contains terms that will protect the privacy of your protected health information.
We may use or disclose your protected health information, as necessary, to provide you with information about treatment alternatives or other health-related benefits and services that may be of interest to you. You may contact our Privacy Officer to request that these materials not be sent to you.
We may use or disclose your demographic information and the dates that you received treatment from your physician, as necessary, in order to contact you for fundraising activities supported by our office. If you do not want to receive these materials, please contact our Privacy Officer and request that these fundraising materials not be sent to you.
Other Permitted and Required Uses and Disclosures That May Be Made Without Your Authorization or Opportunity to Agree or Object
We may use or disclose your protected health information in the following situations without your authorization or providing you the opportunity to agree or object. These situations include:
Required By Law: We may use or disclose your protected health information to the extent that the use or disclosure is required by law. The use or disclosure will be made in compliance with the law and will be limited to the relevant requirements of the law. You will be notified, if required by law, of any such uses or disclosures.
Public Health: We may disclose your protected health information for public health activities and purposes to a public health authority that is permitted by law to collect or receive the information. For example, a disclosure may be made for the purpose of preventing or controlling disease, injury or disability.
Communicable Diseases: We may disclose your protected health information, if authorized by law, to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading the disease or condition.
Health Oversight: We may disclose protected health information to a health oversight agency for activities authorized by law, such as audits, investigations, and inspections. Oversight agencies seeking this information include government agencies that oversee the health care system, government benefit programs, other government regulatory programs and civil rights laws.
Abuse or Neglect: We may disclose your protected health information to a public health authority that is authorized by law to receive reports of child abuse or neglect. In addition, we may disclose your protected health information if we believe that you have been a victim of abuse, neglect or domestic violence to the governmental entity or agency authorized to receive such information. In this case, the disclosure will be made consistent with the requirements of applicable federal and state laws.
Food and Drug Administration: We may disclose your protected health information to a person or company required by the Food and Drug Administration for the purpose of quality, safety, or effectiveness of FDA-regulated products or activities, including to report adverse events, product defects or problems, or biologic product deviations; to track products; to enable product recalls; to make repairs or replacements; or to conduct post-marketing surveillance, as required.
Legal Proceedings: We may disclose protected health information in the course of any judicial or administrative proceeding, in response to an order of a court or administrative tribunal (to the extent such disclosure is expressly authorized), or in certain conditions in response to a subpoena, discovery request or other lawful process.
Law Enforcement: We may also disclose protected health information, so long as applicable legal requirements are met, for law enforcement purposes. These law enforcement purposes include (1) legal processes and otherwise required by law, (2) limited information requests for identification and location purposes, (3) pertaining to victims of a crime, (4) suspicion that death has occurred as a result of criminal conduct, (5) in the event that a crime occurs on the premises of our practice, and (6) medical emergency (not on our practice’s premises) and it is likely that a crime has occurred.
Coroners, Funeral Directors, and Organ Donation: We may disclose protected health information to a coroner or medical examiner for identification purposes, determining cause of death or for the coroner or medical examiner to perform other duties authorized by law. We may also disclose protected health information to a funeral director, as authorized by law, in order to permit the funeral director to carry out their duties. We may disclose such information in reasonable anticipation of death. Protected health information may be used and disclosed for cadaveric organ, eye or tissue donation purposes.
Research: We may disclose your protected health information to researchers when their research has been approved by an institutional review board that has reviewed the research proposal and established protocols to ensure the privacy of your protected health information.
Criminal Activity: Consistent with applicable federal and state laws, we may disclose your protected health information, if we believe that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. We may also disclose protected health information if it is necessary for law enforcement authorities to identify or apprehend an individual.
Military Activity and National Security: When the appropriate conditions apply, we may use or disclose protected health information of individuals who are Armed Forces personnel (1) for activities deemed necessary by appropriate military command authorities; (2) for the purpose of a determination by the Department of Veterans Affairs of your eligibility for benefits; or (3) to a foreign military authority if you are a member of that foreign military service. We may also disclose your protected health information to authorized federal officials for conducting national security and intelligence activities, including for the provision of protective services to the President or others legally authorized.
Workers’ Compensation: We may disclose your protected health information as authorized to comply with workers’ compensation laws and other similar legally-established programs.
Inmates: We may use or disclose your protected health information if you are an inmate of a correctional facility and your physician created or received your protected health information in the course of providing care to you.
Uses and Disclosures of Protected Health Information Based upon Your Written Authorization
Other uses and disclosures of your protected health information will be made only with your written authorization, unless otherwise permitted or required by law as described below. You may revoke this authorization in writing at any time. If you revoke your authorization, we will no longer use or disclose your protected health information for the reasons covered by your written authorization. Please understand that we are unable to take back any disclosures already made with your authorization.
Other Permitted and Required Uses and Disclosures That Require Providing You the Opportunity to Agree or Object
We may use and disclose your protected health information in the following instances. You have the opportunity to agree or object to the use or disclosure of all or part of your protected health information. If you are not present or able to agree or object to the use or disclosure of the protected health information, then your physician may, using professional judgment, determine whether the disclosure is in your best interest.
Facility Directories: Unless you object, we will use and disclose in our facility directory your name, the location at which you are receiving care, your general condition (such as fair or stable), and your religious affiliation. All of this information, except religious affiliation, will be disclosed to people that ask for you by name. Your religious affiliation will be only given to a member of the clergy, such as a priest or rabbi.
Others Involved in Your Health Care or Payment for your Care: Unless you object, we may disclose to a member of your family, a relative, a close friend or any other person you identify, your protected health information that directly relates to that person’s involvement in your health care. If you are unable to agree or object to such a disclosure, we may disclose such information as necessary if we determine that it is in your best interest based on our professional judgment. We may use or disclose protected health information to notify or assist in notifying a family member, personal representative or any other person that is responsible for your care of your location, general condition or death. Finally, we may use or disclose your protected health information to an authorized public or private entity to assist in disaster relief efforts and to coordinate uses and disclosures to family or other individuals involved in your health care.
Your Rights
Following is a statement of your rights with respect to your protected health information and a brief description of how you may exercise these rights.
You have the right to inspect and copy your protected health information. This means you may inspect and obtain a copy of protected health information about you for so long as we maintain the protected health information. You may obtain your medical record that contains medical and billing records and any other records that your physician and the practice uses for making decisions about you. As permitted by federal or state law, we may charge you a reasonable copy fee for a copy of your records.
Under federal law, however, you may not inspect or copy the following records: psychotherapy notes; information compiled in reasonable anticipation of, or use in, a civil, criminal, or administrative action or proceeding; and laboratory results that are subject to law that prohibits access to protected health information. Depending on the circumstances, a decision to deny access may be reviewable. In some circumstances, you may have a right to have this decision reviewed. Please contact our Privacy Officer if you have questions about access to your medical record.
You have the right to request a restriction of your protected health information. This means you may ask us not to use or disclose any part of your protected health information for the purposes of treatment, payment or health care operations. You may also request that any part of your protected health information not be disclosed to family members or friends who may be involved in your care or for notification purposes as described in this Notice of Privacy Practices. Your request must state the specific restriction requested and to whom you want the restriction to apply.
Your physician is not required to agree to a restriction that you may request. If your physician does agree to the requested restriction, we may not use or disclose your protected health information in violation of that restriction unless it is needed to provide emergency treatment. With this in mind, please discuss any restriction you wish to request with your physician. You may request a restriction by placing the requested restriction(s) in writing and submitting them to your UTC Health & Rehab physician.
The HIPAA health privacy rule was updated September 23, 2013. One of the changes in the rule is a new provision called “Pay Out of Pocket,” also called the “Right to Restrict Disclosure.” This provision gives patients the right to request that their health care provider not report or disclose their information to their health insurers when they pay for medical services in full at the time of service. The following conditions must be met.
- The patient makes a Request to Restrict disclosure (see attached Request to Restrict Use or Disclosure of PHI Form);
- The disclosure is to a health plan for payment or health care operations;
- The disclosure is not required by law; and
- The protected health information pertains solely to health care for which the patient (or someone on behalf of the patient) has paid in full out of pocket.
You have the right to request to receive confidential communications from us by alternative means or at an alternative location. We will accommodate reasonable requests. We may also condition this accommodation by asking you for information as to how payment will be handled or specification of an alternative address or other method of contact. We will not request an explanation from you as to the basis for the request. Please make this request in writing to our Privacy Officer Lawrence R. Hensley, 8900 Shoal Creek Blvd, Suite # 300, Austin, Texas 78757 or to Privacy@UTCH.clinic.
You may have the right to have your physician amend your protected health information. This means you may request an amendment of protected health information about you in a designated record set for so long as we maintain this information. In certain cases, we may deny your request for an amendment. If we deny your request for amendment, you have the right to file a statement of disagreement with us and we may prepare a rebuttal to your statement and will provide you with a copy of any such rebuttal. Please contact our Privacy Officer if you have questions about amending your medical record.
You have the right to receive an accounting of certain disclosures we have made, if any, of your protected health information. This right applies to disclosures for purposes other than treatment, payment or health care operations as described in this Notice of Privacy Practices. It excludes disclosures we may have made to you if you authorized us to make the disclosure, for a facility directory, to family members or friends involved in your care, or for notification purposes, for national security or intelligence, to law enforcement (as provided in the privacy rule) or correctional facilities, or as part of a limited data set disclosure. You have the right to receive specific information regarding these disclosures that occur after April 14, 2003. The right to receive this information is subject to certain exceptions, restrictions and limitations.
You have the right to obtain a paper copy of this notice from us, upon request, even if you have agreed to accept this notice electronically.
You have the right to be notified if your Protected Health Information (PHI) is distributed to people or entities other than for treatment, payment or health care operations. The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires UTC Health & Rehab and its business associates to provide notification following a breach of unsecured protected health information.
Following a breach of unsecured protected health information, UTC Health & Rehab will provide notification of the breach to affected individuals, the Secretary of Health and Human Services and, in certain circumstances, to the media. In addition, business associates must notify UTC Health & Rehab if a breach occurs at or by the business associate.
UTC Health & Rehab will notify affected individuals following the discovery of a breach of unsecured protected health information. UTC Health & Rehab must provide this individual notice in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically. If UTC Health & Rehab has insufficient or out-of-date contact information for 10 or more individuals, UTC Health & Rehab must provide substitute individual notice by either posting the notice on the home page of its web site for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside. UTC Health & Rehab must include a toll-free phone number that remains active for at least 90 days where individuals can learn if their information was involved in the breach. If UTC Health & Rehab has insufficient or out-of-date contact information for fewer than 10 individuals, UTC Health & Rehab may provide substitute notice by an alternative form of written notice, by telephone, or other means.
These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what UTC Health & Rehab is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for UTC Health & Rehab (or business associate, as applicable).
With respect to a breach at or by a business associate, while UTC Health & Rehab is ultimately responsible for ensuring individuals are notified, UTC Health & Rehab may delegate the responsibility of providing individual notices to the business associate.
If UTC Health & Rehab experiences a breach affecting more than 500 residents of a State or jurisdiction, it is, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. UTC Health & Rehab will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification will be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and will include the same information required for the individual notice.
Notice to the Secretary of Health and Human Services
In addition to notifying affected individuals and the media (where appropriate), UTC Health & Rehab will notify the Secretary of breaches of unsecured protected health information. UTC Health & Rehab will notify the Secretary by visiting the HHS web site (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html) and filling out and electronically submitting a breach report form. If a breach affects 500 or more individuals, UTC Health & Rehab will notify the Secretary without unreasonable delay and in no case later than 60 days following a breach. If, however, a breach affects fewer than 500 individuals, UTC Health & Rehab may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches are discovered.
Notification by a Business Associate
If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify UTC Health & Rehab following the discovery of the breach. A business associate must provide notice to UTC Health & Rehab without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide UTC Health & Rehab with the identification of each individual affected by the breach as well as any other available information required to be provided by UTC Health & Rehab in its notification to affected individuals.
You may complain to us or to the Secretary of Health and Human Services if you believe your privacy rights have been violated by us. You may file a complaint with us by notifying our Privacy Officer of your complaint. We will not retaliate against you for filing a complaint.
You may contact our Privacy Officer, Lawrence R. Hensley, at (512) 375-3849 or at email address Privacy@UTCH.clinic for further information about the complaint process. Concerns about compliance may be posted to Compliance@UTCH.clinic.
This notice was published and becomes effective on the 29th day of July, 2013 and was updated on the 13th day of January, 2015.