HIPAA NOTICE OF PRIVACY PRACTICES
Effective Date: October 1, 2020
This notice describes how medical information about you may be used and disclosed and how
you can get access to this information. PLEASE REVIEW IT CAREFULLY.
Your medical information is personal. Desert Peaks Surgery Center (“DPSC”) and its employees are dedicated to maintaining the privacy of your personal health information (“PHI”), as required by applicable federal and state laws. These laws require us to provide you with this Notice of Privacy Practices, and to inform you of your rights and our obligations concerning PHI, which is information that identifies you and that relates to your physical or mental health condition. We are required to follow the privacy practices described below while this Notice is in effect.
Permitted Disclosures of PHI. We may disclose your PHI for the following reasons:
- Treatment. We may disclose your PHI to a physician or other health care DPSC providing treatment to you. For example, we may disclose medical information about you to physicians, nurses, technicians or personnel who are involved with the administration of your care.
- Payment. We may disclose your PHI to bill and collect payment for the services we provide to you. For example, we may send a bill to you or to a third party payor (e.g., your health insurance company) for the rendering of services by us. The bill may contain information that identifies you, your diagnosis and procedures and supplies used. We may need to disclose this information to insurance companies to establish insurance eligibility benefits for you. We may also provide your PHI to our Business Associates, such as billing companies, claims processing companies and others that process our health care claims.
- Health Care Operations. We may disclose your PHI in connection with our health care operations. Health care operations include quality assessment activities, reviewing the competence or qualifications of health care professionals, evaluating DPSC performance, and other business operations. For example, we may use your PHI to evaluate the performance of the health care services you received. We may also provide your PHI to accountants, attorneys, consultants and others to make sure we comply with the laws that govern us.
- Emergency Treatment. We may disclose your PHI if you require emergency treatment or are unable to communicate with us.
- Family and Friends. We may disclose your PHI to a family member, friend or any other person who you identify as being involved with your care or payment for care, unless you object.
- Required by Law. We may disclose your PHI for law enforcement purposes and as required by state or federal law. For example, the law may require us to report instances of abuse, neglect or domestic violence; to report certain injuries such as gunshot wounds; or to disclose PHI to assist law enforcement in locating a suspect, fugitive, material witness or missing person. We will inform you or your representative if we disclose your PHI because we believe you are a victim of abuse, neglect or domestic violence, unless we determine that informing you or your representative would place you at risk. In addition, we must provide PHI to comply with an order in a legal or administrative proceeding. Finally, we may be required to provide PHI in response to a subpoena, discovery request or other lawful process, but only if efforts have been made, by us or the requesting party, to contact you about the request or to obtain an order from a court or administrative body to protect the requested PHI.
- Serious Threat to Health or Safety. We may disclose your PHI if we believe it is necessary to avoid a serious threat to the health and safety of you or the public.
- Public Health. We may disclose your PHI to public health or other authorities charged with preventing or controlling disease, injury or disability, or charged with collecting public health data.
- Health Oversight Activities. We may disclose your PHI to a Health Oversight Agency for activities authorized by law. These activities include audits; civil, administrative or criminal investigations or proceedings; inspections; licensure or disciplinary actions; or other activities necessary for oversight of the health care system, government programs and compliance with civil rights laws.
- Research. We may disclose your PHI for certain research purposes, but only if we have protections and protocols in place to ensure the privacy of your PHI.
- Workers’ Compensation. We may disclose your PHI to comply with laws relating to workers’ compensation or other similar programs.
- Specialized Government Activities. If you are active military or a veteran, we may disclose your PHI as required by military command authorities. We may also be required to disclose PHI to authorized federal officials for the conduct of intelligence or other national security activities.
- Coroners, Medical Examiners, Funeral Directors. We may disclose your PHI to coroners or medical examiners for the purposes of identifying a deceased person or determining the cause of death, and to funeral directors as necessary to carry out their duties.
- Disaster Relief. Unless you object, we may disclose your PHI to a governmental agency or private entity (such as FEMA or Red Cross) assisting with disaster relief efforts.
- Daily Operations. On the day of your appointment, we may ask you to sign your name on a log or “Sign in Sheet” where it could be viewed by other individuals. Throughout your appointment, your full name may be called in our reception area(s) where others may overhear.
- We may use and disclose medical information to contact you as a reminder that you have an appointment for medical care or that you are due to receive periodic care.
- We may contact you by phone, voicemail message, e-mail or in writing. These notifications could be (potentially) intercepted by others. We will disclose as little information as possible, but messages may include notification of optical goods ready for pick up, appointment reminders, access to our patient portal, review of post-operative instructions or other important information.
Disclosures Requiring Written Authorization.
- Not Otherwise Permitted. In any other situation not described in Section (a) above, we may not disclose your PHI without your written authorization.
- Psychotherapy Notes. We must receive your written authorization to disclose psychotherapy notes, except for certain treatment, payment or health care operations activities.
- Marketing and Sale of PHI. We must receive your written authorization for any disclosure of PHI for marketing purposes or for any disclosure which is a sale of PHI.
Your Rights.
- Right to Receive a Paper Copy of This Notice. You have the right to receive a paper copy of this Notice upon request.
- Right to Access PHI. You have the right to inspect and copy your PHI for as long as we maintain your medical record. You must make a written request for access to the DPSC representative at the address listed at the end of this Notice. We may charge you a reasonable fee for the processing of your request and the copying of your medical record. In certain circumstances we may deny your request to access your PHI, and you may request that we reconsider our denial. Depending on the reason for the denial, another licensed health care professional chosen by us may review your request and the denial.
- Right to Request Restrictions. You have the right to request a restriction on the use or disclosure of your PHI for the purpose of treatment, payment, or health care operations, except for in the case of an emergency. You also have the right to request a restriction on the information we disclose to a family member or friend who is involved with your care or the payment of your care. However, we are not legally required to agree to such a restriction.
- Right to Restrict Disclosure for Services Paid by You in Full. You have the right to restrict the disclosure of your PHI to a Health Plan if the PHI pertains to health care services for which you paid in full directly to us.
- Right to Request Amendment. You have the right to request that we amend your PHI if you believe it is incorrect or incomplete, for as long as we maintain your medical record. We may deny your request to amend if:
- we did not create the PHI;
- the PHI is not information that we maintain;
- the PHI is not information that you are permitted to inspect or copy (such as psychotherapy notes); or
- we determine that the PHI is accurate and complete.
- Right to an Accounting of Disclosures. You have the right to request an accounting of disclosures of PHI made by us (other than those made for treatment, payment or health care operations purposes) during the 6 years prior to the date of your request. You must make a written request for an accounting, specifying the time period for the accounting, to the DPSC representative at the address listed at the end of this Notice.
- Right to Confidential Communications. You have the right to request that we communicate with you about your PHI by certain means or at certain locations. For example, you may specify that we call you only at your home phone number, and not at your work number. You must make a written request, specifying how and where we may contact you, to the HIPAA Privacy Officer at the address listed at the end of this Notice.
- Right to Notice of Breach. You have the right to be notified if we or one of our Business Associates becomes aware of a breach of your unsecured PHI.
Changes to this Notice. We reserve the right to change this Notice at any time in accordance with applicable law. Prior to a substantial change to this Notice related to the uses or disclosures of your PHI, your rights or our duties, we will revise and distribute this Notice. The new notice will be available upon request, in our office, and on our website.
Acknowledgment of Receipt of Notice. We will ask you to sign an acknowledgment that you received this Notice.
Questions and Complaints. If you would like more information about our privacy practices or have questions or concerns, please contact us. If you are concerned that we may have violated your privacy rights, or you disagree with a decision we made regarding the use, disclosure, or access to your PHI, you may complain to us by contacting the Privacy Officer at the address and phone number at the end of this Notice. You also may submit a written complaint to the U.S. Department of Health and Human Services. We will provide you with the address to file such a complaint upon request.
We support your right to the privacy of your PHI. We will not retaliate in any way if you choose to file a complaint with us or with the U.S. Department of Health and Human Services. Please direct any of your questions or complaint:
DESERT PEAKS SURGERY CENTER WILL IN NO WAY PENALIZE YOU FOR FILING A COMPLAINT
Notice to Patients – Policy for Medical Record Retention, Maintenance and Destruction
Purpose
To provide Record Retention policies and procedures for all of the company’s sites consistent with all applicable regulatory guidelines.
Policy
- Apply effective management techniques to maintain complete, accurate and high quality records.
- Records shall be retained in accordance with all applicable laws, regulations and this policy.
- Records that have satisfied their required period of retention and are no longer required shall be destroyed in an appropriate manner consistent with this policy.
- Records are classified with the following types:
- Outpatient Treatment Centers/Clinics (OTC) – Medical Records and Fee Tickets
- Ambulatory Surgery Centers (ASC) – Medical Records and Fee Tickets
- Revenue Cycle Management (RCM) – Explanation of Benefits and Fee Tickets
- Finance – Accounting, General Ledger, Tax Documents, Contracts, Leases and Other Miscellaneous
- People Services (PS) – Payroll, Personnel and I9s
Procedures
(1) Record Retention Schedules
- All records will be maintained and retained in accordance with federal and state laws and regulations.
- The Records Retention Guide (See Section 5) will be revised and updated as required. All revisions must be reviewed and approved by the Medical Executive Committee.
- Active/Inactive records are to be reviewed periodically to determine if they meet the criteria and legal timeframe for destruction. Records that are no longer required as active will be reviewed and assessed for storage in a designated offsite storage facility.
- General Retention Requirements: See Exhibit A
(2) Record Retention
- Offsite Storage Facilities:
- Offsite storage facilities are utilized to store records in a secure location that protects them from the following:
- Ordinary hazards, such as fire, water, mildew, rodents and insects;
- Man-made hazards, such as theft, accidental loss, and sabotage;
- Disasters, such as fire, flood, earthquakes, hurricanes, wind, and explosions; and
- Unauthorized use, disclosure and destruction
- Records stored in the boxes must be adequately described and include the following information in order to facilitate their reference, review and destruction:
a. Department/Practice Name/Location (as applicable)
b. Date range of records
c. Description of records contained in box
d. Alpha range of patient names (when applicable)
- Onsite Record Storage:
1. All records must be appropriately labeled
2. Records are to be stored in secure cabinets or rooms that protect them from the following:
- Ordinary hazards, such as fire, water, mildew, rodents and insects;
- Man-made hazards, such as theft, accidental loss, and sabotage;
- Disasters, such as fire, flood, earthquakes, hurricanes, wind, and explosions; and
- Unauthorized use, disclosure and destruction
3. Records will be secured at the end of the day.
4. Access will be limited to those working directly with the patient and/or coordinating the patient’s care.
(3) Electronic Record Storage
A. The company will select appropriate media and systems for storing records
which will meet the following retention requirements:
1. Permit easy retrieval in a timely fashion; and
2. Retain records in a usable format until their authorized disposition date.
(4) Record Destruction
- Records that have satisfied their legal, fiscal, administrative, and archival requirements may be destroyed.
- Records that cannot be destroyed include records of patient visits and/or medical care currently subject to governmental audit or in litigation, or records identified as “permanent retention”. In the event of a lawsuit or government investigation, the applicable records that are not permanent cannot be destroyed until the lawsuit or investigation has been finalized. Once the litigation/investigation has been finalized, the records may be destroyed in accordance with the Records Retention Guide section of this document.
- As per Medicare HMO plan requirements, records older than 10 years are eligible for destruction with the following exceptions:
- The record is not being utilized for litigation or government investigation;
- For the adult patient, medical records are retained as original records or on electronic storage media for ten (10) years following the most recent patient visit or entry in the medical record or in the event of patient’s death, in absence of any legal considerations or state regulations requiring a longer period of retention; and
- For the minor patient, medical records are retained as original records or on electronic storage media for either ten (10) years after discharge or after the patient has reached the age of twenty-three (23), whichever date occurs last, in absence of any legal considerations or state regulations requiring a longer period of retention.
- Records will be destroyed by a contracted HIPAA compliant vendor that will guarantee the records are destroyed and are no longer recognizable. The vendor will provide a signed certification of destruction form indicating the types and quantities of records destroyed, the method of destruction, the destruction date, and agreeing to maintain the confidentiality of the documents it destroyed.
- An executed Business Associate Agreement with the company performing the destruction of records must be in place.
- For New Mexico patients, a log must be kept of all charts destroyed, including the patient’s name and date of record destruction in accordance and under the same time frame established in N.M. Admin. Code 16.10.17.10(D).
(5) Record Retention Guide
A. Medical Records
- Managers will ensure paper medical records being stored onsite are purged annually for completed charts that are at least one year old. These records are to be moved to an offsite storage location as defined above.
- Only complete medical records may be stored off-site or on electronic media.
- All new patient medical records will be created in the EHR system with the exception of sites not utilizing an EHR system.
- Existing paper records for active patients (patients who have a visit within the last 10 years) will be scanned in and attached to the electronic record.
- Paper copies of medical records converted to electronic media may be destroyed no earlier than 30 days after electronic transfer has occurred and only once the facility staff has completed a quality assurance process and verified that the electronic copy is an identical replication of the paper document. See N.M. Admin. Code 16.10.17.10(D).
- Medical records stored on electronic media may be stored on or off-site but must be maintained under the same confidentiality standards and safe storage constraints as paper medical record charts.
Questions / Concerns:
HIPAA Privacy Officer: Rose Willis
63 S Rockford Drive, Ste. 220, Tempe, AZ 85288
Compliance Line: 866-262-8614
HIPAA@AmericanVisionPartners.com
Desert Peaks Surgery Center will in no way penalize you for filing a complaint.
If you have any questions regarding this notice or our health information privacy policies, please contact the Desert Peaks Surgery Center Compliance Officer at 866-262-8614.
Nondiscrimination Policy
Southwestern Eye Center does not discriminate against any person on the basis of race, color, national origin, disability, or age in admission, treatment, or participation in its programs, services and activities, or in employment. For further information about this policy, contact our compliance officer, 866-262-8614