Notice of Privacy Practices for Protected Health Information
The HIPAA Privacy Rule gives individuals a fundamental new right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information. Health plans and covered health care providers are required to develop and distribute a notice that provides a clear explanation of these rights and practices. The notice is intended to focus individuals on privacy issues and concerns, and to prompt them to have discussions with their health plans and health care providers and exercise their rights.
How the Rule Works
General Rule. The Privacy Rule provides that an individual has a right to adequate notice of how a covered entity may use and disclose protected health information about the individual, as well as his or her rights and the covered entity’s obligations with respect to that information. Most covered entities must develop and provide individuals with this notice of their privacy practices. The Privacy Rule does not require the following covered entities to develop a notice:
- Health care clearinghouses, if the only protected health information they create or receive is as a business associate of another covered entity. See 45 CFR 164.500(b)(1).
- A correctional institution that is a covered entity (e.g., that has a covered health care provider component).
- A group health plan that provides benefits only through one or more contracts of insurance with health insurance issuers or HMOs, and that does not create or receive protected health information other than summary health information or enrollment or disenrollment information. See 45 CFR 164.520(a).
Content of the Notice. Covered entities are required to provide a notice in plain language that describes:
- How the covered entity may use and disclose protected health information about an individual.
- The individual’s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the covered entity.
- The covered entity’s legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information.
- Whom individuals can contact for further information about the covered entity’s privacy policies.
The notice must include an effective date. See 45 CFR 164.520(b) for the specific requirements for developing the content of the notice. A covered entity is required to promptly revise and distribute its notice whenever it makes material changes to any of its privacy practices. See 45 CFR 164.520(b)(3), 164.520(c)(1)(i)(C) for health plans, and 164.520(c)(2)(iv) for covered health care providers with direct treatment relationships with individuals.
Providing the Notice.
- A covered entity must make its notice available to any person who asks for it.
- A covered entity must prominently post and make available its notice on any web site it maintains that provides information about its customer services or benefits.
- Health Plans must also:
Provide the notice to individuals then covered by the plan no later than April 14, 2003 (April 14, 2004, for small health plans) and to new enrollees at the time of enrollment.
Provide a revised notice to individuals then covered by the plan within 60 days of a material revision.
Notify individuals then covered by the plan of the availability of and how to obtain the notice at least once every three years.
- Covered Direct Treatment Providers must also:
Provide the notice to the individual no later than the date of first service delivery (after the April 14, 2003 compliance date of the Privacy Rule) and, except in an emergency treatment situation, make a good faith effort to obtain the individual’s written acknowledgment of receipt of the notice. If an acknowledgment cannot be obtained, the provider must document his or her efforts to obtain the acknowledgment and the reason why it was not obtained.
When first service delivery to an individual is provided over the Internet, through e-mail, or otherwise electronically, the provider must send an electronic notice automatically and contemporaneously in response to the individual’s first request for service. The provider must make a good faith effort to obtain a return receipt or other transmission from the individual in response to receiving the notice.
In an emergency treatment situation, provide the notice as soon as it is reasonably practicable to do so after the emergency situation has ended. In these situations, providers are not required to make a good faith effort to obtain a written acknowledgment from individuals.
Make the latest notice (i.e., the one that reflects any changes in privacy policies) available at the provider’s office or facility for individuals to request to take with them, and post it in a clear and prominent location at the facility.
- A covered entity may e-mail the notice to an individual if the individual agrees to receive an electronic notice. See 45 CFR 164.520(c) for the specific requirements for providing the notice.
- Any covered entity, including a hybrid entity or an affiliated covered entity, may choose to develop more than one notice, such as when an entity performs different types of covered functions (i.e., the functions that make it a health plan, a health care provider, or a health care clearinghouse) and there are variations in its privacy practices among these covered functions. Covered entities are encouraged to provide individuals with the most specific notice possible.
- Covered entities that participate in an organized health care arrangement may choose to produce a single, joint notice if certain requirements are met. For example, the joint notice must describe the covered entities and the service delivery sites to which it applies. If any one of the participating covered entities provides the joint notice to an individual, the notice distribution requirement with respect to that individual is met for all of the covered entities. See 45 CFR 164.520(d).
Stone Ridge Recovery is committed to ensuring that individuals with disabilities can access all of the services, facilities, privileges, advantages, and accommodations offered by Stone Ridge Recovery through its website, www.stoneridgerecovery.com, and its mobile applications. We are actively working to increase the accessibility and usability of our website, and in doing so adhere to many of the available standards and guidelines to the greatest extent possible.
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
PLEASE REVIEW IT CAREFULLY
This notice is effective as of April 15, 2003
USES AND DISCLOSURE OF HEALTH INFORMATION
Stone Ridge Recovery is committed to protecting the privacy of the personal and health information we collect or create as part of providing health care services to our clients, known as “Protected Health Information” or “PHI”. PHI typically includes your name, address, date of birth, billing arrangements, care, and other information that relates to your health, health care provided to you, or payment for health care provided to you. PHI DOES NOT include information that is de-identified or cannot be linked to you.
This notice of Health Information Privacy Practices (the “Notice”) describes Stone Ridge Recovery’s duties with respect to the privacy of PHI, Stone Ridge Recovery’s use of and disclosure of PHI, client rights and contact information for comments, questions, and complaints.
STONE RIDGE RECOVERY’S PRIVACY PROCEDURES AND LEGAL OBLIGATIONS
Stone Ridge Recovery obtains most of its PHI directly from you, through care applications, assessments and direct questions. We may collect additional personal information depending upon the nature of your needs and consent to make additional referrals and inquiries. We may also obtain PHI from community health care agencies, other governmental agencies or health care providers as we set up your service arrangements.
Stone Ridge Recovery is required by law to provide you with this notice and to abide by the terms of the Notice currently in effect. Stone Ridge Recovery reserves the right to amend this Notice at any time to reflect changes in our privacy practices. Any such changes will be applicable to and effective for all PHI that we maintain including PHI we created or received prior to the effective date of the revised notice. Any revised notice will be mailed to you or provided upon request.
Stone Ridge Recovery is required by law to maintain the privacy of PHI. Stone Ridge Recovery will comply with federal law and will comply with any state law that further limits or restricts the uses and disclosures discussed below. In order to comply with these state and federal laws, Stone Ridge Recovery has adopted policies and procedures that require its employees to obtain, maintain, use and disclose PHI in a manner that protects client privacy.
USES AND DISCLOSURES WITH YOUR AUTHORIZATION
Except as outlined below, Stone Ridge Recovery will not use or disclose your PHI without your written authorization. The authorization form is available from Stone Ridge Recovery (at the address and phone number below). You have the right to revoke your authorization at any time, except to the extent that Stone Ridge Recovery has taken action in reliance on the authorization.
The law permits Stone Ridge Recovery to use and disclose your PHI for the following reasons without your authorization:
For Your Treatment: We may use or disclose your PHI to physicians, psychologists, nurses and other authorized healthcare professionals who need your PHI in order to conduct an examination, prescribe medication or otherwise provide health care services to you.
To Obtain Payment: We may use or disclose your PHI to insurance companies , government agencies or health plans to assist us in getting paid for our services . For example, we may release information such as dates of treatment to an insurance company in order to obtain payment.
For Our Health Care Operations: We may use or disclose your PHI in the course of activities necessary to support our health care operations such as performing quality checks on your employee services. We may also disclose PHI to other persons not in Stone Ridge Recovery’s workforce or to companies who help us perform our health services (referred to as “Business Associates”) we require these business associates to appropriately protect the privacy of your information .
As Permitted or Required By The Law: In some cases we are required by law to disclose PHI. Such as disclosers may be required by statute, regulation court order, government agency, we reasonably believe an individual to be a victim of abuse, neglect or domestic violence: for judicial and administrative proceedings and enforcement purposes.
For Public Health Activities: We may disclose your PHI for public health purposes such as reporting communicable disease results to public health departments as required by law or when required for law enforcement purposes.
For Health Oversight Activities: We may disclose your PHI in connection with governmental oversight, such as for licensure, auditing and for administration of government benefits.
To Avert Serious Threat to Health and Safety: We may disclose PHI if we believe in good faith that doing so will prevent or lessen a serious or imminent threat to the health and safety of a person or the public.
Disclosures of Health Related Benefits or Services: Sometimes we may want to contact you regarding service reminders, health related products or services that may be of interest to you, such as health care providers or settings of care or to tell you about other health related products or services offered at Stone Ridge Recovery. You have the right not to accept such information.
Incidental Uses and Disclosures: Incidental uses and disclosures of PHI are those that cannot be reasonably prevented, are limited in nature and that occur as a by-product of a permitted use or disclosure. Such incidental used and disclosures are permitted as long as Stone Ridge Recovery use reasonable safeguards and use or disclose only the minimum amount of PHI necessary.
To Personal Representatives: We may disclose PHI to a person designated by you to act on your behalf and make decisions about your care in accordance with state law. We will act according to your written instructions in your chart and our ability to verify the identity of anyone claiming to be your personal representative.
To Family and Friends: We may disclose PHI to persons that you indicate are involved in your care or the payment of care. These disclosures may occur when you are not present, as long as you agree and do not express an objection. These disclosures may also occur if you are unavailable, incapacitated, or facing an emergency medical situation and we determine that a limited disclosure may be in your best interest. We may also disclose limited PHI to public or private entity that is authorized to assist in disaster relief efforts in order for that entity to locate a family member or other person that may be involved in caring for you. You have the right to limit or stop these disclosures.
YOUR RIGHTS CONCERNING PRIVACY
Access to Certain Records: You have the right to inspect and copy your PHI in a designated record set except where State law may prohibit client access. A designated record set contains medical and billing and case management information. If we do not have your PHI record set but know who does, we will inform you how to get it. If our PHI is a copy of information maintained by another health care provider, we may direct you to request the PHI from them. If Stone Ridge Recovery produces copies for you, we may charge you up to $1.00 per page up to a maximum fee of $50.00. Should we deny your request for access to information contained in your designated record set, you have the right to ask for the denial to be reviewed by another healthcare professional designated by Stone Ridge Recovery .
Amendments to Certain Records: You have the right to request certain amendments to your PHI if, for example, you believe a mistake has been made or a vital piece of information is missing. Stone Ridge Recovery is not required to make the requested amendments and will inform you in writing of our response to your request.
Accounting of Disclosures: You have the right to receive an accounting of disclosures of your PHI that were made by Stone Ridge Recovery for a period of six (6) years prior to the date of your written request. This accounting does not include for purposes of treatment, payment, health care operations or certain other excluded purposes, but includes other types of disclosures, including disclosures for public health purposes or in response to a subpoena or court order.
Restrictions: You have the right to request that we agree to restrictions on certain uses and disclosures of your PHI, but we are not required to agree to your request. You cannot place limits on uses and disclosures that we are legally required or allowed to make.
Revoke Authorizations: You have the right to revoke any authorizations you have provided, except to the extent that Stone Ridge Recovery has already relied upon the prior authorization.
Delivery by Alternate Means or Alternate Address: You have the right to request that we send your PHI by alternate means or to an alternate address.
Complaints & How to contact us: If you believe your privacy rights have been violated, you have the right to file a complaint by contacting Stone Ridge Recovery at the address and/or phone number indicated below. You also have the right to file a complaint with the Secretary of the United States Department of Health and Human services in Washington, D.C. Stone Ridge Recovery will not retaliate against you for filing a complaint.
If you believe your privacy rights have been violated, you may make a complaint by contacting Ryan Love, HIPAA Privacy Officer at (610) 844-1261 or the Secretary for the Department of Health and Human Services. No individual will be retaliated against for filing a complaint.
The U.S.Department of Health and Human Services
200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll Free: 1-877-696-6775
Please be aware that mail sent to the Washington D.C area offices takes an additional 3-4 days to process due to changes in mail handling resulting from the Anthrax crisis of October 2001.