Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This notice will go into effect on March 1, 2022, and will remain so unless new notice provisions effective for all protected health information are enacted accordingly. This document supersedes any previous notice of privacy practice.
Under the federal Health Insurance Portability and Accountability Act (HIPAA), we are required to give you this notice and to abide by its terms. We also want you to know all of this so that you can make the best decisions for yourself. This notice explains when, why, and how we would use and/or disclose your protected health information (PHI). Use of PHI is when we share, apply, utilize, examine, or analyze your PHI within this practice. Disclosure of PHI is when we release, transfer, give, or reveal your PHI to a third party outside of this practice.
- Personal Health Information (PHI) is health information about you that contains identifiers, such as your name, social security number, or other information that reveals who you are. It may be information about your past, present, or future health or conditions, or the tests and treatment you received, or about payments for health care. This information goes into your medical or health care records.
- In this notice, “we” and “us” include any health care professional authorized to enter information into your medical record, all employees, staff, and other personnel at this practice who may need access to your information. We must abide by this notice. All subsidiaries, business associate (e.g., a billing service), sites and locations of this practice may share PHI with each other for treatment, payment purposes, or health care operations described in this Notice. Except where treatment is involved, only the minimum necessary information needed to accomplish the task will be shared.
It is our legal duty and priority to safeguard your protected health information (PHI). In general, our communications with you are confidential and protected by law. We can only release your PHI with your written permission, or under certain circumstances permitted or required by law. When we make a disclosure of your PHI, we will always try to limit the information that we disclose to only the minimum amount necessary to meet our obligations.
Uses and disclosures for treatment, payment, and health care operations
After you read this notice, you will be asked to sign it, indicating that you consent to the use and disclosure of your PHI as outlined in this notice. We use information we collect about you primarily to provide you with treatment, to arrange payment our services, and for some business functions called “Health Care Operations” (activities that are related to running this practice). In other words, we need information about you and your condition to provide care to you. You have to agree to let us collect the information, use it, and share it to care for you properly. Therefore, you must sign this form before we can begin to treat you. If you do not agree and consent, we cannot treat you.
- Treatment is when we provide, coordinate, or manage your health care and other services related to your health care. For example, with your written permission (authorization), I may disclose your PHI to your medical doctor to coordinate your care and to ensure that he/she has the necessary information to treat you.
- Your PHI may used and/or disclosed, as needed, in activities related to billing and collecting payment for services that we provide to you. This may include the use of billing service, claims processing companies, and others that process health care claims for our office. We may send your PHI to your insurance company in order to get payment for the health care services that we have provided to you.
- Health Care Operations are activities that relate to the performance and operation of this practice. We may use or disclose, as needed, your PHI to facilitate the efficient and correct operation of our practice. We may provide your PHI to our “business associates,” such as our attorneys, accountants, consultants, secretary, and others to make sure that we are in compliance with applicable laws. To protect your privacy, our business associates have agreed in their contract with us to safeguard your health information.
Uses and disclosures that require your written authorization
Any other uses and disclosures of your PHI beyond those listed above will be made only with your written authorization (permission), unless otherwise permitted or required by law as described below. You may revoke your authorization at any time, in writing.
- If you request that we disclose and/or release your PHI to a third party (e.g., a family member), you must make that request in writing. Please note that we can decline your request, and in such circumstances, we will provide you, in writing, the reasons for the decline. If you have signed an authorization to disclose your PHI to a third party, you may later revoke that authorization, in writing, to stop any future uses or disclosures, except as permitted by law.
Uses and disclosures that do not require your consent or authorization
We may use and/or disclose your PHI without your written authorization for the following reasons:
- To avoid harm (e.g. disclosure to law enforcement personnel to prevent or mitigate a serious threat to the health or safety of a person or the public). We will only share information with persons who are able to help prevent or reduce the threat.
- If disclosure is compelled or permitted by the fact that you are in such mental or emotional condition as to be dangerous to yourself or the person or property of others, in order to prevent the threatened danger.
- If disclosure is mandated by the California Child Abuse and Neglect Reporting law or by the California Elder/Dependent Adult Abuse Reporting law.
- To seek emergency medical treatment for you (e.g. if you are unconscious or unable to speak) provided that I attempt to get your consent after treatment is rendered.
Appointment reminders and health related benefits or services. We are permitted to contact you, without your prior authorization, to provide appointment reminders or information about alternative or other health-related benefits and services that may be of interest to you.
- When disclosure is required by federal, state, or local law, judicial, board, or administrative proceedings; or law enforcement.
- If disclosure is compelled by a party to a proceeding before a court of an administrative agency pursuant to its lawful authority.
- If disclosure is required by a search warrant lawfully issued to a governmental law enforcement agency.
- If disclosure is compelled by you or your legal representative pursuant to California Health and Safety Codes or to corresponding federal statutes of regulations.
- For public health activities. In the event of your death, if a disclosure is permitted or compelled, we may need to give the county coroner information about you.
- For health oversight activities (e.g. to assist the government in the course of an investigation or inspection of a health care organization or provider or assess compliance with HIPAA).
- For specific government functions. We may disclose PHI of military personnel and veterans under certain circumstances or other individuals in the interests of national security (e.g. protecting the President of the U.S.)
- For research purposes. In limited circumstances, we may disclose PHI (e.g. when it has been de-identified).
- If an arbitrator or arbitration panel compels disclosure, when arbitration is lawfully requested by either party, pursuant to subpoena duces tectum (e.g., a subpoena for mental health records) or any other provision authorizing disclosure in a proceeding before an arbitrator or arbitration panel.
- For worker’s compensation purposes. We may provide PHI to comply with Worker’s Compensation laws.
Certain categories of information have extra protections by law and require special written authorizations for disclosures.
- Psychotherapy notes. In some cases, your health providers may take “psychotherapy notes” — notes that they keep separately from your PHI about your conversations with them during an individual, group, and/or joint session. Under most circumstances, the use and disclosure of psychotherapy notes will require your written authorization. You can make a written request for a copy of these notes for you. The provider may decline your request, provide you a copy of these notes, or provide you a summary the notes.
- HIV Information. We will obtain a written authorization from you before releasing information related to HIV/AIDS, unless otherwise permitted or required by law.
- Alcohol/drug use and treatment. We will obtain a written authorization from you before releasing information related to your alcohol and/or drug use/treatment, unless otherwise permitted or required by law.
- You may revoke all of such authorizations (of PHI, psychotherapy Notes, HIV information, and/or Alcohol and Drug Use/treatment) at any time, provided each revocation is in writing, signed by you, and signed by a witness. You may not revoke an authorization to the extent that (1) we have relied on that authorization; or (2) if the authorization was obtained as a condition of obtaining insurance coverage; the law provides the insurer the right to contest the claim under the policy.
- Right to inspect and copy. In general, you have the right to see your PHI that is in our possession, or to get copies of it. However, you must request it in writing. You will receive a response from us within 10 business days of us receiving your written request. Under certain circumstances, we may feel we must deny your request, and if we do, we will give you, the reasons for it. If you ask for copies of your PHI, we will charge you $1 per page plus professional time prorated for completing your request. We may provide you instead with a summary or explanation of the PHI, if clinically appropriate.
- Right to request restrictions. You have the right to request restrictions on certain uses/disclosures of your PHI. However, we are not required to agree to the request. If we do agree to your request, we will put those limits in writing and abide by them except in emergency situations or where legally required or permitted.
- You have the right to restrict certain disclosures of your PHI to your health insurance plan when you fully pay out-of-pocket for our services.
- Right to receive confidential communications by alternative means. You can request and receive confidential information by alternative means and locations. For example, you can request that your PHI be sent to your work address instead of your home address. We are obliged to agree to your request, providing that we can give you the PHI, in the format and/or to the location you requested, without undue inconvenience.
- Right to an accounting. You have the right to obtain a list of the disclosures of your PHI that we have made. The list will not include uses or disclosures to which you have already consented (i.e., those for treatment, payment, or health care operations, sent directly to you) OR made for national security purposes, to corrections or law enforcement personnel. Disclosure records will be held for six years for adults or until one year after a child patient turns 21 years old.
- We will respond to your request for an accounting of disclosures within 60 days of receiving your written request. The list we give you will include disclosures made in the previous six years unless you indicate a shorter period. The list will include the date of the disclosure, to whom PHI was disclosed (including their address, if known), a description of the information disclosed, and the reason for the disclosure. We will provide the list to you at no cost, unless you make more than one request in the same year. In this case, we will charge you a reasonable sum based on a set fee for each additional request.
- Right to amend. If you believe that there is some error in your PHI or that important information has been omitted, you have the right to request that we correct the existing information or add the missing information. Your request and the reason for the request must be made in writing. You will receive a response within 60 days of our receipt of your request. We may deny your request, in writing, if we find that: the PHI is (a) correct and complete, (b) forbidden to be disclosed, (c) not part of our records, or (d) written by someone other than your providers at this practice. Our denial must be in writing and must state the reasons for the denial. It must also explain your right to file a written statement objecting to the denial. If you do not file a written objection, you still have the right to ask that your request and my denial be attached to any future disclosures of your PHI. If we approve your request, we will make the change(s) to your PHI. Additionally, we will tell you that the changes have been made, and we will advise all others who need to know about the change(s) to your PHI.
- Right to notification of breach. You will be notified if (a) there’s a breach involving your PHI (a use or disclosure of your PHI in violation of the HIPAA Privacy Rule), (b) your PHI has not been encrypted to government standards, and (c) our risk assessment fails to show that there is a low probability that your PHI is compromised.
- Right to a paper copy. You have the right to obtain a paper copy of the Notice of Privacy Practices from us upon request. You may request to view a copy of it in our offices or to receive a copy by e-mail at any time.
Our commitment to you
- We are required by law to maintain the privacy of PHI and to provide you with a notice of our legal duties and privacy practices with respect to PHI.
- We reserve the right to change the terms of the privacy policies and practices described in this notice at any time. Any changes will apply to the PHI already on file with us. Before we make any changes to my policies, we will immediately change this notice. You will be notified of the changes made and provided with an updated copy, either at your next appointment or by mail at the address you provided to us.
- We take steps to safeguard against PHI breach. When we become aware of or suspect a breach of your PHI (a use or disclosure of your PHI in violation of the HIPAA Privacy Rule), we or a business associate will conduct a risk assessment. We will keep a written record of that risk assessment. While the business associate may conduct a risk assessment of a breach of PHI in its control, we will provide any required notice to patients and Department of Health and Human Services. After any breach, particularly one that requires notice, we will re-assess its privacy and security practices to determine what changes should be made to prevent the re-occurrence of such breaches.
If you believe that we may have violated your privacy rights or if you object to a decision we made about access to your PHI, you can make a written complaint with the Privacy Officer at this office or send a written complaint to the Secretary of the Department of Health and Human Services at 200 Independence Avenue S.W. Washington, D.C. 20201. You will not be penalized or discriminated against filing a complaint.
- If you have any questions, complaints, or concerns about this notice or would like to know how to file a complaint with the Secretary of the Department of Health and Human Services, please contact the privacy officer at this office:
Maya Matheis, PhD
PO Box 26401
Honolulu, HI 96825