NOTICE OF PRIVACY PRACTICES
UBMD PHYSICIANS’ GROUP
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
EFFECTIVE DATE OF THIS NOTICE: April 14, 2003 REVISED DATE OF THIS NOTICE: September 6, 2019
1. UBMD Physicians’ Group (“UBMD”) LEGAL OBLIGATIONS
We are required by law to maintain the privacy of your protected health information (PHI). This includes information that can be used to identify you that we have created or received about your past, present or future health or condition, the provision of health care for you, or the payment of this health care.
We are required by law to provide you with a Notice of Privacy Practices (NPP) which describes our legal duties and privacy practices with respect to PHI. This notice will tell you about the ways in which we may use and disclose PHI about you. It also describes your rights and our obligations regarding the use and disclosure of your PHI. With some exceptions, we may not use or disclose any more of your PHI than is necessary to accomplish the purpose of the use or disclosure. We are legally required to follow the privacy practices that are described in this NPP. We are required to post the NPP within our facility and website and we are required to abide by the terms of the NPP that is currently in effect.
Please note, however, that special privacy protections apply to HIV/AIDS related information, alcohol and substance abuse treatment information, mental health information and genetic information, which are not set forth in this notice. Uses and disclosures for these purposes reflect other more stringent, applicable laws. For more information please contact the person listed in Section 4. Contact, of this NPP.
We reserve the right to change the terms of the NPP and our privacy policies at any time. Any changes made will apply to the PHI we already have about you as well as any information we create or receive in the future. We will promptly post the revised NPP, with a new effective date. Upon your request, a copy of the revised NPP will be made available to you.
In the event of a breach, we will notify you promptly and in no case later than 60 days after the discovery of the breach that may have compromised the privacy or security of your PHI.
2. HOW UBMD MAY USE OR DISCLOSE YOUR PROTECTED HEALTH INFORMATION (PHI)
Uses and Disclosures Relating to Treatment, Payment or Health Care Operations. The following categories describe different ways that we may use or disclose your PHI. Examples are provided where appropriate, although it is impossible to list every use and disclosure in each category.
Treatment: We will use and disclose your PHI to provide, coordinate, or manage your health care and any related services. This includes coordination or management of your health care with another physician. We will also disclose PHI to other physicians or health care professionals who may be treating you. For example, to a physician to whom you have been referred to ensure that he/she has the necessary information to diagnose or treat you.
Payment: We may use and disclose PHI about you so that the treatment and services you receive may be billed and payment may be collected from you, an insurance company, or a third party. For example, we may need to disclose PHI to a health plan in order for the health plan to pay for the services rendered to you. We may also tell your health plan about a treatment or procedures you are going to receive in order to obtain prior approval or to determine whether your health plan will cover the services.
Health Care Operations: We may use and disclose PHI about you for UBMD operations. These uses and disclosures are necessary to run our UBMD in an efficient manner and ensure that all patients receive quality care. For example, your medical records and PHI may be used in the evaluation of health care services, and the appropriateness and quality of health care treatment. In addition, medical records are audited for timely documentation and correct billing. We may also disclose PHI about you to medical students and residents for review and learning purposes.
Appointment Reminders: We may use and disclose medical information to contact you as a reminder that you have an appointment for treatment or medical care. For example, we may provide a written or telephone reminder that your next appointment is coming up.
UBMD Physicians’ Group, which several practices are a member of, share an integrated electronic medical record so that your caregivers at various UBMD Physicians’ Group offices can provide you with high quality, coordinated care. Access to the integrated medical record is expressly restricted to those clinicians and staff involved in your care, or to those who need the information for payment or health care operations or other purposes as set forth in this Notice.
To the extent we are required to disclose your PHI to contractors, agents and other business associates who need the information in order to assist us with obtaining payment or carrying out our business operations, we will have a written agreement to ensure that our business associates also protect the privacy of your PHI.
Other Uses and Disclosures that Require Your Prior Written Authorizations.
Other uses and disclosures of your PHI will be made only with your written authorization, unless otherwise permitted or required by law as described in this NPP. If you choose to sign an authorization to disclose your PHI, you may revoke such authorization in writing, at any time, except to the extent that action has been taken in reliance on the use or disclosure indicated in the authorization.
Other Uses and Disclosures Where You Have the opportunity to Agree or Object.
Disclosures to Family, Friends or Others (Individuals Involved in your Care or Payment of your Care): We may release PHI about you to a friend or family member who is involved in your medical care or the payment of your health care, unless you object in whole or part. If you are unable to agree or object to such a disclosure, we may disclose such information as necessary if we determine that it is in your best interest based on our professional judgment. We may use or disclose PHI to notify or assist in notifying a family member, personal representative or any other person that is responsible for your care of your location, general condition or death. Finally, we may use or disclose your PHI to an authorized public or private entity to assist in disaster relief efforts and to coordinate uses and disclosures to family or other individuals involved in your health care.
Other Uses and Disclosures that May Be Made Without Your Consent, Authorization or Opportunity to Object. We may use and disclose your PHI without your consent or authorization for the following reasons:
Required by Law: We will disclose PHI about you when required to do so by federal, state or local law and the use or disclosure complies with and is limited to the relevant requirements of such law.
For Public Health Activities: We will report information about births and deaths; to prevent or control various diseases; to report child abuse and neglect; to report reactions to medications or problems with products; to notify people of recalls of products they may be using; or to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease. All such disclosures will be made in accordance with the requirements of federal, state or local law.
About Victims of Abuse, Neglect or Domestic Violence: We may release your PHI to a public health authority that is authorized to receive reports of abuse, neglect or domestic violence.
For Health Oversight Activities: We may disclose PHI about you to a health oversight agency for activities authorized by law. These health oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, eligibility or compliance, and to enforce health-related civil rights and criminal laws.
Lawsuits and Disputes: We may disclose your PHI if we are subpoenaed or ordered to do so by a court or administrative tribunal that is handling a lawsuit or other dispute.
For Law Enforcement Purposes: We may release your PHI if asked to do so by a law enforcement official for any of the following reasons: in response to a court order, subpoena, warrant, summons or similar process; to identify or locate a suspect, fugitive, material witness, or missing person; about the victim of a crime if, under certain limited circumstances, we are unable to obtain the person's consent; about a death we believe may be the result of criminal conduct; about criminal conduct that occurred on our property; and in emergency circumstances to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime.
For Coroners, Medical Examiners and Funeral Directors: We may release PHI to a coroner or medical examiner when authorized by law. This may be necessary, for example, to determine the cause of death. We may also release PHI to funeral directors as necessary to carry out their duties.
For Organ or Tissue Donation Purposes: If you are an organ donor, we may release PHI to organ procurement organizations to assist them in organ, eye or tissue donation and transplants.
To Avert a Serious Threat to Health or Safety: In order to avoid a serious threat to the health or safety of a person or the public, we may provide PHI to law enforcement personnel or persons able to prevent or lessen such harm.
Specialized Government Functions: We may disclose PHI for national security purposes to authorized federal officials authorized by law. In addition we may disclose PHI to authorized federal officials so they may provide protection to the President, other authorized persons or foreign head of state or to conduct special investigations.
Military and Veterans Activities: If you are a member of the armed forces, we may release PHI about you as required by military command authorities. We may also release PHI about foreign military personnel to the appropriate foreign military authority.
Inmates and Correctional Institutions: If you are an inmate or you are detained by a law enforcement officer, we may disclose your PHI to the prison officers or law enforcement officers if necessary to provide you with health care, or to maintain safety, security and good order at the place where you are confined. This includes sharing PHI that is necessary to protect the health and safety of other inmates or persons involved in supervising or transporting inmates.
Workers’ Compensation: We may release PHI about you for workers’ compensation or similar programs. These programs provide benefits for work-related injuries or illness.
Emergency Situations: We may use or disclose your PHI if you need emergency treatment and we are unable to obtain your consent. If this happens, we will try to obtain your consent as soon as we reasonably can after we treat you.
Communication Barriers: We may use or disclose your PHI if we are unable to obtain your consent because of substantial communication barriers, and we believe you would want us to treat you if we could communicate with you.
Research: Under certain circumstances, we may use and disclose medical information about you for research purposes. For example, a research project may involve comparing the health and recovery of all patients who received one medication to those who received another, for the same condition. All research projects, however, are subject to a special approval process that may give us permission to disclose your information. This process evaluates a proposed research project and its use of medical information, trying to balance the research needs with the patients’ need for privacy of their medical information. Before we use or disclose medical information for research, the project will have been approved through this research approval process. We may, however, disclose medical information about you to people preparing to conduct a research project, for example, to help them look for patients with specific medical needs or on decedents. Other than under other these limited circumstances, we will ask for your written authorization before using your PHI for research purposes.
Health–Related Benefits or Services: We may use or disclose PHI to give you information about treatment alternatives or other health care services or benefits we offer and/or provide or that may be of interest to you.
Marketing: We will not disclose your PHI for marketing purposes unless you give us permission.
Fundraising: We may use PHI to contact you in an effort raise funds for our UBMD and its operations. We may also disclose PHI to other foundations or business associates so that these foundations or business associates may contact you in raising money for our UBMD. We would only release information such as name, address and phone number, the dates you received treatment or services, outcomes, and the name of the health care professional who treated you. You have the opportunity to opt out of receiving any fundraising communications. To opt out, please contact the person listed in Section 4. Contact, of this NPP.
De-identified Information: We may also disclose your PHI if it has been de-identified or if it is not possible for anyone to connect the information back to you.
Incidental Disclosure: While we will take reasonable steps to safeguard the privacy of your PHI, certain disclosures of your PHI may occur during, or as an unavoidable result of our otherwise permissible uses and disclosures of your PHI. For example, during the course of a treatment session, other patients in the treatment area may see, or overhear discussion of, your PHI.
3. INDIVIDUAL RIGHTS
The Right to Request Restrictions on Certain Uses and Disclosures of PHI.
You have the right to request a restriction or limitation on the PHI we use or disclose about you for treatment, payment or health care operations. You also have the right to request a limit on the PHI we disclose about you to someone who is involved in your care or the payment for your care, like a family member or friend. We will consider your request for restrictions, but we are not legally required to accept it. If we accept your request, we will comply with your request except in emergency situations. To request restrictions, you must make your request in writing to the contact person listed in Section 4. Contacts of this NPP. The request must include 1. what information you want to limit; 2. whether you want to limit our use, disclosure or both; and 3. to whom you want the limits to apply, for example, disclosures to your spouse.
The Right to Receive Confidential Communications of PHI.
You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail. You do not have to state a reason for your request. We will accommodate all reasonable requests. Your request must be in writing and specify how or where you wish to be contacted. To make a request please contact the person listed in Section 4. Contact, in this NPP.
The Right to Restrict Disclosure of PHI When You Pay For a Service in Full.
If you pay for a service or healthcare item out-of-pocket in full, you can ask us not to share that information for the purpose of payment or our operations with your health insurer. We will say “yes” unless a law requires us to share that information.
The Right to Inspect and Copy PHI.
You have the right to access (inspect and/or copy) medical information that may be used to make decisions about your care. Usually, this includes medical and billing records, but does not include psychotherapy notes that are maintained in separate files.
To inspect and copy medical information that may be used to make decisions about you, you must submit your request in writing to the contact person listed in Section 4. Contact, in this NPP. We will respond to your request to inspect within 10 days. We will respond to your request to copy within 30 days. If you request a copy of the information electronically or on paper, we may charge a fee for the costs of copying, mailing or other supplies associated with your request. In addition, instead of providing the PHI you requested, we may provide you with a summary or explanation of the PHI as long as you agree to that and to any associated costs in advance. In certain situations, we may deny your request. If we do, we will tell you, in writing, our reasons for the denial, explain your right to have the denial reviewed, and the process by which you may complain to UBMD or Secretary of the Department of Health and Human Services (See Section 5. Complaints, of this NPP). If you request that the denial be reviewed, another licensed health care professional chosen by UBMD will review your request and the denial. The person conducting the review will not be the person who denied your initial request. We will comply with the outcome of the review.
The Right to Amend PHI.
If you feel that medical information maintained about you is incorrect or incomplete, you may request that we amend the information. You have the right to request an amendment for as long as the information is kept by UBMD.
You must provide the request and your reason for the request in writing to the contact person listed in Section 4. Contact, in this NPP. We will ordinarily respond within 60 days of receiving your request. If we need additional time to respond, we will notify you in writing within 60 days to explain the reason for the delay and a date by which you will have a final answer to your request, which shall be no later than 90 days from the date of the original request. We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend information that 1. was not created by us, unless the person or entity that created the information is no longer available to make the amendment; 2. is not part of the medical information kept by or for UBMD; 3. is not part of the information which you would be permitted to inspect or copy; or 4. is accurate and complete. Our written denial will state the reasons for the denial, explain your right to file a written statement of disagreement with the denial, and the process by which you may complain to UBMD or Secretary of the Department of Health and Human Services (See Section 5. Complaints, of this NPP). This statement must be submitted in writing to the contact person listed in Section 4. Contact, of this NPP. If you do not file such a statement, you have the right to request that your request and our denial be attached to all future disclosures of your PHI. If we approve your request, we will make the change to your PHI, tell you that we have done so and tell others that need to know about the changes to your PHI.
The Right to Receive an Accounting of Disclosures of PHI.
You have the right to request an “accounting of disclosures.” This is a list of the disclosures we made of your PHI, but will not include uses or disclosures that you have already been informed of in this NPP, such as those made for treatment, payment or health care operations, directly to you, or to your family or pursuant to a signed authorization. The list also will not include uses and disclosures made for national security purposes, to corrections or law enforcement personnel or those made before April 14, 2003.
To request this list or accounting of disclosures, please submit your request in writing to the person listed in Section 4. Contact, of this NPP. Your request must state the time period which may not be longer than six years prior to the day of the request and may not include dates before April 14, 2003. Your request should indicate in what form you want the list (for example, on paper or electronically). The first list you request within a 12 month period will be free. For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred. We will respond to your request within 60 days. The list you receive will include 1. date of the disclosure; 2. to whom the PHI was disclosed, including their address, if known; and 3. a brief description of the PHI disclosed and the reason for the disclosure.
The Right of an Individual to Receive a Paper Copy of this NPP.
You have the right to a paper copy of this NPP. You may ask us to give you a copy of this NPP at any time. Even if you have agreed to receive this notice electronically, you are still entitled to a paper copy of this notice.
To obtain a paper copy of this NPP, please contact the person listed in Section 4. Contact.
4. CONTACT
If you have any questions about this NPP or our privacy practices please contact:
Compliance Officer
UBMD
77 Goodell Street, Suite 310
Buffalo, NY 14203
716.888.4705
5. COMPLAINTS
If you think your privacy rights have been violated or you disagree with a decision we made about access to your PHI, you may file a complaint with UBMD by contacting the person listed above in Section 4. You may also send a written complaint to the Secretary of the Department of Health and Human Services at Office of the Secretary, Department of Health & Human Services, 200 Independence Avenue, S.W., Washington, DC 20201. All complaints must be submitted in writing.
You will not be penalized for filing a complaint.
Marketing and Fundraising
Policy Statement
It is the policy of UBMD not to use or disclose identifiable health information for marketing purposes without the authorization of the individuals to whom the health information relates. It is further the policy of UBMD to allow patients to choose not to have their identifiable health information used for the purpose of institutional fundraising.
Policy Purpose
The purpose of this policy is to assure that identifiable health information is not used or disclosed for marketing purposes without an individual’s permission, except as noted below, and to assure that identifiable health information is not used or disclosed for fundraising purposes where an individual has specifically objected to inclusion of their health information for such activities.
Marketing is defined as “making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. ” Generally, if the communication is “marketing,” then the communication can occur only if UBMD first obtains an individual’s HIPAA compliant authorization. In addition, marketing also means “an arrangement between a covered entity, in exchange for direct or indirect remuneration, for the other entity or it’s affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.”
Marketing does not include (1) communications to an individual by the practice plan for treatment, case management or care coordination, or to direct or recommend alternative treatments, therapies, health care providers, or care settings where the practice plan is not receiving remuneration from 3rd party for these communications; (2) promotional gifts of nominal value provided by the practice plan; (3) communications describing health-related products and services provided by the practice plan where the practice plan is receiving remuneration for these communications; (4) communications that occur in face-to-face encounters with patients; (5) communication made to provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual, only if any financial remuneration received by the covered entity in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication.
Fundraising is defined as “the organized activity of raising funds for an institutional cause.”
Policy Standard
In the normal course of business, UBMD may communicate orally with individuals or through written correspondence about products or services that relate directly to their care and treatment as long as no remuneration from a 3rd party is received for this communication, except in the case of prescription drugs, where remuneration can be minimal (for expenses incurred as a result of the communication) and must be related to a drug already prescribed, and/or make referrals to other physicians, therapists, or specialists for purposes of treatment. This is considered a part of continuing patient care.
UBMD may further communicate with patients and other individuals regarding products ad services offered by the practice plan, may provide patients with promotional gifts of nominal value, or may otherwise communicate face-to-face with patients regarding products and services of interest to either party.
UBMD may, from time to time, engage in certain communications and fundraising activities requiring the use of identifiable health information, specifically demographic information, information related to dates of service, department of service patient was in, outcomes of service, and names of doctors involved in services to patient. This may involve the disclosure of identifiable health information to a business associate or institutional foundation necessary for compiling targeted lists and groups of individuals. UBMD may not use or disclose any other PHI for any other purposes unless a statement about such disclosures is included in the Notice of Privacy Practices.
Individuals will be allowed to “opt-out” of fundraising communications. Those individuals who choose not to have their health information used for fundraising purposes will be excluded from further fundraising communications.
Any other use or disclosure of identifiable health information for marketing or fundraising efforts will require specific individual authorization.
Procedures