Notice of Privacy Practices
Introduction
St. Liz Hospice (referred to in this Notice as "We" or the "Agency") is committed to safeguarding the Privacy and Security of your Protected Health Information ("PHI"). We have adopted policies consistent with HIPAA's Privacy and Security laws, as amended by HITECH and the Omnibus regulations ("HIPAA Standards"), to protect the use and disclosure of your PHI.
Use means accessing, sharing, employing, applying, utilizing, examining, or analyzing your PHI within the Agency. Disclosure means our releasing, transferring, providing access to, or divulging in any other manner your PHI to a third party outside of the Agency.
Please read this Notice, available in paper form, and also posted on our website.
Not every use or disclosure of PHI, with or without authorization, may be listed in this Notice. Generally, uses or disclosures not specified in this Notice require authorization. We encourage you to share this Notice with your family or Personal Representative. If you have any questions, please call our HIPAA Privacy Officer at (213) 365-6499.
Use and Disclose of PHI
We will create, receive, or access your PHI, which we may use or disclose to other Covered Entities and their Business Associates for treatment, payment, and healthcare operations, without your need to sign an authorization.
Treatment - we will use your PHI to coordinate care within the Agency and disclose PHI to coordinate care outside of the Agency by health care professionals involved in your care. For example, physicians involved in your care will need information about your symptoms to prescribe appropriate medications. Other healthcare providers involved in your care include (but are not limited to) hospitals, pharmacists, and durable medical equipment suppliers. We may disclose medical information about you with family members, Personal Representatives, or others actively assisting you unless you request restrictions.
Payment - we will use and disclose PHI when checking with your health plan or third-party payer about eligibility, coverage, pre-certification, or when billing and submitting claims for payment of treatment we provided. For example, your health insurer may ask us to provide information regarding your healthcare status so that it reimburses you or the Agency. We also may need to obtain prior approval from your insurer and explain your need for home care and the services. We will provide it to you. You may ask us not to submit a claim containing certain PHI to your health plan or a third-party payer. We will honor your request if you pay your claim out-of-pocket in full. HIPAA permits us to disclose information to collection agencies if you do not pay your bill.
Health Care Operations - we may use and disclose PHI for our operations to facilitate the function of the Agency necessary to provide quality care to our patients. Healthcare operations include quality assessment and improvement activities, activities to improve health and reduce costs, protocol development, case management and coordination, preventive services, peer review, training activities, risk management, compliance, legal and accounting services, licensing, accreditation, certification, business management, and planning. For example, we may use health information to evaluate staff performance.
Business Associates - we may contract with outside persons or entities called Business Associates who may access, receive, create, use, or disclose PHI to perform services for us. Business Associates, including their agents and subcontractors, must protect the privacy and security of your PHI to the same extent we do.
Minimum Necessary - except when PHI is used or disclosed for treatment. We will limit the use or disclosure of your PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request of PHI.
Communicating With You, Your Family, and Representative
Communicating with You - we may contact you for scheduling or reminding you of appointments and home visits. We or one of our Business Associates may also contact you about treatment and education alternatives and options, programs, and services that may interest you. If you do not want to be contacted, you may opt out by calling our HIPAA Privacy Officer at (213) 365-6499. If you opt-out, we will not contact you further. Opting out will not affect any care, treatment, or services we provide to you. We will not sell your PHI to third parties for marketing.
Fundraising and Marketing Activities - we may contact you about fundraising or other marketing activities. If you do not want to be contacted or receive fundraising/marketing materials, you may opt-out by contacting our HIPAA Privacy Officer at (213) 365-6499. Opting out will not affect any care, treatment, or services we provide to you.
You May Request That We Contact You by Alternate Means - you may request us to contact you by alternate means or at a different telephone number, address, or email address from what you usually utilize. Let us know if you do not want us to send information to you at your home address or a particular email address, call you at home, or leave a message. You do not have to explain the reason for your request.
Family Members - most patients allow us to discuss their PHI with family members, guardians, persons named in a health care power of attorney or advanced directive (living will), Personal Representatives, or others assisting in your care or helping you with your medical bills. It may include discussing or answering questions a family member (spouse, adult children, parents, guardians, or Personal Representatives) may have about your condition, treatment, medication, refills, or appointments. It also may include answering questions about your bill. We will assume that you will permit us to talk with family members and those assisting you unless you direct us not to. We will communicate with family members or others involved in your care in emergencies or if required by the Law.
Deceased Patients - we may disclose the PHI of deceased patients to the probate court's appointed Executor or Administrator of the deceased patient's estate. We also may disclose PHI to the patient's spouse, family, Personal Representative, or others involved in the patient's care or management of the patient's affairs unless doing so is inconsistent with the patient's expressed wishes known to us. We may disclose the PHI of any deceased patient without authorization after 50 years.
Use and Disclosure of PHI by Authorization
We will not use or disclose your PHI for any purpose other than treatment, payment, or health care operations without your signed authorization except as stated in this Notice or otherwise required by Law. We will not condition your treatment on your signing an authorization. We will not disclose psychotherapy notes without a signed authorization unless required by Law. We will not release medical records if we are subpoenaed unless you sign an authorization or the lawyers signs a qualified protective order, or if we receive a court or administrative order. You may authorize us to disclose PHI to persons not covered entities or Business Associates under HIPAA. Once that information is disclosed to a non-covered person, HIPAA no longer applies. A person or entity not covered by HIPAA may use or re-disclose medical information it receives in any way that is not prohibited by Law.
You may cancel your authorization in writing at any time by notifying us in person or faxing us the written cancellation at (888) 415-5250. Once We receive your written cancellation, we will no longer disclose your PHI. We are not responsible for any use or disclosure of PHI according to the authorization before we receive your written cancellation.
Use and Disclosure of PHI When Permitted or Required by Law
We may use or disclose PHI without authorization, as permitted or required by law, including the following:
Public Health Agencies - State law may require us to disclose PHI to public health agencies for reporting births and deaths to help control disease, injury, or disability. The law requires us to report suspected abuse, neglect, or domestic violence cases.
Health Oversight and Regulatory Agencies - we will disclose PHI to certain state and federal governmental regulatory and health oversight agencies for reviewing health care systems, civil rights, privacy laws, and compliance with other governmental programs' purposes.
National and Homeland Security - we will disclose information concerning patients to authorized federal officials for intelligence and other National and Homeland Security purposes.
Protective Services for the President and Others - we may disclose medical information about you to authorized federal officials so they may provide protection to the President, other authorized persons, or foreign heads of state and officials or conduct special investigations.
Military - we may disclose PHI to the Armed Forces to assist in notifying the patient's family member of their location, general condition, or death.
Coroners, Medical Examiners, and Funeral Directors - we may disclose PHI to coroners, medical examiners, or funeral directors for them to perform legally authorized responsibilities.
Law Enforcement - we may disclose PHI to law enforcement officials when it: (1) is limited to identification purposes; (2) applies to victims of crime; (3) involves a suspicion that injury or death has occurred because of criminal conduct; (4) is needed in a criminal investigation; (5) necessary to prevent or lessen the threat to the health or safety of a person or the public; (6) in response to a valid court order; (7) to identify or locate a suspect, fugitive or missing person; (8) to report a crime on Agency premises; or (9) is required by law.
Emergency or Disaster - if the President declares an emergency or disaster, and the Secretary of HHS declares a public health emergency, the Secretary may waive our obligation to comply with any or all of the following privacy requirements to (1) obtain the patient's agreement to speak to family members or friends involved in the patient's care; (2) distribute a Notice; (3) honor a patient's right to request privacy restrictions; or (4) honor the patient's right to request confidential communications. The waiver only applies if the Agency is in the emergency area for the emergency period and up to 72 hours until the Agency implements its disaster protocol.
Prevent Threat of Serious Harm - we may disclose PHI if a reasonable belief exists that it may prevent or lessen a serious and imminent threat to the health or safety of you, another person, or the public, and disclosure is made to a person(s) reasonably able to prevent or lessen the threat, including the target of the threat.
Organ and Tissue Donation - if you are an organ or tissue donor, We may disclose medical information to the organizations that handle: (1) organ procurement; (2) organ, eye, or tissue transplantation; or (3) an organ donation bank, as applicable, to facilitate organ or tissue donation and transplantation.
Workers' Compensation - State law permits us to disclose health information, without a separate authorization, when an employee files a Workers' Compensation claim or seeks benefits for work-related injuries or illnesses
Right to Receive a Paper Copy of This Notice
You or your Personal Representative have a right to a separate paper copy of this Notice at any time, even if you or your representative have received this Notice previously. To obtain a separate paper copy, please contact the HIPAA Privacy Officer at (213) 365-6499.
Rights to Request Restrictions on Certain Uses and Disclosures of PHI
You may request that we do not disclose certain PHI to family members, Personal Representatives, friends, or others. HIPAA's Privacy Rule gives us the ability to deny a patient's request to restrict the use or disclosure of PHI when it is being used or disclosure to other covered entities for treatment purposes.
We will honor your request to restrict the use or disclosure of PHI when submitting a claim to insurance or health plan for reimbursement if you agree in writing to pay out-of-pocket the claim in full. We will consider all other requests for restricted use or disclosure of PHI on a case-by-case basis. If we cannot accommodate your request, we will let you know.
Right to Access, Inspect, and Receive a Copy of Your Own PHI
Generally, you have the right to inspect and have a copy of your own PHI in Agency records. There are exceptions. You may not have the right to inspect or copy psychotherapy notes or information compiled for civil, criminal, or administrative proceedings. Your right may not extend to information covered by other laws or information obtained from someone other than another health care provider. We may deny access if, in our judgment, seeing that information could endanger the life or safety of you or another. We may charge you at the rate the law permits for copying records.
You may request access to your PHI in writing and giving or sending it to us. We will consider all requests according to our legal responsibilities under the Privacy Rule.
We usually will respond within 30 days from when we receive the request. Sometimes, it may take more than 30 days in which case we will act as soon as reasonably practical. If we grant your request, we will set an appointment to inspect your PHI.
If you request access to PHI maintained in an electronic record, we will provide an electronic "machine-readable copy" in a standard format enabling the ePHI to be processed and analyzed by a computer to accommodate individual requests for specific formats.
Alternatively, you may ask for a written summary of your health information instead of inspecting or copying your records. We may charge you for the summary. If we are unable to grant your request, we will notify you in writing of the basis for the denial and your rights for review.
Right to Amend Incorrect or Incomplete Facts in Your PHI
You may request that incorrect or incomplete PHI in your record be amended by mailing your written request to us at 1910 W Sunset Blvd., Ste 420, Los Angeles, CA 90026.
We will timely respond to your request. We will grant your request if PHI that We created is incorrect or incomplete. We will not amend your health information if it was not created by us if it would not be available for you to inspect, or if the information is accurate and complete.
If we grant your request, we will amend the PHI. We will inform you that we have made the amendment and will inform persons who have received and may have relied on PHI that it has been amended.
If we deny your request, we will: (1) tell you in writing the reason for denial; (2) inform you of your right to submit a written statement of disagreement, which we will keep with your record and will include with future disclosures; and (3) inform you of your right to file a complaint.
If you file a statement of disagreement, we may prepare a written rebuttal. If you have questions about this right, please contact our HIPAA Privacy Officer at (213) 365-6499.
Right to Receive an Accounting of Disclosures of PHI
You have a right to receive an accounting of disclosures. We have made to others of your PHI up to six (6) years before the date on which the request for an accounting is made. There are certain exceptions and limitations, including but not limited to disclosures made: (1) for treatment, payment, or health care operations; (2) to the Individual (or Personal Representative) of his or her own PHI; and (3) according to a signed authorization.
You may request an accounting of disclosures by contacting our HIPAA Privacy Officer at (213) 365-6499. The first accounting you request within 12 months will be free. We may charge you for the cost of preparing the list for additional accountings.
Right to Receive a Breach Notification
We will promptly notify you by first-class mail at your last known address if we discover a breach of unsecured PHI, which includes the unauthorized acquisition, access, use, or disclosure of your PHI unless we determine by risk assessment that a low probability exists that the compromise of your PHI would cause you financial, reputational, or other harm.
We will include in the breach notification a brief description of what happened, a description of the types of unsecured PHI involved, steps you should take to protect yourself from potential harm, a brief description of what we are doing to investigate the breach and mitigate potential harm as well as contact information for you to ask questions and learn additional information.
Concern and Complaint Resolution
We are committed to protecting your PHI. Despite our best efforts, questions, concerns, or problems may arise. If you have a concern or believe your privacy rights have been violated or breached, we encourage you to contact us immediately. You may send us a written complaint or call our HIPAA Privacy Officer at (213) 365-6499.
We take all concerns and complaints very seriously and will investigate each promptly. If we made a mistake or learn of unauthorized disclosure or breach, we will do what we can to correct it and take steps to prevent mistakes or problems in the future. If we did not make a mistake, we will provide you with an explanation. We will make every effort to get back to you within 30 days.
We will never retaliate against you or your Personal Representative for expressing a concern or filing a complaint relating to your privacy rights. If you are not satisfied with our response or want to contact the Office for Civil Rights for the Department of Health and Human Services in Washington, D.C. without contacting us first, you must do so in writing within 180 days of the suspected violation or breach.
Changes to This Notification, Effective Date, Contact Person
We reserve the right to change this Notice at any time, which we may make effective for PHI, and we already used or disclosed any PHI. We may create, receive, use, or disclose in the future. We will make material amendments based on changes in the HIPAA laws. We will post a current version of our Notice of Privacy Practices (with the effective date) on our website www.stlizhospice.com, or at the Agency. We will offer you a copy of our most current Notice whenever you are accepted for treatment.
The original Notice of Privacy Practices was effective April 14, 2003. The amended Notice of Privacy Practices was effective September 23, 2013. The Agency has designated the HIPAA Privacy Officer as its contact person for all issues regarding patient privacy and your rights under the Federal privacy standards. You may contact this person at 1910 W Sunset Blvd., Ste. 420, Los Angeles, CA 90026, or call (213) 365-6499.