Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Excelsior is required by law to maintain the privacy of your health information and provide you with this notice of our legal duties and privacy practices concerning your health information. Excelsior must comply with all terms described in this Notice of Privacy Practices and is required by law to provide you with a copy. This Notice of Privacy Practices describes how we may use and disclose your “protected health information” (PHI) to carry out treatment, payment, or health care operations and for the purposes that are permitted or required by law. This notice also describes your rights to control and access protected health information.
I. How we may use and disclose your PHI
Excelsior abides by all federal and state laws governing the confidentiality of your Protected Health Information. Excelsior will seek a signed “Release of Information” form from a service participant (and guardian when required) before disclosing PHI to a third party unless Excelsior is expressly allowed or required by state or federal regulations to do so without authorization.
a. Excelsior may use and share your information as we provide treatment.
45 CFR defines treatment as the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another. (45 CFR 164.501).
For example, we may need to disclose information to providers within your treatment team at Excelsior to coordinate your care. In addition, we may disclose your PHI to another health care provider (e.g., your primary care physician, pharmacy, or laboratory) for purposes of your treatment or to facilitate continuity of care with subsequent providers upon your discharge from services. Generally, this collaboration will only occur with your informed and written authorization.
b. Excelsior may use and share your information for payment.
We may use and disclose your PHI in order to obtain payment or be reimbursed for services. This may include providing information to a third-party payer or, in the case of unpaid fees, submitting your name and amount owed to a collection agency. The HIPAA Privacy Rule allows for the disclosure of PHI during common payment activities, which include, but are not limited to:
i. Determining eligibility or coverage under a plan and adjudicating claims;
ii. Risk adjustments;
iii. Billing and collection activities;
iv. Reviewing health care services for medical necessity, coverage, justification of charges, and the like;
v. Utilization review activities; and
vi. Disclosures to consumer reporting agencies (limited to specified identifying information about the individual, their payment history, and identifying information about the covered entity).
c. Excelsior may use and share your information for “Health Care Operations”
45 CFR supports that we may use or disclose your PHI in order to support the business activities of our professional practice, including disclosures to others for health care education, or to provide planning, quality assurance, peer review, or administrative, legal, financial, or actuarial services to assist in the delivery of health care, provided we have a written contract with the business that prohibits it from re-disclosing your PHI and requires it to safeguard the privacy of your PHI. We may also contact you to remind you of your appointments.
For example, we use information in your health record to assess the care and outcomes in your cases and the competence of the caregivers. We will use this information in an effort to continually improve the quality and effectiveness of the health care and services that we provide.
II. Disclosures that do NOT require your consent.
a. Required by Law:
Excelsior may use or disclose your PHI to the extent that the use or disclosure is required or authorized by law, made in compliance with the law, and limited to the relevant requirements of the law. Examples of this type of disclosure include healthcare licensure-related reports, public health reports, and law enforcement reports. Under the law, Excelsior must make certain disclosures of your PHI to you upon your request. In addition, Excelsior must make disclosures to the U.S. Secretary of the Department of Health and Human Services to investigate or determine compliance with the requirements of privacy rules.
b. Health Oversight:
Excelsior may disclose PHI to a health oversight agency for activities authorized by law, such as audits, investigations, and inspections. Oversight agencies include government agencies that oversee the health care system, government benefit programs such as Medicare or Medicaid, SCRBHO or its successor, other government programs regulating health care and civil rights laws.
c. Public Health:
Excelsior may disclose your PHI to federal, state, or local authorities or other entities charged with preventing or controlling disease, injury, or disability for public health activities. These activities may include disclosures to report reactions to medications or other products to the U.S. Food and Drug Administration or other authorized entity; disclosures to notify individuals of recalls, exposure to a disease, or risk for contracting or spreading a disease or condition.
d. Legal Proceedings:
Excelsior may disclose your PHI in response to a court or administrative order and, under certain conditions, a subpoena, discovery request, or other lawful processes.
e. Law Enforcement:
Excelsior may disclose your PHI for law enforcement purposes as required by law or in response to a court order and in certain conditions, a subpoena, warrant, summons, or similar process; to identify or locate a suspect, fugitive, material witness, or missing person; about a death resulting from criminal conduct; about crimes on the premises or against a member of our workforce; and in emergency circumstances, to report a crime, the location, victims, or the identity, description, or location of the perpetrator of a crime.
f. United States Department of Health and Human Services:
Under federal law, Excelsior is required to disclose your PHI to the U.S. Department of Health and Human Services to determine if we are in compliance with federal laws and regulations regarding the privacy of health information.
g. Research:
Under certain circumstances, Excelsior may use or disclose your PHI for research purposes. However, we will only do so if the research project has been approved by an institutional review board or privacy board that has established protocols to ensure the privacy of your PHI.
h. Coroners, Medical Examiners, and Funeral Directors:
Excelsior may release your PHI to assist in identifying a deceased person or determine a cause of death.
i. Administrator or Executor:
Excelsior may disclose your PHI to an administrator, executor, or other similarly authorized individuals under applicable state law upon your death.
j. Organ or Tissue Procurement Organizations:
Consistent with applicable law, Excelsior may disclose your PHI to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of organs for tissue donation and transplant.
k. Disaster Relief:
Excelsior may use or disclose your PHI to assist in a disaster relief effort so that your family, personal representative, or friends may be notified about your condition, status, and location.
l. Correctional Institution:
If you are or become an inmate of a correctional institution, Excelsior may disclose to the institution or its agents the PHI necessary for your health and the health and safety of others.
m. To Avert a Serious Threat to Health or Safety:
Excelsior may use and disclose your PHI to appropriate authorities to prevent a serious threat to your health and safety or the health and safety of another person or the public.
n. Military, National Security, and Intelligence Activities:
If you are a member of the armed forces, Excelsior may disclose your PHI:
(a) as required by appropriate military command authorities;
(b) to determine your eligibility for benefits provided by the Department of Veterans Affairs.
We may disclose your PHI to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law, including protective services for the President of the United States of America.
o. Workers’ Compensation:
Excelsior may disclose PHI about you to comply with the Washington State Workers’ Compensation Law. For example, we may release information to an employer regarding a workplace injury or illness or to the Department of Labor and Industries regarding a workers’ compensation claim.
III. Other Uses and Disclosures
Other uses and disclosures of your PHI will be made only with your written authorization. You may revoke your authorization in writing at any time. Such revocation will not be effective for actions Excelsior may have taken in reliance on your authorization of the use or disclosure.
a. Confidentiality of Substance Use Disorder Health Information:
Per 42 CFR Part 2 rules and requirements, all records relating to the identity, diagnosis, prognosis, or treatment of any patient in a substance abuse program that is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States are protected by federal law and regulations. As a general rule, Excelsior may not tell a person outside the programs that you attend any of these services or disclose any information identifying you as an alcohol or drug user unless:
i. You authorize the disclosure in writing
ii. The disclosure is allowed by a court order
iii. The disclosure is made to medical personnel in a medical emergency
iv. The disclosure is made to qualified personnel for research, audit, or program evaluation
v. The disclosure is made pursuant to an agreement with a qualified service organization/business associate, as appropriate.
vi. You commit or threaten to commit a crime either at our program or against any person who works for our substance use disorder programs.
IV. Your rights regarding your PHI
Although your health records are the physical property of the health care provider who completed them, you have the following rights concerning the information contained therein:
a. Right to Inspect and Copy:
You have the right to inspect and copy your health information upon request. Usually, this would include clinical and billing records, but not psychotherapy notes. You must submit your request in writing, and we will begin the process for you to review the materials within ten working days. Third-party information (material not generated by the agency) will be removed prior to viewing. We may deny your request to inspect or copy your health information in certain limited circumstances. If we deny you access, we will explain why and what your rights are, including how to seek review. If we grant access, we will tell you what, if anything, you have to do to get access. We reserve the right to charge a reasonable, cost-based fee for making copies.
b. Right to Amend:
If you feel the PHI maintained by us is incomplete or incorrect, you may request that we amend it. To request an amendment, you must submit a written request to the Excelsior Compliance Support Specialist. The request must identify (a) which information you seek to amend, (b) what corrections you would like to make, and (c) why the information needs to be amended. We may deny your request if it is not in writing or does not include a reason to support the request. Excelsior may also deny your request if you ask us to amend PHI in which:
i. We did not create the record.
ii. The records are not part of the health information we maintain to make decisions about your care.
iii. The records are not part of the health information that you would be permitted to inspect or copy.
iv. The record is accurate and complete.
Excelsior will respond to your request in writing. In our response, we will either: (a) agree to make the amendment or (b) inform you of our denial, explain our reason, and outline appeal procedures. If denied, you have the right to file a statement of disagreement with the decision. Excelsior will provide a rebuttal to your statement and maintain appropriate records of your disagreement and our rebuttal.
c. Right to an Accounting of Disclosures:
You may request an accounting of your PHI disclosures made for treatment purposes or made as a result of your authorization. Your request must state a time period no longer than 6 years from the date of the request. Excelsior may charge a reasonable fee if you request more than one accounting in any 12-month period.
d. Right to Request Restrictions:
You have the right to ask Excelsior not to use or disclose any part of your PHI for treatment, payment, healthcare operations, or to family members involved in your care. Your request for restrictions must be in writing. Excelsior is not required to agree to such restrictions. You also have the right to restrict certain disclosures of your PHI to your health plan if you pay out of pocket in full for the health care we provide to you.
e. Right to Request Confidential Communications:
You may request that Excelsior communicate with you about your health care only in a particular location or through a specific method. For example, you may request that we contact you only in writing at a specific address. To request confidential communication of your PHI, submit a written request to the Compliance Support Specialist. Excelsior will accommodate all reasonable requests. You do not need to give us a reason for the request, but your request must specify how or where you wish to be contacted.
f. Right to a Paper Copy of this Notice:
You have the right to obtain a paper copy of this Notice of Privacy Practices at any time. You may ask any staff member to supply you with a paper copy.
g. Right to Approve PHI Information Shared with Other Providers in an Integrated Health Plan:
If you are a beneficiary of a health plan under which there is an integrated health plan network and of which Excelsior is an identified provider, we will share healthcare information with other network providers, as allowed by current state and federal regulations. For healthcare information covered by 42 CFR Part 2, Excelsior will only release such information if you have authorized it to share that information within the health plan network providers or directly with Excelsior.
h. Right to PHI Breach Notification:
You have the right to be notified if the use or disclosure of your PHI was compromised. If through a risk assessment, Excelsior deems that there is a low probability that the use or disclosure compromised unsecured PHI, then breach notification is unnecessary.
V. Complaints
If you believe Excelsior has violated your privacy rights, you may file a complaint with us by contacting our HIPAA Privacy Officer at (509) 559-3100. You may also submit a complaint to the Washington Department of Health or the U.S. Secretary of Health and Human Services. Excelsior will not retaliate against you for filing a complaint.
VI. Changes to this Notice
Excelsior reserves the right to change the terms of our Notice of Privacy Practices and to make the new provisions effective for all individually identifiable health information that we maintain. Excelsior will post a copy of the most current Notice of Privacy Practices. You may also obtain a copy and request that it be provided to you via mail at any time.