The Privacy Rule does not require the following covered entities to develop a notice:
1. Health care clearinghouses, if the only protected health information they create or receive is as a business associate of another covered entity.
2. A correctional institution that is a covered entity (e.g., that has a covered health care provider component).
3. A group health plan that provides benefits only through one or more contracts of insurance with health insurance issuers or HMOs, and that does not create or receive protected health information other than summary health information or enrollment or disenrollment information.

It is the policy of our practice that all physicians and staff preserve the integrity and the confidentiality of protected health information (PHI) pertaining to our patients. The purpose of this policy is to ensure that our practice and its physicians and staff have the necessary medical and PHI to provide the highest quality medical care possible while protecting the confidentiality of the PHI of our patients to the highest degree possible. Patients should not be afraid to provide information to our practice and its physicians and staff for purposes of treatment, payment and healthcare operations (TPO). To that end, our practice and its physicians and staff will:

Adhere to the standards set forth in the Notice of Privacy Practices.

Collect, use and disclose PHI only in conformance with state and federal laws and current patient covenants and/or authorizations, as appropriate. Our practice and its physicians and staff will not use or disclose PHI for uses outside of practice's TPO, such as marketing, employment, life insurance applications, etc. without an authorization from the patient.

Use and disclose PHI to remind patients of their appointments unless they instruct us not to.

Recognize that PHI collected about patients must be accurate, timely, complete, and available when needed. Our practice and its physicians and staff will implement reasonable measures to protect the integrity of all PHI maintained about patients.

Recognize that patients have a right to privacy.

Our practice and its physicians and staff respect the patient's individual dignity at all times.

Our practice and its physicians and staff will respect patient's privacy to the extent consistent with providing the highest quality medical care possible and with the efficient administration of the facility.

Act as responsible information stewards and treat all PHI as sensitive and confidential. Consequently, our practice and its physicians and staff will - Treat all PHI data as confidential in accordance with professional ethics, accreditation standards, and legal requirements.

Not disclose PHI data unless the patient (or his or her authorized representative) has properly authorized the release or the release is otherwise authorized by law.

Recognize that, although our practice "owns" the medical record, the patient has a right to inspect and obtain a copy of his/her PHI. In addition, patients have a right to request an amendment to his/her medical record if he/she believes his/her information is inaccurate or incomplete.

Our practice and its physicians and staff will - Permit patient's access to their medical records when their written requests are approved by our practice. If we deny their request, then we must inform the patients that they may request a review of our denial. In such cases, we will have an on-site healthcare professional review the patients' appeals.

Provide patients an opportunity to request the correction of inaccurate or incomplete PHI in their medical records in accordance with the law and professional standards.

All physicians and staff of our practice will maintain a list of certain disclosures of PHI for purposes other than TPO for each patient and those made pursuant to an authorization as required by HIPAA rules.

We will provide this list to patients upon request, so long as their requests are in writing.

All physicians and staff of our practice will adhere to any restrictions concerning the use or disclosure of PHI that patients have requested and have been approved by our practice.

All physicians and staff of our practice must adhere to this policy. Our practice will not tolerate violations of this policy. Violation of this policy is grounds for disciplinary action, up to and including termination of employment and criminal or professional sanctions in accordance with our practice's personnel rules and regulations.

Our practice may change this privacy policy in the future.

Any changes will be effective upon the release of a revised privacy policy and will be made available to patients upon request.

HIPAA Policy • HIPPA policy: - OCR HIPAA Privacy December 3, 2002 Revised April 3, 2003 1 NOTICE OF PRIVACY PRACTICES FOR PROTECTED HEALTH INFORMATION [45 CFR 164.520] Background The HIPAA Privacy Rule gives individuals a fundamental new right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information. Health plans and covered health care providers are required to develop and distribute a notice that provides a clear explanation of these rights and practices. The notice is intended to focus individuals on privacy issues and concerns, and to prompt them to have discussions with their health plans and health care providers and exercise their rights. How the Rule Works General Rule. The Privacy Rule provides that an individual has a right to adequate notice of how a covered entity may use and disclose protected health information about the individual, as well as his or her rights and the covered entity s obligations with respect to that information. Most covered entities must develop and provide individuals with this notice of their privacy practices. The Privacy Rule does not require the following covered entities to develop a notice: C Health care clearinghouses, if the only protected health information they create or receive is as a business associate of another covered entity. See 45 CFR 164.500(b)(1). C A correctional institution that is a covered entity (e.g., that has a covered health care provider component). C A group health plan that provides benefits only through one or more contracts of insurance with health insurance issuers or HMOs, and that does not create or receive protected health information other than summary health information or enrollment or disenrollment information. See 45 CFR 164.520(a). Content of the Notice. Covered entities are required to provide a notice in plain language that describes: OCR HIPAA Privacy December 3, 2002 Revised April 3, 2003 2 C How the covered entity may use and disclose protected health information about an individual. C The individual s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the covered entity. C The covered entity s legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information. C Whom individuals can contact for further information about the covered entity s privacy policies. The notice must include an effective date. See 45 CFR 164.520(b) for the specific requirements for developing the content of the notice. A covered entity is required to promptly revise and distribute its notice whenever it makes material changes to any of its privacy practices. See 45 CFR 164.520(b)(3), 164.520(c)(1)(i)(C) for health plans, and 164.520(c)(2)(iv) for covered health care providers with direct treatment relationships with individuals. Providing the Notice. C A covered entity must make its notice available to any person who asks for it. C A covered entity must prominently post and make available its notice on any web site it maintains that provides information about its customer services or benefits. C Health Plans must also: < Provide the notice to individuals then covered by the plan no later than April 14, 2003 (April 14, 2004, for small health plans) and to new enrollees at the time of enrollment. < Provide a revised notice to individuals then covered by the plan within 60 days of a material revision. < Notify individuals then covered by the plan of the availability of and how to obtain the notice at least once every three years. C Covered Direct Treatment Providers must also: OCR HIPAA Privacy December 3, 2002 Revised April 3, 2003 3 < Provide the notice to the individual no later than the date of first service delivery (after the April 14, 2003 compliance date of the Privacy Rule) and, except in an emergency treatment situation, make a good faith effort to obtain the individual s written acknowledgment of receipt of the notice. If an acknowledgment cannot be obtained, the provider must document his or her efforts to obtain the acknowledgment and the reason why it was not obtained. < When first service delivery to an individual is provided over the Internet, through e-mail, or otherwise electronically, the provider must send an electronic notice automatically and contemporaneously in response to the individual s first request for service. The provider must make a good faith effort to obtain a return receipt or other transmission from the individual in response to receiving the notice. < In an emergency treatment situation, provide the notice as soon as it is reasonably practicable to do so after the emergency situation has ended. In these situations, providers are not required to make a good faith effort to obtain a written acknowledgment from individuals. < Make the latest notice (i.e., the one that reflects any changes in privacy policies) available at the provider s office or facility for individuals to request to take with them, and post it in a clear and prominent location at the facility. C A covered entity may e-mail the notice to an individual if the individual agrees to receive an electronic notice. See 45 CFR 164.520(c) for the specific requirements for providing the notice. Organizational Options. C Any covered entity, including a hybrid entity or an affiliated covered entity, may choose to develop more than one notice, such as when an entity performs different types of covered functions (i.e., the functions that make it a health plan, a health care provider, or a health care clearinghouse) and there are variations in its privacy practices among these covered functions. Covered entities are encouraged to provide individuals with the most specific notice possible. C Covered entities that participate in an organized health care arrangement may choose to produce a single, joint notice if certain requirements are met. For example, the joint notice must describe the covered entities and the service OCR HIPAA Privacy December 3, 2002 Revised April 3, 2003 4 delivery sites to which it applies. If any one of the participating covered entities provides the joint notice to an individual, the notice distribution requirement with respect to that individual is met for all of the covered entities. See 45 CFR 164.520(d). Frequently Asked Questions To see Privacy Rule FAQs, click the desired link below: FAQs on Notice of Privacy Practices FAQs on ALL Privacy Rule Topics (You can also go to http://answers.hhs.gov/cgi-bin/hhs.cfg/php/enduser/std_alp.php, then select "Privacy of Health Information/HIPAA" from the Category drop down list and click the Search button.)