PanoramaOrthopedics & Spine Center
Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
PanoramaOrthopedics & Spine Center(POSC) understands the importance of privacy, and is committed to maintaining the confidentiality of your medical information. We make a record of the medical care we provide, and may receive such records from others. We use these records to provide or enable other health care providers to provide quality medical care, to obtain payment for services provided to you as allowed by your health plan and to enable us to meet our professional and legal obligations to operate this medical practice properly.
We are required by law to provide you with this Notice explaining POSC’s privacy practices with regard to your medical information and how we may use and disclose your protected health information (PHI) for treatment, payment, and for health care operations, as well as for other purposes that are permitted or required by law. You have certain rights regarding the privacy of your protected health information and we also describe those rights in this Notice.
We are required by law to make sure that medical information about you is kept private. We are required to give you this Notice of our legal duties and privacy practices with respect to medical information about you. We are required to abide by the terms of the Notice currently in effect.
POSC reserves the right to change the provisions of our Notice and make new provisions effective for all PHI we maintain. If POSC makes a material change to our Notice, we will post the changes promptly on our website at https://www.panoramaortho.com.
If you have any questions about this policy or your rights, contact the Privacy Officer at 303-233-1223 or in writing at 660 Golden Ridge Road, Suite 250; Golden, CO 80403.
What is Protected Health Information?
Protected Health Information (PHI) consists of individually identifiable health information, which may include demographic information POSC collects from you or creates or receives by a health care provider, a health plan, your employer, or a health care clearinghouse and that relates to: (1) your past, present or future physical or mental health or condition; (2) the provision of health care to you; or (3) the past, present or future payment for the provision of health care to you.
This Notice of Privacy Practices became effective on March 16, 2012 and replaces our prior Notice of Privacy Practices.
Ways in Which We May Use and Disclose Your Protected Health Information
We will use and disclose your protected health information to provide, coordinate, or manage your health care and any related services. We will also disclose your health information to other providers who may be treating you. Additionally we may from time to time disclose your health information to another provider who has been requested to be involved in your care. For example – we may share information about you with: referring physicians, your primary care physician, a specialist, or pharmacy.
We will use and disclose your protected health information to obtain payment for the health care services we provide you. For example – we may include information with a bill to a third-party payer that identifies you, your diagnosis, procedures performed, and supplies used in rendering the service.
Health Care Operations
We will use and disclose your protected health information to support the business activities of our facilities. For example – we may use medical information about you to review and evaluate our treatment and services or to evaluate our staff’s performance while caring for you. In addition, we may disclose your health information to third party business associates who perform billing, consulting, transcription, or other services for our facility.
Other Ways We May Use and Disclose Your Protected Health Information
As Required by Law
We will use and disclose your protected health information when required to by federal, state, or local law.
We may use and disclose protected health information to remind you about appointments. If you are not home, we may leave this information with the person answering the phone or on your answering machine.
There are some services provided in our organization through contracts with business associates, third parties that perform functions or activities on our behalf that require access to protected health information. Examples include radiography services, billing clearinghouses, attorney/legal services, consultants, and patient satisfaction surveys. When these services are contracted, we may disclose your health information so the organization we contract with can perform the job we’ve asked them to do. We require the business associate to appropriately safeguard your information and to enter into a contract, called a “business associate agreement” that requires the business associate to comply with the appropriate provisions of HIPAA..
Lawsuits and Disputes
We may disclose medical information about you in response to a court or administrative order or if we are a party to litigation involving your medical care. We may also disclose medical information about you in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell you about the request or to obtain a court order protecting the information requested.
Health Oversight Activities
When authorized by law, we may disclose your protected health information to a health oversight agency for purposes of audits, civil or criminal investigations, licensure, and other inspections.
Victims of Abuse, Neglect, or Domestic Violence
When required by law or if you agree to the report and if we believe that you have been a victim of abuse, neglect, or domestic violence, we may use and disclose your protected health information to notify a government agency.
To Avert a Serious Threat to Public Health or Safety
We may disclose your health information to (a) a public health authority that is authorized by law to collect information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority, (b) a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect, (c) to a person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to a FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity such as the collection or reporting of adverse events, product defects or problems, the tracking of FDA-regulated products, to enable product recalls, repairs, or replacement, or to conduct post marketing surveillance or (d) in relation to a public health investigation into whether a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition so long as the investigating health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation.
We may disclose information to researchers when their research has been approved by an Institutional Review Board that has reviewed the research proposal and established protocols to ensure the privacy of your health information.
We will use and disclose your protected health information for worker’s compensation or similar programs that provide benefits for work-related injuries or illness.
Uses and disclosures that require POSC give you the opportunity to object or “opt out”
Others Involved in Your Care
We may provide relevant portions of your Protected Health Information (PHI) to a family member, a relative, a close friend, or any other person you identify as being involved in your medical care or payment for care. In an emergency or when you are not capable of agreeing or objecting to these disclosures, we will disclose PHI as we determine is in your best interest, but will tell you about it after the emergency, and give you the opportunity to object to future disclosures to family and friends.
Marketing and Fundraising and the Sale of PHI
We will not use or disclose your protected health information for marketing purposes unless you have provided us authorization. We do not consider nominal promotional gifts as marketing. We also reserve the right to discuss products or services we feel would be beneficial to your care. We may contact you regarding fundraising information. We will not use any protected health information without prior authorization. If you do not wish to be contacted for these efforts, please notify us. We will not sell your PHI or receive anything of value in return for providing your information for marketing or fundraising campaigns without your written authorization.
Should we receive any records or claims that contain genetic test information we may not use or disclose that information without authorization from the patient unless the use or disclosure is authorized by law to provide patient care.
Uses or Disclosures Not Covered by this Notice
Uses or disclosures of your health information not covered by this Notice or the laws that apply to us may only be made with your written authorization. You may revoke such authorization in writing at any time and we will no longer disclose health information about you for the reasons stated in your revocation. Disclosures made in reliance on the authorization prior to the revocation are not affected by the revocation.
Patient Rights Related to Protected Health Information
You have the following rights as to your protected health information in our files to:
Request an Amendment
You have the right to request that we amend your medical information if you feel that it is incomplete or inaccurate. You must make this request in writing to our Medical Records Department, stating what information is incomplete or inaccurate and the reasoning that supports your request.
We are permitted to deny your request if it is not in writing or does not include a reason to support the request. We may also deny your request if:
- The information was not created by us, or the person who created it is no longer available to make the amendment.
- The information is not part of the record which you are permitted to inspect and copy.
- The information is not part of the designated record set kept by POSC or if it is the opinion of the health care provider that the information is accurate and complete.
You have the right to request a restriction of how we use or disclose your medical information for treatment, payment, or health care operations. For example – you could request that we not disclose information about a prior treatment to a family member or friend who may be involved in your care or payment for care. Your request must be made in writing to our Medical Records Department.
We are not required to agree to your request if we feel it is in your best interest to use or disclose that information. If we do agree, we will comply with your request except for emergency treatment.
As stated later in this Notice, under HITECH, if a patient pays in full for his/her services out of pocket he/she can demand that the information regarding the service not be disclosed to the patient’s third party payer since no claim is being made against the third party payer.
Inspect and Copy
You have the right to inspect and copy the protected health information that we maintain about you in our designated record set for as long as we maintain that information. This designated record set includes your medical and billing records, as well as any other records we use for making decisions about you. We may charge you a fee for the costs of copying, mailing, or other supplies used in fulfilling your request.
If you wish to inspect or copy your medical information, you must submit your request in writing to our Medical Records Department at 660 Golden Ridge Road, Suite 250; Golden, CO 80403. We will have 30 days to respond to your request for information that we maintain at our facility. If the information is stored off-site, we are allowed up to 60 days to respond but must inform you of this delay.
As stated later, HITECH expands this right, giving individuals the right to access their own e-health record in an electronic format and to direct POSC to send the e-health record directly to a third party. POSC may only charge for labor costs under electronic transfers of e-health records.
An Accounting of Disclosures
You have the right to request a list of the disclosures of your health information we have made outside of our facility that were not for treatment, payment, or health care operations. Your request must be in writing and must state the time period for the requested information. You may not request information for any dates prior to April 14, 2003, nor for a period of time greater than six years (our legal obligation to retain information).
Your first request for a list of disclosures within a 12-month period will be free. If you request an additional list within 12-months of the first request, we may charge you a fee for the costs of providing the subsequent list. We will notify you of such costs and afford you the opportunity to withdraw your request before any costs are incurred.
Request Confidential Communications
You have the right to request how we communicate with you to preserve your privacy. For example – you may request that we call you only at your work number, e-mail or by mail at a special address or postal box. Your request must be made in writing and must specify how or where we are to contact you. We will accommodate all reasonable requests.
File a Complaint
If you believe we have violated your medical information privacy rights, you have the right to file a complaint with our facility or directly to the Secretary of the United States Department of Health and Human Services: U.S. Department of Health & Human Services | 200 Independence Avenue, S.W. | Washington, D.C. 20201. Phone: (202) 619-0257 Toll Free: (877) 696-6775.
To file a complaint with our facility, you must make it in writing. Provide as much detail as you can about the suspected violation and send it to Panorama Orthopedics & Spine Center; Attn: Privacy Officer; 660 Golden Ridge Road; Suite 250; Golden, CO 80403. You will not be retaliated against for filing a complaint.
A Paper Copy of This Notice
You have the right to receive a paper copy of this Notice, even if you agreed to receive this Notice electronically. You may request a copy of this Notice at any time by contacting our office in writing or by phone.
POSC is including the Health Information Technology for Economic and Clinical Health Act (HITECH Act) provisions to its Notice as follows:
HITECH Notification Requirements
Under a federal law amending HIPAA, the HITECH Act, POSC is required to notify patients whose unsecured PHI has been breached, that is, in general terms, disclosed to an unauthorized person, unless we determine that an exception to the requirement under the HITECH applies. Notification must occur by first class mail within 60 days of the event. A breach occurs when an unauthorized use or disclosure that compromises the privacy or security of PHI poses a significant risk for financial, reputational, or other harm to the individual. This Notice must:
(1) Contain a brief description of what happened, including the date of the breach and the date of discovery;
(2) The steps the individual should take to protect themselves from potential harm resulting from the breach;
(3) A brief description of what POSC is doing to investigate the breach, mitigate losses, and to protect against further breaches.
POSC’s Business Associate Agreements have been amended to provide that all HIPAA security administrative safeguards, physical safeguards, technical safeguards and security policies, procedures, and documentation requirements apply directly to the business associate.
HITECH states that if a patient pays in full for their services out of pocket they can demand that the information regarding the service not be disclosed to the patient’s third party payer since no claim is being made against the third party payer, unless the disclosure is required by law.
Access to E-Health Records
HITECH expands this right, giving individuals the right to access their own e-health record in an electronic format and to direct POSC to send the e-health record directly to a third party. POSC may only charge for labor costs under the new rules.
Accounting of E-Health Records for Treatment, Payment, and Health
POSC does not currently have to provide an accounting of disclosures of PHI to carry out treatment, payment, and health care operations. However, starting January 1, 2014, under present law, the Act will require POSC to provide an accounting of disclosures through an e-health record to carry out treatment, payment, and health care operations. This new accounting requirement is limited to disclosures within the three-year period prior to the individual’s request.
POSC must either: (1) provide an individual with an accounting of such disclosures it made and all of its business associates disclosures; or (2) provide an individual with an accounting of the disclosures made by POSC and a list of business associates, including their contact information, who will be responsible for providing an accounting of such disclosures upon request.