Panorama Orthopedics & Spine  Center

Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED  AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE  REVIEW IT CAREFULLY.

PanoramaOrthopedics & Spine Center(POSC) understands the importance of  privacy, and is committed to maintaining the confidentiality of your medical  information. We make a record of the medical care we provide, and may receive  such records from others. We use these records to provide or enable other health  care providers to provide quality medical care, to obtain payment for services  provided to you as allowed by your health plan and to enable us to meet our  professional and legal obligations to operate this medical practice  properly.

We are required by law to provide you with this Notice explaining POSC’s  privacy practices with regard to your medical information and how we may use and  disclose your protected health information (PHI) for treatment, payment, and for  health care operations, as well as for other purposes that are permitted or  required by law. You have certain rights regarding the privacy of your protected  health information and we also describe those rights in this Notice.

We are required by law to make sure that medical information about you is  kept private. We are required to give you this Notice of our legal duties and  privacy practices with respect to medical information about you. We are required  to abide by the terms of the Notice currently in effect.

POSC reserves the right to change the provisions of our Notice and make new  provisions effective for all PHI we maintain. If POSC makes a material change to  our Notice, we will post the changes promptly on our website at  https://www.panoramaortho.com.

If you have any questions about this policy or your rights, contact the  Privacy Officer at 303-233-1223 or in writing at 660 Golden Ridge Road, Suite  250; Golden, CO 80403.

What is Protected Health Information?

Protected Health Information (PHI) consists of individually identifiable  health information, which may include demographic information POSC collects from  you or creates or receives by a health care provider, a health plan, your  employer, or a health care clearinghouse and that relates to: (1) your past,  present or future physical or mental health or condition; (2) the provision of  health care to you; or (3) the past, present or future payment for the provision  of health care to you.

Effective Date

This Notice of Privacy Practices became effective  on March 16, 2012 and  replaces our prior Notice of Privacy Practices.

Ways in Which We May Use and Disclose Your Protected Health  Information

Treatment

We will use and disclose your protected health information to provide,  coordinate, or manage your health care and any related services. We will also  disclose your health information to other providers who may be treating you.  Additionally we may from time to time disclose your health information to  another provider who has been requested to be involved in your care. For example  – we may share information about you with: referring physicians, your primary  care physician, a specialist, or pharmacy.

Payment

We will use and disclose your protected health information to obtain payment  for the health care services we provide you. For example – we may include  information with a bill to a third-party payer that identifies you, your  diagnosis, procedures performed, and supplies used in rendering the  service.

Health Care Operations

We will use and disclose your protected health information to support the  business activities of our facilities. For example – we may use medical  information about you to review and evaluate our treatment and services or to  evaluate our staff’s performance while caring for you. In addition, we may  disclose your health information to third party business associates who perform  billing, consulting, transcription, or other services for our facility.

Other Ways We May Use and Disclose Your Protected Health  Information

As Required by Law

We will use and disclose your protected health information when required to  by federal, state, or local law.

Appointment Reminders

We may use and disclose protected health information to remind you about  appointments. If you are not home, we may leave this information with the person  answering the phone or on your answering machine.

Business Associates

There are some services provided in our organization through contracts with  business associates, third parties that perform functions or activities on our  behalf that require access to protected health information. Examples include  radiography services, billing clearinghouses, attorney/legal services,  consultants, and patient satisfaction surveys. When these services are  contracted, we may disclose your health information so the organization we  contract with can perform the job we’ve asked them to do. We require the  business associate to appropriately safeguard your information and to enter into  a contract, called a “business associate agreement” that requires the business  associate to comply with the appropriate provisions of HIPAA..

Lawsuits and Disputes

We may disclose medical information about you in response to a court or  administrative order or if we are a party to litigation involving your medical  care. We may also disclose medical information about you in response to a  subpoena, discovery request, or other lawful process by someone else involved in  the dispute, but only if efforts have been made to tell you about the request or  to obtain a court order protecting the information requested.

Health Oversight Activities

When authorized by law, we may disclose your protected health information to  a health oversight agency for purposes of audits, civil or criminal  investigations, licensure, and other inspections.

Victims of Abuse, Neglect, or Domestic Violence

When required by law or if you agree to the report and if we believe that you  have been a victim of abuse, neglect, or domestic violence, we may use and  disclose your protected health information to notify a government agency.

To Avert a Serious Threat to Public Health or Safety 

We may disclose your health information to (a) a public health authority that  is authorized by law to collect information for the purpose of preventing or  controlling disease, injury, or disability, including, but not limited to, the  reporting of disease, injury, vital events such as birth or death, and the  conduct of public health surveillance, public health investigations, and public  health interventions; or, at the direction of a public health authority, to an  official of a foreign government agency that is acting in collaboration with a  public health authority, (b) a public health authority or other appropriate  government authority authorized by law to receive reports of child abuse or  neglect, (c) to a person subject to the jurisdiction of the Food and Drug  Administration (FDA) with respect to a FDA-regulated product or activity for  which that person has responsibility, for the purpose of activities related to  the quality, safety or effectiveness of such FDA-regulated product or activity  such as the collection or reporting of adverse events, product defects or  problems, the tracking of FDA-regulated products, to enable product recalls,  repairs, or replacement, or to conduct post marketing surveillance or (d) in  relation to a public health investigation into whether a person who may have  been exposed to a communicable disease or may otherwise be at risk of  contracting or spreading a disease or condition so long as the investigating  health authority is authorized by law to notify such person as necessary in the  conduct of a public health intervention or investigation.

Research

We may disclose information to researchers when their research has been  approved by an Institutional Review Board that has reviewed the research  proposal and established protocols to ensure the privacy of your health  information.

Worker’s Compensation

We will use and disclose your protected health information for worker’s  compensation or similar programs that provide benefits for work-related injuries  or illness.

Uses and disclosures that require POSC give you the opportunity to  object or “opt out”

Others Involved in Your Care

We may provide relevant portions of your Protected Health Information (PHI)  to a family member, a relative, a close friend, or any other person you identify  as being involved in your medical care or payment for care. In an emergency or  when you are not capable of agreeing or objecting to these disclosures, we will  disclose PHI as we determine is in your best interest, but will tell you about  it after the emergency, and give you the opportunity to object to future  disclosures to family and friends.

Marketing and Fundraising and the Sale of PHI

We will not use or disclose your protected health information for marketing  purposes unless you have provided us authorization.  We do not consider nominal  promotional gifts as marketing.  We also reserve the right to discuss products  or services we feel would be beneficial to your care.  We may contact you  regarding fundraising information.  We will not use any protected health  information without prior authorization.  If you do not wish to be contacted for  these efforts, please notify us.  We will not sell your PHI or receive anything  of value in return for providing your information for marketing or fundraising  campaigns without your written authorization.

Genetic Information

Should we receive any records or claims that contain genetic test information  we may not use or disclose that information without authorization from the  patient unless the use or disclosure is authorized by law to provide patient  care.

Uses or Disclosures Not Covered by this Notice

Uses or disclosures of your health information not covered by this Notice or  the laws that apply to us may only be made with your written authorization. You  may revoke such authorization in writing at any time and we will no longer  disclose health information about you for the reasons stated in your revocation.  Disclosures made in reliance on the authorization prior to the revocation are  not affected by the revocation.

Patient Rights Related to Protected Health Information

You have the following rights as to your protected health information in our  files to:

Request an Amendment

You have the right to request that we amend your medical information if you  feel that it is incomplete or inaccurate. You must make this request in writing  to our Medical Records Department, stating what information is incomplete or  inaccurate and the reasoning that supports your request.

We are permitted to deny your request if it is not in writing or does not  include a reason to support the request. We may also deny your request if:

  • The information was not created by us, or the person who created it is no  longer available to make the amendment.
  • The information is not part of the record which you are permitted to inspect  and copy.
  • The information is not part of the designated record set kept by POSC or if  it is the opinion of the health care provider that the information is accurate  and complete.

Request Restrictions

You have the right to request a restriction of how we use or disclose your  medical information for treatment, payment, or health care operations. For  example – you could request that we not disclose information about a prior  treatment to a family member or friend who may be involved in your care or  payment for care. Your request must be made in writing to our Medical Records  Department.

We are not required to agree to your request if we feel it is in your best  interest to use or disclose that information. If we do agree, we will comply  with your request except for emergency treatment.

As stated later in this Notice, under HITECH, if a patient pays in full for  his/her services out of pocket he/she can demand that the information regarding  the service not be disclosed to the patient’s third party payer since no claim  is being made against the third party payer.

Inspect and Copy

You have the right to inspect and copy the protected health information that  we maintain about you in our designated record set for as long as we maintain  that information. This designated record set includes your medical and billing  records, as well as any other records we use for making decisions about you. We  may charge you a fee for the costs of copying, mailing, or other supplies used  in fulfilling your request.

If you wish to inspect or copy your medical information, you must submit your  request in writing to our Medical Records Department at 660 Golden Ridge Road,  Suite 250; Golden, CO  80403. We will have 30 days to respond to your request  for information that we maintain at our facility. If the information is stored  off-site, we are allowed up to 60 days to respond but must inform you of this  delay.

As stated later, HITECH expands this right, giving individuals the right to  access their own e-health record in an electronic format and to direct POSC to  send the e-health record directly to a third party. POSC may only charge for  labor costs under electronic transfers of e-health records.

An Accounting of Disclosures

You have the right to request a list of the disclosures of your health  information we have made outside of our facility that were not for treatment,  payment, or health care operations. Your request must be in writing and must  state the time period for the requested information. You may not request  information for any dates prior to April 14, 2003, nor for a period of time  greater than six years (our legal obligation to retain information).

Your first request for a list of disclosures within a 12-month period will be  free. If you request an additional list within 12-months of the first request,  we may charge you a fee for the costs of providing the subsequent list. We will  notify you of such costs and afford you the opportunity to withdraw your request  before any costs are incurred.

Request Confidential Communications

You have the right to request how we communicate with you to preserve your  privacy. For example – you may request that we call you only at your work  number, e-mail or by mail at a special address or postal box. Your request must  be made in writing and must specify how or where we are to contact you. We will  accommodate all reasonable requests.

File a Complaint

If you believe we have violated your medical information privacy rights, you  have the right to file a complaint with our facility or directly to the  Secretary of the United States Department of Health and Human Services: U.S.  Department of Health & Human Services | 200 Independence Avenue, S.W. |  Washington, D.C. 20201. Phone: (202) 619-0257 Toll Free: (877) 696-6775.

To file a complaint with our facility, you must make it in writing. Provide  as much detail as you can about the suspected violation and send it to Panorama  Orthopedics & Spine Center; Attn: Privacy Officer; 660 Golden Ridge Road;  Suite 250; Golden, CO 80403.  You will not be retaliated against for filing a  complaint.

A Paper Copy of This Notice

You have the right to receive a paper copy of this Notice, even if you agreed  to receive this Notice electronically. You may request a copy of this Notice at  any time by contacting our office in writing or by phone.

HITECH Amendments

POSC is including the Health Information Technology for Economic and Clinical  Health Act (HITECH Act) provisions to its Notice as follows:

HITECH Notification Requirements

Under a federal law amending HIPAA, the HITECH Act, POSC is required to  notify patients whose unsecured PHI has been breached, that is, in general  terms,  disclosed to an unauthorized person, unless we determine that an  exception to the requirement under the HITECH applies. Notification must occur  by first class mail within 60 days of the event. A breach occurs when an  unauthorized use or disclosure that compromises the privacy or security of PHI  poses a significant risk for financial, reputational, or other harm to the  individual. This Notice must:
(1) Contain a brief description of what  happened, including the date of the breach and the date of discovery;
(2) The  steps the individual should take to protect themselves from potential harm  resulting from the breach;
(3) A brief description of what POSC is doing to  investigate the breach, mitigate losses, and to protect against further  breaches.

Business Associates

POSC’s Business Associate Agreements have been amended to provide that all  HIPAA security administrative safeguards, physical safeguards, technical  safeguards and security policies, procedures, and documentation requirements  apply directly to the business associate.

Cash Patients/Clients

HITECH states that if a patient pays in full for their services out of pocket  they can demand that the information regarding the service not be disclosed to  the patient’s third party payer since no claim is being made against the third  party payer, unless the disclosure is required by law.

Access to E-Health Records

HITECH expands this right, giving individuals the right to access their own  e-health record in an electronic format and to direct POSC to send the e-health  record directly to a third party. POSC may only charge for labor costs under the  new rules.

Accounting of E-Health Records for Treatment, Payment, and Health 

POSC does not currently have to provide an accounting of disclosures of PHI  to carry out treatment, payment, and health care operations. However, starting  January 1, 2014, under present law, the Act will require POSC to provide an  accounting of disclosures through an e-health record to carry out treatment,  payment, and health care operations. This new accounting requirement is limited  to disclosures within the three-year period prior to the individual’s  request.

POSC must either: (1) provide an individual with an accounting of such  disclosures it made and all of its business associates disclosures; or (2)  provide an individual with an accounting of the disclosures made by POSC and a  list of business associates, including their contact information, who will be  responsible for providing an accounting of such disclosures upon request.