Privacy Policy
EFFECTIVE DATE OF THIS NOTICE This notice went into effect on July 5th, 2024.
HIPAA NOTICE OF PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW HEALTH INFORMATION MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
I. INTRODUCTION
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information. The Privacy Rule also gives you a fundamental right to be informed of my privacy practices as well as your privacy rights with respect to your personal health information.
II. PRIVACY RULES
HIPAA requires that I must provide you with this Notice of my privacy practices. The Privacy Rule requires that the Notice (1) describes the ways in which I may use and disclose protected health information, (2) states my duty to protect your privacy, (3) reaffirms that I will abide by the terms of the Notice, (4) describes your rights, including the right to complain to HHS and to me if you believe that your privacy rights have been violated, and (5) includes a point of contact for further information and for making complaints to me.
III. WHAT IS “PROTECTED HEALTH INFORMATION” (PHI)?
The HIPAA Privacy Rule requires that I protect your "individually identifiable health information" held or transmitted in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI). PHI constitutes information created or noted by me that can be used to identify you. “Individually identifiable health information” is information, including demographic data, that relates to:
-
Your past, present or future physical or mental health or condition,
-
the provision of health care to you, or
-
the past, present, or future payment for the provision of health care to you,
-
and that identifies you or for which there is a reasonable basis to believe it can be used to identify you, including many common identifiers (e.g., name, address, birth date, Social Security Number).
IV. IT IS MY LEGAL DUTY TO SAFEGUARD YOUR PROTECTED HEALTH INFORMATION (PHI)
Your health information is personal and private. By law, I am required to ensure that your PHI is kept private. This Notice must explain when, why, and how I would use and/or disclose your PHI. Use of PHI means when I apply, utilize, examine, or analyze information within my practice for the purpose of providing professional services; PHI is disclosed when I release, transfer, give, or otherwise reveal it to a third party outside of my practice. With some exceptions, I may not use or disclose more of your PHI than is necessary to accomplish the purpose for which the use or disclosure is made; however, I am always legally required to follow the privacy practices described in this Notice. Please note that I reserve the right to change the terms of this Notice and my privacy policies at any time. Any changes will apply to PHI already on file with me. Before I make any important changes to my policies, I will immediately change this Notice and send a new copy of it to you via mail or email based on your preference.
V. HOW I WILL USE AND DISCLOSE YOUR PROTECTED HEALTH INFORMATION
Your privacy is of great importance to me and I pledge to abide by the privacy practices described in this Notice. I will use and disclose PHI for many different reasons. I will routinely use your information to address your symptoms, problems, and personal goals. I may use your information to select methods of treatment, other additional services for you, or recommend referrals to other professionals for services I do not provide. I may use your information to review my clinical practices for quality assurance purposes, to evaluate and improve the effectiveness of health care services that you receive.
Clinical standards, ethics, and law require appropriate written records of service. I create and retain written records relating to professional service that I provide so that I am better able to assist you with your needs and provide quality service to you. I document services to show that I actually provided services to you for which I bill. Personal information I receive about you may be entered into this record.
I may be required by clinical standards, professional ethics, or law to disclose limited information to specific professionals or agencies. Some of the uses or disclosures will require your prior written authorization, whereas, other rarely occurring circumstances will not. Below you will find the different categories of my uses and disclosures, with some examples. To respect your privacy, I will try to limit the amount of information that I use or disclose to that which is the “minimum necessary” to accomplish the purpose of the use or disclosure.
A. I am permitted to use or disclose your PHI without consent or authorization for the following reasons:
1. For treatment: In the event of an emergency, or with written release from you, I may disclose your PHI to physicians, psychiatrists, psychologists, and other licensed health care providers who provide you with health care services or are otherwise involved in your care. For example, your PHI may be shared with outside entities performing ancillary services relating to your treatment, such as psychiatrists or others involved in the provision or coordination of your care.
2. For health care operations: I may use/disclose your PHI to facilitate the efficient and correct operation of my practice. For example, I may use/disclose your PHI in order to evaluate the quality of health care services that you have received.
3. To obtain payment for treatment: I may use and disclose your PHI in order to bill and collect payment for the treatment and services I provided you. I could also provide your PHI to business associates, such as billing companies, claims processing companies, and others that process health care claims for my office.
4. To Prevent a Serious Threat to Health or Safety: I may use and disclose your PHI when necessary to prevent or lessen a serious and imminent threat to a person or the public. However, any such disclosure will only be to someone who is believed to be able to help prevent the threat, such as law enforcement, or to a potential victim.
5. Treatment Emergencies: For example: Your consent is not required for the disclosure of PHI to health care providers in order to protect you from immediate physical harm. In the event that I try to get your consent, but you are unable to communicate with me, I may disclose your PHI.
6. When disclosure is required by federal, state, or local law; judicial, board, or administrative proceedings; or law enforcement: For example: I may make a disclosure to the appropriate officials when a law requires me to report information to government agencies, law enforcement personnel, and/or in an administrative proceeding.
7. If disclosure is compelled by a party to a proceeding before a court of an administrative agency pursuant to its lawful authority.
8. If disclosure is required by a search warrant lawfully issued by a governmental law enforcement agency.
9. If disclosure is compelled by the patient or the patient’s representative pursuant to California Health and Safety Codes or to corresponding federal statutes or regulations, such as the Privacy Rule that requires this Notice.
10. If disclosure is compelled or permitted by the fact that you or your child are in such mental or emotional conditions as to be dangerous to yourself or themself or the person or property of others, and if I determine that disclosure is necessary to prevent the threatened danger.
11. If disclosure is mandated by the California Child Abuse and Neglect Reporting Law: For example, If I have reasonable suspicion of child abuse or neglect.
12. If disclosure is mandated by the California Elder/Dependent Adult Abuse Reporting Law: For example, If I have a reasonable suspicion of elder abuse or dependent adult abuse.
13. If disclosure is compelled or permitted by the fact that you, your child, or someone in a close relation to you (e.g., spouse, parent, sibling) tells me of a serious/imminent threat of physical violence by you against a reasonably identifiable victim or victims.
14. Decedents: For example, if a disclosure is permitted or compelled, I may disclose PHI to funeral directors as needed, and to coroners or medical examiners to identify a deceased person and perform other functions authorized by law.
15. For health oversight activities: For example, I may be required to provide information to assist the government in the course of an investigation or audit of a health care system.
16. For Worker’s Compensation purposes: I may provide PHI in order to comply with Worker’s Compensation laws.
17. Disclosures compelled by a court order or an order of an arbitration panel or administrative agency: When arbitration is lawfully requested by either party, pursuant to subpoena duces tectum (e.g., a subpoena for mental health records) or any other provision authorizing disclosure in a proceeding before an arbitrator or arbitration panel.
18. I am permitted to contact you, without your prior authorization, to schedule appointments or provide appointment reminders or information about alternative or other health-related benefits and services that may be of interest to you.
19. If disclosure is required or permitted by a health oversight agency for oversight activities authorized by law: For example, when compelled by U.S. Secretary of Health and Human Services to investigate or assess my compliance with HIPAA regulations.
20. If disclosure is otherwise specifically required by federal, state, or local laws that are not specifically mentioned in this Notice.
B. Uses and Disclosures Requiring You to Have an Opportunity to Agree or Object
-
Disclosures to family, friends, or others: I may provide your PHI to a family member, friends, or other individuals who you indicate are involved in your care or responsible for the payment of your health care, unless you object in whole or in part. Retroactive consent may be obtained in emergency situations.
C. Other Uses and Disclosures of PHI Requiring Your Prior Written Authorization
All other disclosures of your PHI will only be made with your written consent. Beyond the rare exceptions above, I will request your written authorization before using or disclosing any of your PHI. I will not even disclose the fact that you are (or were) a patient to any third party without your consent. Even if you have signed an authorization to disclose your PHI, you may later revoke that authorization, in writing, to stop any future uses and disclosures, except to the extent that I have already undertaken an action in reliance upon your authorization, of your PHI by me.
VI. YOUR RIGHTS REGARDING YOUR PROTECTED HEALTH INFORMATION (PHI)
You have the following rights with respect to your PHI:
1. The Right to See and Get Copies of Your Record
In general, you, or your patient representative, have the right to inspect and obtain a copy of your treatment records that are in my possession; however, you must request it in writing. In general, the time between receiving the written request and fulfilling it may vary depending on the nature of the request (e.g. inspection, copies) and the length of the treatment record. Under certain circumstances, I may feel I must deny your request, but if I do, I will document the date of the request and the reasons, including the anticipated adverse consequences, for refusing to permit inspection or provide copies of the record. I will also explain your right to have my denial reviewed. In the case that your request is denied, I shall permit inspection of your treatment records by, or provide copies to, another licensed health care providers designated by your written authorization. If you ask for copies of your records, I will charge you no more than $0.25 per page. I may see fit to provide you with a summary or explanation of the records, but only if you agree to it, as well as to the cost, in advance.
2. The Right to Request Limits on Uses and Disclosures of Your PHI
You have the right to ask that I limit how I use or disclose your PHI. Requests for restrictions must be in writing. While I will consider your request, I am not legally bound to agree to the restriction. To the extent that I do agree to any restrictions on my use/disclosure of your PHI, I will put the agreement in writing and abide by it except in emergency situations. I cannot agree to limit uses/disclosures that are required by law.
3. The Right to Choose How I Send Your PHI to You
It is your right to ask that your PHI be communicated to you via an alternate address (for example, sending information to your work address rather than your home address). I am obliged to agree to your request providing that I can give you the PHI, in the format you requested, without undue inconvenience. If the means you request would incur additional financial costs to me relative to local telephone or U.S. Mail (e.g. Fed-Ex, long distance calls), I am permitted to obtain payment from you for these additional costs.
4. The Right to Get a List of the Disclosures that I Have Made
You have a right to get a list of disclosures of your PHI that I have made. The list will not include uses or disclosures to which you have already consented, i.e., those for treatment, payment, or health care operations, sent directly to you, or to your family or personal representative; neither will the list include disclosures for incident to otherwise permitted or required disclosure. After July 5th, 2024, your request can relate to disclosures going as far back as six years.
I will respond to your request for an accounting of disclosures within sixty (60) days of receiving your request. The list I give you will include disclosures made in the previous six (6) years unless you indicate a shorter period. The list will include the date of disclosure, to whom PHI was disclosed, a description of the information disclosed, and the reason for disclosure. I will provide the list to you at no cost, unless you make more than one request in the same year, in which case I will charge you a reasonable sum based on a set fee for each additional request.
5. To Request Amendment of Your PHI
If you believe that there is a mistake or missing information in my record of your PHI, you may request, in writing, that I amend the record. You will receive a response within sixty (60) days of my receipt of your request. I may deny the request, in writing, for example, if I determine that the PHI is: (a) correct and complete; (b) forbidden to be disclosed, (c) not part of my records, or (d) written by someone other than me. My denial must be in writing, and will state the reasons for denial. If you do not file a written objection, you still have the right to ask that your request and my denial be attached to any future disclosures of your PHI. If I approve your request, I will make the change(s) to the PHI. Additionally, I will tell you that the changes have been made, and I will advise all others who need to know about the change(s) to the PHI.
6. Personal Representatives
In most cases, the Privacy Rule requires me to treat a “personal representative” the same as you, with respect to uses and disclosures of your PHI and associated rights under the Rule. A personal representative is a person legally authorized to make health care decisions on your behalf or to act for a deceased individual or the estate.
7. Minors
In most cases, parents are the personal representatives for their minor children. Therefore, in most cases, parents can exercise individual rights, such as access to the medical record, on behalf of their minor children. In certain exceptional cases, the parent is not considered the personal representative. In these situations, the Privacy Rule defers to State and other law to determine the rights of parents to access and control the PHI of their minor children.
8. The Right to Get this Notice by Email
You have the right to receive a paper copy of this Notice and/or an electronic copy by email upon request.
9. To Choose How I Contact You
You have the right to ask that I send you information at an alternative address or by an alternative means. I must agree to your request as long as it is reasonably easy for me to do so.
VII. SAFEGUARDS OF YOUR PRIVACY
Protection of patient confidentiality is an important practice. Below are the specific safeguards I take in my practice:
-
My duty of confidentiality and the psychotherapist-patient privilege survive the death of a client, by law.
-
Communication by you to me, whether by phone, mail, or in person, will be handled only by me.
-
I will attempt to leave voicemail messages that are discrete if I do not know who might access your messages.
-
I will not acknowledge you if you and I inadvertently see each other in a public place, unless you initiate.
-
Patient records are not left in places in my office where others will see their contents.
-
I shred all documents containing protected health information before discarding them.
-
I keep patient information pertaining to treatment, payment, or health care operations on a computer. When a computer is used for these purposes, it is password protected. I am the only person with access to the computer and the password. Any backup files are accessible only to me and hard copies of such records are locked in a file cabinet.
-
Whenever I transmit information about you electronically (for example, faxing information), it will be done with special safeguards to insure confidentiality.
-
I prefer using email only to arrange or modify appointments. Please do not email me content related to your therapy sessions, as email is not completely secure or confidential. If you elect to communicate with me by email at some point in our work together, please be aware that all emails are retained in the logs of your and my Internet service providers. While it is unlikely that someone will be looking at these logs, they are, in theory, available to be read by the system administrator(s) of the Internet service provider. You should also know that any emails I receive from you and any responses that I send to you become a part of your legal record. Secure messaging via Simple Practice is confidential and recommended instead of email.
-
By law, I keep client records for at least seven (7) years from the date of the last treatment session. When records are destroyed due to the number of years following client termination of treatment, they are destroyed and discarded in a manner that protects patient privacy and confidentiality.
-
I do not currently have employees or volunteers in my practice; however, in the event that I do in the future, I will require a written agreement from them to maintain your privacy.
-
Any institutions outside my office that will have access to your information, such as billing services, are similarly required to protect your information by contract or law.
-
I may occasionally find it helpful to consult other professionals about a case. During a consultation, I make every effort to avoid revealing the identity of my client. The consultant is also legally bound to keep the information confidential. If you do not object, I will not tell you about these consultations unless I feel that it is important to our work together.
-
If you welcome a family member to your appointment and disclose information in their presence, that information is considered disclosed to them. I will disclose your information in such a session with your verbal permission.
To maintain the highest ethical and legal standards of protecting your privacy, I will adhere to these policies and may amend them in the future as needed to remain current with law and ethics. Any changes will apply to all information I maintain at that time.
IX. HOW TO COMPLAIN ABOUT MY PRIVACY POLICIES
If, in your opinion, I may have violated your privacy rights, or if you object to a decision I have made about access to your PHI, you are entitled to file a complaint with the person listed in section X below or myself. You may also send a written complaint to the Secretary of the Department of Health and Human Services (200 Independence Avenue, S. W., Room 509F HHH Building, Washington, DC 20201) or online http://www.hhs.gov/ocr/privacy/hipaa/complaints/
If you file a complaint about my privacy practices, I will take no retaliatory action against you.
X. PERSON TO CONTACT FOR INFORMATION ABOUT THIS NOTICE OR TO COMPLAIN ABOUT MY PRIVACY PRACTICES:
I am the Privacy Officer for my practice; I am the person responsible for developing and implementing the privacy policies and procedures of my practice. I am also the “Contact Person” for my practice. If you have questions or believe your privacy has been violated, you are encouraged to address your concerns with me, Katie Strang, PsyD at 530-349-0035. You may also contact the Office for Civil Rights Regional Headquarters for California Regional Manager, Michael Leoz, U.S. Department of Health and Human Services: 90 7 Street, Suite 4-100, San Francisco, CA 94103, 800.368.1019. I will not limit your care or take any action against you if you complain.
EFFECTIVE DATE, RESTRICTIONS, AND CHANGES TO PRIVACY POLICY
This notice will go into effect on July 5th, 2024 and remain so unless new notice provisions effective for all protected health information are enacted accordingly.