HIPAA Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This Notice of Privacy Practices describes how Homewood may use and disclose your Protected Health Information (PHI) to carry out treatment, payment or health care operations and for other purposes that are permitted or required by law. It also describes your rights to access and control your PHI. “Protected Health Information” is information about you, including demographic information, that may identify you and that relates to your past, present or future physical or mental health or condition and related health care services.
Homewood is required by law to protect the privacy of your PHI, to provide you with notice regarding our legal duties and privacy practices, and to notify you in the event of a breach of your PHI. Homewood is required to abide by the terms of this Notice of Privacy Practices. We may change the terms of our Notice, at any time. The new Notice will be effective for all PHI that Homewood maintains at that time. This Notice may also be revised if there is a material change to the uses or disclosures of PHI, your rights, our legal duties, or other privacy practices stated in this Notice. Any revised Notice will be posted on our website and in a prominent location within Homewood. Additionally, upon your request, we will provide you with a copy of our revised Notice of Privacy Practices. You may request a revised version by contacting Homewood Retirement Centers, Inc., Corporate Compliance Officer at (301) 582-1626 or 16107 Elliott Parkway, Williamsport, MD 21795. If you have any questions about this Notice, you may contact Corporate Compliance Officer at (301) 582-1626 or 16107 Elliott Parkway, Williamsport, MD 21795.
1. How We May Use and Disclose Personal Health Information About You
Your PHI may be used and disclosed by Facility staff and others outside of Homewood who are involved in your care and treatment for the purpose of providing health care services to you. Your PHI may also be used and disclosed to pay your health care bills and to support the operation of Homewood.
The following categories describe the ways that Homewood uses and discloses health information. Not every use or disclosure in a category will be listed. However, all of the ways Homewood is permitted to use and disclose information will fall into one of the categories.
- a. For Treatment. We may use or disclose your PHI to provide you with medical treatment. We may disclose health information about you to physicians, nurses, nursing assistants, therapists, pharmacists, medical records personnel, or other Facility personnel who are involved in taking care of you at Homewood. For example, we may share information about your medical diagnosis with the Registered Dietician to ensure you receive the appropriate meal planning. We may also share information about your medical condition with your physician or any physician consulting on your care to assist with establishing the most effective treatment plan for you. We may also disclose health information about you to people outside Homewood who may be involved in your medical care after you leave Homewood. This may include family members, home health personnel, or hospice agencies to provide care in your home.
- b. For Payment. We may use or disclose your PHI to bill and collect payment for services or treatments we provided to you. For example, we may contact your insurance company, health plan, or another third party to obtain payment for services we provided to you.
- c. For Health Care Operations. We may use or disclose your PHI to perform certain functions within our facility should these uses or disclosures become necessary to operate our facility and to ensure that you and others we provide care and services to continue to receive quality care and services. For example, we may take your photograph for medication identification purposes or use your health information to evaluate the effectiveness of the care and services you are receiving. We may disclose your PHI to our staff (nurses, nursing assistants, physicians, staff consultants, therapists, etc.) for auditing, care planning, treatment, and learning purposes. We may also combine your health information with information from other health care providers to study how our facility is performing in comparison to like facilities or what we can do to improve the care and services we provide to you. When information is combined, we remove all information that would identify you so that others may use the information in developing research on the delivery of health care services without learning your identity.
- d. For Business Associates. There are some services provided in our Facility through contracts with Business Associates. Some examples of contracted services include pharmacy services, therapy services, podiatry services, dental services, etc. When these services are contracted, we may disclose your health information so that they can perform the job we’ve asked them to do and bill you or your third-party payer for services rendered. Whenever an arrangement between Homewood and a Business Associate involves the use or disclosure of your PHI, we will have a written contract that contains terms that will protect the privacy of your PHI.
- e. For Treatment Alternatives or Health Related Benefits. We may use or disclose your PHI, as necessary, to provide you with information about treatment alternatives or other health-related benefits and services that may be of interest to you. For example, we may inform you about a newly released medication or treatment that has a direct relationship to the treatment or medical condition. You may contact our Privacy Officer to request that these materials not be sent to you.
2. Other Uses and Disclosures that Do Not Require Your Authorization
State and federal laws and regulations either require or permit us to use or disclose your PHI without your consent or authorization in certain circumstances. The uses or disclosures that we may make without your consent or authorization include the following:
- a. As Required By Law. We may use or disclose your PHI to the extent that the use or disclosure is required by law. The use or disclosure will be made in compliance with the law and will be limited to the relevant requirements of the law. You will be notified, if required by law, of any such uses or disclosures.
- b. Public Health Activities and Reporting. Federal and state laws may require or permit Homewood to disclose certain health information related to the following:
i. Public Health Risks or Communicable Diseases. We may disclose your PHI for public health activities and purposes to a public health authority that is permitted by law to collect or receive the information. For example, a disclosure may be made for the purpose of preventing or controlling disease, injury or disability. We may disclose your PHI, if authorized by law, to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading the disease or condition.
ii. Health Oversight Activities. We may disclose PHI to a health oversight agency for activities authorized by law, such as audits, civil, criminal, or administrative investigations, inspections, licensure, or disciplinary actions. Oversight agencies seeking this information include government agencies that oversee the health care system, government benefit programs, other government regulatory programs and civil rights laws.
iii. Child Abuse. We may disclose your PHI to a public health or other appropriate government authority authorized by law to receive reports of child abuse or neglect.
iv. Abuse or Neglect. We may disclose your PHI to the appropriate government authority if we believe a resident has been the victim of abuse, neglect or domestic violence. In this case, the disclosure will be made consistent with the requirements of applicable federal and state laws.
v. Food and Drug Administration. We may disclose your PHI to a person or company required by the Food and Drug Administration for the purpose of quality, safety, or effectiveness of FDA-regulated products or activities including: to report adverse events, product defects or problems, biological product deviations, to track products; to enable product recalls; to make repairs or replacements, or to conduct post marketing surveillance, as required.
- c. Legal Proceedings. We may disclose PHI in the course of any judicial or administrative proceeding, in response to an order of a court or administrative tribunal (to the extent such disclosure is expressly authorized by such order), or in certain conditions in response to a subpoena, discovery request or other lawful process.
- d. Law Enforcement Purposes. We may disclose PHI for law enforcement purposes, to comply with laws regarding reporting of certain types of wounds and physical injuries, to comply with a summons, warrant, or subpoena. Under certain conditions, we may provide limited PHI in response to an investigative demand. We may also disclose the following limited information in response to a request by law enforcement in order to identify or locate a suspect, fugitive, or material witness: name, address, place and date of birth, social security number, blood type, type of injury, date of treatment and death, and any distinguishing or identifying physical characteristics. Upon request, we may also disclose your PHI to law enforcement if you are suspected to be a victim of a crime. In responding to such requests, we will comply with the requirements of applicable federal and state laws.
- e. Coroners, Medical Examiners, Funeral Directors, and Organ and Tissue Donation. We may disclose PHI to a coroner or medical examiner for identification purposes, determining cause of death or for the coroner or medical examiner to perform other duties authorized by law. We may also disclose PHI to a funeral director, as authorized by law, in order to permit the funeral director to carry out their duties. We may disclose such information in reasonable anticipation of death. If you are an organ donor, we may disclose PHI to organizations that handle organ procurement to facilitate donation and transplantation.
- f. Research. We may disclose your PHI for research purposes only when a privacy board or institutional review board has approved the research project. However, we may use or disclose your PHI to individuals preparing to conduct an approved research project in order to assist such individuals in identifying persons to be included in the research project. Researchers identifying persons to be included in the research project will be required to conduct all activities onsite.
- g. To Avert a Serious Threat to Health or Safety. Consistent with applicable federal and state laws, we may disclose your PHI, if we believe that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. We may also disclose PHI if it is necessary for law enforcement authorities to identify or apprehend an individual.
- h. Military and Veterans. If you are a member of the armed forces, we may disclose health information about you as required by military authorities or for the purpose of a determination by the Department of Veterans Affairs of your eligibility for benefits. We may also disclose health information about foreign military personnel to the appropriate foreign military authority.
- i. National Security. We may disclose your PHI to authorized Federal officials for intelligence, counterintelligence, and other national security activities authorized by law, including the provision of protective services to the President.
- j. Correctional Institutions and Other Law Enforcement Custodial Situations. Should you be an inmate of a correctional institution, or in custody of a law enforcement official, we may disclose to the institution, its agents, or the law enforcement official health information necessary for your health and the health and safety of others.
- k. Workers' Compensation. We may disclose your PHI as required and authorized by workers' compensation laws or other similar programs.
3. Uses and Disclosures that You May Object To
There are some ways in which Homewood uses your PHI that you may object to. If you do not wish to have your PHI disclosed for any of these purposes, you may object by providing written notification of your objection to providing your PHI for any of these purposes. The written notification must be provided to the Corporate Compliance Officer. Written objections should be addressed to Corporate Compliance Officer, C/O Homewood Retirement Centers, Inc., 16107 Elliott Parkway, Williamsport, MD 21795.
- a. Facility Directories. Unless you object, we may include information about you in Homewood Directory. This information may include your name, location in Homewood, your general condition (such as fair or stable), and your religious affiliation. All of this information, except religious affiliation, may be disclosed to people that ask for you by name. Your religious affiliation will be only given to a member of the clergy, such as a priest or rabbi.
- b. Individuals Involved in Your Health Care or Payment for your Care. Unless you object, we may disclose your PHI to your family members and friends who are involved in your care or who help pay for your care. We may also disclose your PHI to a disaster relief organization for the purposes of notifying your family and/or friends about your general condition, location, and/or status (i.e., alive or dead). If you are unable to agree or object to such a disclosure, we may disclose such information as necessary if we determine that it is in your best interest based on our professional judgment.
- c. Uses and Disclosures Related to Fundraising Activities. Unless you object, we may use certain PHI to contact you in an effort to raise money for our facility and its operations. Such fundraising communications shall provide, in a clear and conspicuous manner, the opportunity for you to opt out of receiving future fundraising communications. The information we may use will be limited to demographic information, including your name, address, age, gender, and contact information, dates for which you received treatment or services, and your health insurance status. If you do not wish to be contacted for participation in fundraising activities, you must provide us with a written notification.
4. Uses and Disclosures of Protected Health Information Requiring Authorization
Some uses and disclosures require the patient's written authorization. You may revoke this authorization in writing at any time except to the extent that we have already undertaken an action in reliance upon your authorization. If you revoke your authorization, we will no longer use or disclose your PHI for the reasons covered by your written authorization.
- a. Psychotherapy Notes. Psychotherapy Notes comprise a special category of PHI that is held to a higher standard of privacy protection than clinical records because they are separated from the rest of your medical record and are never intended to be shared with anyone else. We must receive your authorization for any use or disclosure of psychotherapy notes, except: use by the originator of the psychotherapy notes for treatment or health oversight activities; as set forth in sections 1 and 2 above; or as required by law.
- d. Marketing Communications. We must receive your authorization for any use or disclosure of PHI for marketing, except if the communication is in the form of a face-to-face communication made to you personally; or a promotional gift of nominal value provided by Homewood. It is not considered marketing to send you information related to your individual treatment, case management, care coordination or to direct or recommend alternative treatment, therapies, healthcare providers or settings of care. These may be sent without written permission. If the marketing is to result in financial remuneration to Homewood by a third party we will state this on the authorization.
- e. Sale of PHI. We must receive your authorization for any disclosure of your PHI which is a sale of PHI. Such authorization will state that the disclosure will result in remuneration to Homewood.
- f. Other Uses and Disclosures. Other uses and disclosures of your PHI not covered by one of the general categories in sections 2, 3, or 4 of this Notice will be made only with your written authorization, unless otherwise permitted or required by law as described in this Notice.
5. Our Duty to Notify in the Event of a Breach
We are required to notify you in the event that your unsecured PHI is breached. A “breach” is defined as the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of the PHI, but does not include unintentional acquisition, access or use of such information, inadvertent disclosure of such information within a facility, and disclosure to a person not reasonably able to retain it. “Unsecured protected health information” refers to PHI that is not secured through the use of a valid encryption process approved by the Secretary of Health and Human Services or the destruction of the media on which the PHI is recorded or stored. Should any of your “unsecured” PHI held by us be “breached,” then we will fully comply with the HIPAA/HITECH breach notification requirements and we will notify you as follows:
- a. Timing and Method of Notification. We will notify you no later than calendar 60 days after discovery of such breach via first-class mail or e-mail, if specified by you as your preference. If the breach involves the information of more than 500 individuals, we will also provide notice to prominent media outlets. We will also notify the Secretary of Health and Human Services of the breach (immediately if the breach involves the information of more than 500 individuals or in an annual notification for all other breaches).
- b. Contents of Notification. Our notification to you will include:
- A brief description of what happened, including the date of breach and date of discovery (if known).
- A description of the types of unsecured PHI that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved).
- Any steps you should take to protect yourself from potential harm resulting from the breach.
- A brief description of what we are doing to investigate the breach, mitigate harm to the individuals whose PHI was breached, and protect against further breaches; and
- Contact procedures for you to ask questions or learn additional information, which will include a toll-free telephone number, an e-mail address, Web site, or postal address.
6. Your Rights Regarding Your Protected Health Information
Although your health record is the property of Homewood, the information belongs to you. You have the following rights regarding your health information:
- a. Right to Request Restrictions. You have the right to request a restriction of your PHI. This means you may ask us not to use or disclose any part of your PHI for the purposes of treatment, payment or health care operations. You may also request that any part of your PHI not be disclosed to family members or friends who may be involved in your care or for notification purposes as described in this Notice of Privacy Practices. You must submit your request in writing. In your request, you must state: what information you want to limit access to; whether you want to limit use, disclosure, or both; and to whom you want the limits to apply.
Homewood is not required to agree to a restriction that you may request. If Homewood does agree to the requested restriction, Homewood will comply with your request unless the information is needed to provide you emergency treatment.
- b. Right to Request Confidential Communications. You have the right to request to receive confidential communications from Homewood by alternative means or at an alternative location. Homewood will accommodate reasonable requests. Homewood will not request an explanation from you as to the basis for the request. To make this request you must notify the Corporate Compliance Officer, Homewood Retirement Centers, Inc. You may provide your request in writing to Homewood Retirement Centers, Inc., 16107 Elliott Parkway, Williamsport, MD 21795.
- c. Right to Inspect and Copy. With some exceptions, you have the right to inspect and copy your PHI. This means you may inspect and obtain a copy of PHI about you for so long as we maintain the PHI. As permitted by federal or state law, we may charge you a reasonable fee for the costs of copying your records.
- d. Denials. Under federal law, you may not inspect or copy the following records: psychotherapy notes; information compiled in reasonable anticipation of, or use in, a civil, criminal, or administrative action or proceeding; and laboratory results that are subject to law that prohibits access to PHI. Should we deny your request to inspect and/or copy your health information, we will provide you with written notice of our reasons of the denial and your rights for requesting a review of our denial. If such review is granted or is required by law, we will select a licensed health care professional not involved in the original denial process to review your request and our reasons for denial. We will abide by the reviewer’s decision concerning your inspection/copy requests.
- e. Right to Restrict Disclosures to a Health Plan Related to Items or Services Paid Out-of-Pocket in Full. We will comply with requests from you to restrict the disclosure of your PHI to health plans for purposes of carrying out payment of health care operations and the PHI pertains solely to a health care item or service for which the provider has been paid out of pocket in full.
- f. Right to Amend. If you feel that health information in your record is incorrect or incomplete, you have the right to ask Homewood to amend your PHI. This means you may request an amendment of PHI about you in a designated record set for so long as we maintain this information. In certain cases, Homewood may deny your request for an amendment. For example, your request may be denied if the information was not created by Homewood, or if the information is accurate and complete. If your request is denied, we will provide you with a written notification of the reason(s) of such denial and your rights to have the request, the denial, and any written response you may have relative to the information and denial process appended to your health information.
- g. Right to an Accounting of Disclosures. You have the right to request an accounting of disclosures of your PHI. Your request may not include releases for more than six (6) years prior to the date of your request. This accounting will not include any of the following disclosures we may have made: for treatment, payment, or health care operations; information released to you provided in response to a request to inspect your PHI; pursuant to your written authorization; information released to your family or other people involved in your care; for Homewood's directory; for national security purposes; to correctional institutions or law enforcement officials; or as part of a limited data set that does not contain identifiable data. Your request must be in writing and must specify the time period involved. We will respond to your request with sixty (60) days of the receipt of your written request. Should additional time be needed to reply, you will be notified of such extension. However, in no case will such extension exceed thirty (30) days. The first accounting you request during a twelve (12) month period will be free. There may be a reasonable fee for additional requests during the twelve (12) month period. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred.
- h. Right to a Paper Copy of This Notice. You have the right to obtain a paper copy of this notice from us, upon request, even if you have agreed to accept this notice electronically.
You may file a complaint with Homewood or with the Secretary of Health and Human Services if you believe your privacy rights have been violated. To file a complaint with Homewood, contact the Corporate Compliance Officer at (301)582-1626 or write to Corporate Compliance Officer, C/O Homewood Retirement Centers, 16107 Elliott Parkway, Williamsport, MD 21795. You will not be penalized or retaliated against for filing a complaint.