Notice of Privacy Policies
This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
For purposes of this Notice “us”, “we” and “our” refers to the practice of John A. Lindsay, DDS, PA and “you” or “your” refers to our patients (or their legal representatives as determined by us in accordance with Florida informed consent law). When you receive health-care services from us, we will obtain access to your medical information (e.g., your health history). We are committed to maintaining the privacy of your health information and we have implemented numerous procedures to ensure that we do so.
Florida law and the Health Insurance Portability & Accountability Act of 1996 (HIPAA) require us to maintain the confidentiality of all of your health-care records and other individually identifiable health information used by or disclosed to us in any form, whether electronically, on paper or orally (“PHI” or Protected Health Information). HIPAA is a federal law that gives you significant new rights to understand and control how your health information is used. HIPAA and Florida law provide penalties for covered entities and records owners, respectively, that misuse or improperly disclose PHI.
Starting April 14, 2003, HIPAA requires us to provide you with this Notice of our legal duties and the privacy practices we are required to follow when you first come into our office for health-care services. If you have any questions about this Notice, please ask to speak to our Privacy Officer, Ms. Rebecca Johnson-Clements at 561-997-4080 or firstname.lastname@example.org.
Our doctors, clinical staff, Business Associates (outside contractors we hire), employees and other office personnel follow the policies and procedures set forth in this Notice. If your regular doctor is unavailable to assist you (e.g. illness, on-call coverage, vacation, etc.), we may provide you with the name of another health-care provider outside our practice for you to consult with by telephone. If we
Our Rules on How We May Use and Disclose Your Protected Health Information
do so, that provider will follow the policies and procedures set forth in this Notice or those established for his or her practice, so long as they substantially conform to those for our practice.
Under the law (§456.074, Fla. Stats., and HIPAA), we must have your signature on a written, dated Consent form and/or an Authorization form (not an Acknowledgement form) before we will use and disclose your PHI for certain purposes as detailed in the rules below.
Documentation – You will be asked to sign a Consent form and/or an Authorization form when you receive this Notice of Privacy Practices. If you did not sign such a form or need a copy of the one you signed, please contact our Privacy Officer. You may take back or revoke your Consent or Authorization at any time (unless we have already acted based on it) by submitting a Revocation form in writing to us at our address. Your revocation will take effect, when we actually receive it. We cannot give it retroactive effect, so it will not affect any use or disclosure that occurred in our reliance on your Consent or Authorization prior to revocation (e.g., if after we provide services to you, you revoke your Authorization or Consent in order to prevent us billing or collecting for those service, your revocation will have no effect because we relied on your Authorization or Consent to provide services before you revoked it).
General Rule – If you do not sign our Consent form or if you revoke it, as a general rule (subject to exceptions described below under “Healthcare Treatment, Payment and Operations Rule” and “Special Rules”), we cannot in any manner use or disclose to anyone (excluding you, but including payers and Business Associates) your PHI or any other information in your medical record. Under Florida law, we are unable to submit claims to payers under assignment of benefits without your signature on our Consent form. We will not condition treatment on your signing an Authorization, but we may be forced to decline you as a new patient or discontinue you as an active patient if you choose not to sign the Consent or revoke it.
Health-care Treatment, Payment and Operations Rule – With your signed Consent, we may use or disclose your PHI in order:
Special Rules – Notwithstanding anything else contained in this Notice, only in accordance with applicable law, and under strictly limited circumstances, we may use or disclose your PHI without your permission, Consent or Authorization for the following purposes:
Minimum Necessary Rule – Our staff will not use or access your PHI unless it is necessary to do their jobs (e.g., doctors uninvolved in your care will not access your PHI; ancillary clinical staff caring for you will not access your billing information; billing staff will not access your PHI except as needed to complete the claim form for the latest visit; janitorial staff will not access your PHI). Also, we disclose to others outside our staff only as much of your PHI as is necessary to accomplish the recipient’s lawful purposes. For example, we may use and disclose the entire contents of your medical record:
In accordance with the law, we presume that requests for disclosure of PHI from another Covered Entity (as defined in HIPAA) are for the minimum necessary amount of PHI to accomplish the requester’s purpose. Our Privacy Officer will individually review unusual or non-recurring requests for PHI to determine the minimum necessary amount of PHI and disclose only that. For non-routine requests of disclosures, the Plan’s Privacy Officer will make a minimum necessary determination based on, but not limited to, the following factors:
If we believe that a request from others for disclosure of your entire medical record is unnecessary, we will ask the requester to document why this is needed, retain that documentation and make it available to you upon request.
Incidental Disclosure Rule – We will take reasonable administrative, technical and security safeguards to ensure the privacy of your PHI when we use or disclose (e.g., we require employees to talk softly when discussing PHI with you, we use computer passwords and change them periodically [e.g., when an employee leaves us], we allow access to areas where PHI is stored or filed only when we are present to supervise and prevent unauthorized access).
Business Associate Rule – Business Associates and other third parties (if any) that receive your PHI from us will be prohibited from re-disclosing it unless required to do so by law or you give prior express written consent to the re-disclosure. Nothing in our Business Associate agreement will allow our Business Associate to violate this re-disclosure prohibition.
Super-confidential Information Rule – If we have PHI about you regarding HIV testing, alcohol- or substance-abuse diagnosis and treatment, or psychotherapy and mental-health records (super-confidential information under the law), we will not disclose it under the General or Health-care Treatment, Payment and Operations Rules (see above) without you first signing and properly completing our Consent form (i.e., you specifically must initial the type of super-confidential information we are allowed to disclose). If you do not specifically authorize disclosure by initialing the super-confidential information, we will not disclose it unless authorized under the Special Rules (see above) (e.g., we are required by law to disclose it). If we disclose super-confidential information (either because you have initialed the Consent form or the Special Rules authorize us to do so), we will comply with state and federal law that requires us to warn the recipient in writing that re-disclosure is prohibited.
Faxing, E-mailing and Website Rules – When you request us to fax or e-mail your PHI as an alternative communication and we agree to do so, we may fax or e-mail super-confidential information; we will not use fax or e-mail for emergency communication without knowing that the recipient is expecting the message; have only our Privacy Officer or your treating doctor fax or e-mail your PHI; have our Privacy Officer confirm that the fax number or e-mail address is correct before sending the message and ensure that the intended recipient has sole access to the fax machine or computer before sending the message; confirm receipt; locate our fax machine or computer in a secure location so unauthorized access and viewing is prevented; use a fax cover sheet so the PHI is not the first page to print out (because unauthorized persons may view the top page); and attach an appropriate privacy notice to the message. When viewing our website statistics in aggregate, that is, non-identifiable statistics will become available to us. These statistics will not be linked to you specifically. When submitting information via our website of a personally identifiable nature, that information will remain subject to this Notice’s provisions in other areas. Access to the website may be interrupted at any time and patients must not rely solely on its availability for access of practice information or access to this Notice.
Inactive Patient Records – We will retain your records for seven years from your last treatment or examination, at which point you will become an inactive patient in our practice and we may destroy your records at that time (but records of inactive minor patients will not be destroyed before the child’s eight birthday). We will do so only in accordance with the law (e.g., in a confidential manner, with a Business Associate agreement prohibiting re-disclosure if necessary).
Collections and Marketing – If we use or disclose your PHI for marketing (i.e., communications that encourage recipients to purchase or use a product or service) or collections purposes, we will do so only in accordance with the law.
Changes to Privacy Policies Rule – We reserve the right to change our privacy practices (by changing the terms of this Notice) at any time as authorized by law. The changes will be effective immediately upon us making them. They will apply to all PHI we create or receive in the future, as well as to all PHI created or received by us in the past (i.e., to PHI about you that we had before the changes took effect). If we make changes, we will post the changed Notice, along with its effective date, on our website. Also, upon request, you will be given a copy of our current Notice.
Authorization Rule – We will not use or disclose your PHI for any purpose or to any person other than as stated in the rules above without your signature on a specifically worded, written Authorization form (not a Consent or any Acknowledgement). If we need your Authorization, we must obtain it on our Authorization form, which is separate from any Consent or Acknowledgement we may have obtained from you. We will not condition treatment on whether you sign the Authorization (or not).
Your Rights Regarding Your Protected Health Information
If you got this Notice via e-mail or a Website, you have the right to get, at any time, a paper copy by asking our Privacy Officer. Also, you have the following additional rights regarding PHI we maintain about you:
To Inspect and Copy – You have the right to see and get a copy of your PHI including, but not limited to, medical and billing records by submitting a written request to our Privacy Officer on our Request to Inspect, Copy or Summarize form. Original records will not leave the premises, will be available for inspection only during our regular business hours, and only if our Privacy Officer is present at all times. You may ask us to give you the copies in a format other than photocopies (and we will do so unless we determine that it is impracticable) or ask us to prepare a summary in lieu of the copies. We may charge you a fee not to exceed Florida law to recover our costs (including postage, supplies and staff time as applicable, but excluding staff time for search and retrieval) to duplicate or summarize your PHI. We will respond to requests in a timely manner, without delay for legal review, in less than 30 days if submitted in writing on our form or otherwise, and in 10 business days or less if malpractice litigation or pre-suit production is involved. We may deny your request in certain limited circumstances (i.e., we do not have the PHI, it came from a confidential source, etc). If we deny your request, you may ask for a review of that decision. If required by law, we will select a licensed health-care professional (other than the person who denied your request initially) to review the denial and we will follow his or her decision. If we select a licensed health-care professional who is not affiliated with us, we will ensure a Business Associate agreement is executed that prevents re-disclosure of your PHI without your consent by the outside professional.
To Request Amendment/Correction – If another doctor involved in your care tells us in writing to change your PHI, we will do so as expeditiously as possible upon receipt of the changes and will send you written confirmation that we have made the changes. If you think PHI we have about you is incorrect, or that something important is missing from your records, you may ask us to amend or correct it (so long as we have it) by submitting a Request for Amendment/Correction form to our Privacy Officer. We normally will act on your request within 60 days from receipt, but we may extend our response time (within the 60-day period) no more than once and by no more than 30 days, in which case we will notify you in writing why and when we will be able to respond. If we grant your request, we will let you know within five business days, make the changes by noting (not deleting) what is incorrect or incomplete and adding to it the changed language, and send the changes within five business days to persons you ask us to and persons we know may rely on incorrect or incomplete PHI to your detriment (or already have). We may deny your request under certain circumstances (e.g., it is not in wirting, it does not give a reason why you want the change, we did not create the PHI you want changed and the entity that did cannot be contacted, it was compiled for the use in litigation, or we determine it is accurate and complete). If we deny your request, we will (in writing within five business days) tell you: why and how to file a complaint with us if you disagree, that you may submit a written disagreement with our denial (and we may submit a written rebuttal and give you a copy of it), that you may ask us to disclose your initial request and our denial when we make future disclosures of PHI pertaining to your request, and that you may complain to us and the U.S. Department of Health and Human Services.
To an Accounting of Disclosures – You may ask us for a list of those who got your PHI from us by submitting a Request for Accounting of Disclosures form to us. The list will not cover some disclosures (e.g., PHI given to you, given to your legal representative, given to others for treatment, payment for healthcare operations purposes). Your request must state in what form you want the list (e.g., paper or electronically) and the time period you want us to cover, which may be up to but no more than the last six years (excluding dates before April 14, 2003). If you ask us for this list more than once in a 12-month period, we may charge you a reasonable, cost-based fee to respond, in which case we will tell you the cost before we incur it and let you choose if you want to withdraw or modify your request to avoid the cost.
To Request Restrictions – You may ask us to limit how your PHI is used and disclosed (i.e. in addition to our rules as set forth in this Notice) by submitting a written Request for Restrictions on Use/Disclosure form to us (e.g., you may not want us to disclose your surgery to family members or friends involved in paying for our services or providing your home care). If we agree to these additional limitations, we will follow them except in an emergency where we will not have time to check for limitations. Also, in some circumstances we may be unable to grant your request (e.g., we are required by law to use or disclose your PHI in a manner that you want restricted; you signed an Authorization form, which you may revoke, that allows us to use or disclose your PHI in the manner you want restricted; in an emergency).
These privacy practices will be effective September 1, 2004, and will remain in effect until we replace them as specified above.