HIPAA Notice of Privacy Practices
Notice of Psychologists’ Policies and Practices to Protect the Privacy of Your Health Information
This notice describes how psychological and medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
I. Uses and Disclosures for Treatment, Payment, and Health Care Operations
I may use or disclose your protected health information (PHI) for treatment, payment, and health care operations purposes with your consent. To help clarify these terms, here are some definitions:
“PHI” refers to information in your health record that could identify you.
“Treatment, Payment and Health Care Operations”
- Treatment is when I provide, coordinate or manage your health care and other services related to your health care. An example of treatment would be when I consult with another health care provider, such as your family physician or another psychologist.
- Payment is when I obtain reimbursement for your healthcare. Examples of payment are when I disclose your PHI to your health insurer to obtain reimbursement for your health care or to determine eligibility or coverage.
- Health Care Operations are activities that relate to the performance and operation of my practice. Examples of health care operations are quality assessment and improvement activities, business-related matters such as audits and administrative services, and case management and care coordination.
“Use” applies only to activities within my practice group such as sharing, employing, applying, utilizing, examining, and analyzing information that identifies you.
“Disclosure” applies to activities outside of my practice group such as releasing, transferring, or providing access to information about you to other parties.
II. Uses and Disclosures Requiring Authorization
I may use or disclose PHI for purposes outside of treatment, payment, and health care operations when your appropriate authorization is obtained. An “authorization” is written permission above and beyond the general consent that permits only specific disclosures. In those instances when I am asked for information for purposes outside of treatment, payment and health care operations, I will obtain an authorization from you before releasing this information.
I will also obtain an authorization from you before using or disclosing PHI in a way that is not described in this Notice.
You may revoke all such authorizations at any time, provided each revocation is in writing. You may not revoke an authorization to the extent that (1) I have relied on that authorization; or (2) if the authorization was obtained as a condition of obtaining insurance coverage, and the law provides the insurer the right to contest the claim under the policy.
III. Uses and Disclosures with Neither Consent nor Authorization
I may use or disclose PHI without your consent or authorization in the following circumstances:
Child Abuse: If you give me information which leads me to suspect child abuse, neglect, or death due to maltreatment, I must report such information to the county Department of Social Services. If asked by the Director of Social Services to turn over information from your records relevant to a child protective services investigation, I must do so.
Adult and Domestic Abuse: If information you give me gives me reasonable cause to believe that a disabled adult is in need of protective services, I must report this to the Director of Social Services.
Health Oversight: The North Carolina Psychology Board has the power, when necessary, to subpoena relevant records should I be the focus of an inquiry.
Judicial or Administrative Proceedings: If you are involved in a court proceeding, and a request is made for information about the professional services that I have provided you and/or the records thereof, such information is privileged under state law, and I must not release this information without your written authorization, or a court order. This privilege does not apply when you are being evaluated for a third party or where the evaluation is court ordered. You will be informed in advance if this is the case.
Serious Threat to Health or Safety: I may disclose your confidential information to protect you or others from a serious threat of harm by you.
Worker’s Compensation: If you file a workers’ compensation claim, I am required by law to provide your mental health information relevant to the claim to your employer and the North Carolina Industrial Commission.
When the use and disclosure without your consent or authorization is allowed under other sections of Section 164.512 of the Privacy Rule and the state’s confidentiality law. This includes certain narrowly-defined disclosures to law enforcement agencies, to a health oversight agency (such as HHS or a state department of health), to a coroner or medical examiner, for public health purposes relating to disease or FDA-regulated products, or for specialized government functions such as fitness for military duties, eligibility for VA benefits, and national security and intelligence.
IV. Patient's Rights and Psychologist's Duties
Patient’s Rights:
· Right to Request Restrictions – You have the right to request restrictions on certain uses and disclosures of protected health information about you. However, I am not required to agree to a restriction you request.
· Right to Receive Confidential Communications by Alternative Means and at Alternative Locations – You have the right to request and receive confidential communications of PHI by alternative means and at alternative locations. (For example, you may not want a family member to know that you are seeing me. Upon your request, I will send your bills to another address.)
· Right to Inspect and Copy – You have the right to inspect or obtain a copy (or both) of PHI in my mental health and billing records used to make decisions about you for as long as the PHI is maintained in the record. I may deny your access to PHI under certain circumstances, but in some cases, you may have this decision reviewed. On your request, I will discuss with you the details of the request and denial process.
· Right to Amend – You have the right to request an amendment of PHI for as long as the PHI is maintained in the record. I may deny your request. On your request, I will discuss with you the details of the amendment process.
· Right to an Accounting – You generally have the right to receive an accounting of disclosures of PHI for which you have neither provided consent nor authorization (as described in Section III of this Notice). On your request, I will discuss with you the details of the accounting process.
· Right to a Paper Copy – You have the right to obtain a paper copy of the notice from me upon request, even if you have agreed to receive the notice electronically.
· Right to Restrict Disclosures When You Have Paid for Your Care Out-of-Pocket. You have the right to restrict certain disclosures of PHI to a health plan when you pay out-of-pocket in full for my services.
· Right to Be Notified if There is a Breach of Your Unsecured PHI. You have a right to be notified if: (a) there is a breach (a use or disclosure of your PHI in violation of the HIPAA Privacy Rule) involving your PHI; (b) that PHI has not been encrypted to government standards; and (c) my risk assessment fails to determine that there is a low probability that your PHI has been compromised.
Psychologist’s Duties:
· I am required by law to maintain the privacy of PHI and to provide you with a notice of my legal duties and privacy practices with respect to PHI.
· I reserve the right to change the privacy policies and practices described in this notice. Unless I notify you of such changes, however, I am required to abide by the terms currently in effect.
· If I revise my policies and procedures, I will verbally inform clients of any changes, post a revised notice in the office, and have copies of the notice available for clients at their request.
V. Breach Notification Addendum
1. When the Practice becomes aware of or suspects a breach, as defined in Section 1 of the Breach Notification Overview, the Practice will conduct a Risk Assessment, as outlined in Section 2 of the Overview. The Practice will keep a written record of that Risk Assessment. You can read the Breach Notification Overview at HHS.gov by typing in “Breach Notification Overview” in the “I’m looking for…” search tool at the top of the page. Select “HIPAA: Breach of Notification Rule.”
2. Unless the Practice determines that there is a low probability that PHI has been compromised, the Practice will give notice of the breach as described in Sections 2.B and 2.C of the Breach Notification Overview.
3. The risk assessment can be done by a business associate if it was involved in the breach. While the business associate will conduct a risk assessment of a breach of PHI in its control, the Practice will provide any required notice to patients and HHS.
4. After any breach, particularly one that requires notice, the Practice will re-assess its privacy and security practices to determine what changes should be made to prevent the re-occurrence of such breaches.
VI. Questions and Complaints
If you have questions about this notice, disagree with a decision I make about access to your records, or have other concerns about your privacy rights, you may contact our office privacy official:
Lonnie Sarnell drsarnell@gmail.com
If you believe that your privacy rights have been violated and wish to file a complaint with my office, you may send your written complaint to our office privacy official:
Lonnie Sarnell, Psy.D. drsarnell@gmail.com
You may also send a written complaint to the Secretary of the U.S. Department of Health and Human Services. The person listed above can provide you with the appropriate address upon request.
You have specific rights under the Privacy Rule. I will not retaliate against you for exercising your right to file a complaint.
VI. Effective Date, Restrictions and Changes to Privacy Policy
This notice went into effect on September 23, 2013.
I reserve the right to change the terms of this notice and to make the new notice provisions effective for all PHI that I maintain. If I revise my policies and procedures, I will verbally inform clients of any changes, post a revised notice, and have copies of the notice available for clients at their request.