 |
Crotched Mountain Foundation (and its affiliates as listed on Page 1 of Addendum A: Notice of Privacy Practices), as an Affiliated Covered Entity, is committed to ensuring the privacy and security of patient health information. Federal law allows health care organizations to use or disclose protected health information (PHI) for the purpose of treatment, payment and health care operations once patients/clients have been notified of our privacy practices in regard to their individual identifiable health information, and have acknowledged receipt of notice of privacy.
Pursuant to 45 CFR 164.520 (Code of Federal Regulations), an individual has a right to adequate notice of the uses and disclosures of his/her PHI that may be made by or on behalf of a covered entity. An individual also has a right to adequate notice of their individual rights and the covered entities legal duties with respect to his/her PHI.
Covered Entity (CE) means a health plan that provides, or pays the cost of, medical care, a health care clearinghouse, or a health care provider.
Protected Health Information (PHI) means individually identifiable information relating to the past, present, or future physical or mental health or condition of an individual, provision of health care to an individual, or the past, present or future payment for health care provided to an individual.
Treatment, Payment, and Operations (TPO) includes all of the following:
-
Treatment means the provision, coordination, or management of health care and related services, consultation between providers relating to an individual, or referral of an individual to another provider for health care.
-
Payment means activities undertaken to obtain or provide reimbursement for health care, including determinations of eligibility or coverage, billing, collection activities, medical necessity determinations and utilization review.
-
Operations includes functions such as quality assessment and improvement activities, reviewing competence or qualifications of health care professionals, conducting or arranging for medical review, legal services and auditing functions, business planning and development, and general business and administrative activities.
The following statement in a header or otherwise prominently displayed:
"THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."
-
A description, including at least one example, of the types of uses and disclosures that the CE is permitted to make for purposes of treatment, payment and health care operations, with sufficient detail to notify the individual of the uses and disclosures permitted or required;
-
A description of each of the other purposes for which the CE is permitted or required to use or disclose PHI without an individual's consent or authorization, with sufficient detail to notify the individual of the uses and disclosures permitted or required;
-
A statement that other uses or disclosures will be made only with the individual's written authorization, and that the authorization may be revoked in accordance with the policy on authorizations;
-
If provider intends to contact the individual for appointment reminders, treatment alternatives or other health related benefits, a separate statement describing such contacts;
-
A statement of the individual's rights with respect to his/her PHI, and a brief description of how the individual may exercise those rights, including: the right to request restrictions on certain uses/disclosures of PHI, and the fact that the CE does not have to agree to such restrictions; the right to receive confidential communications of PHI, the right to inspect and copy PHI, the right to amend PHI, the right to receive an accounting of disclosures of PHI, and the right to receive a paper copy of the privacy notice (each of the above in accordance with relevant policies);
-
A statement of the CE's duties with respect to PHI, including statements: that the CE is required by law to maintain the privacy of PHI and to provide individuals with notice of its legal duties and privacy policies; that the CE is required to abide by the terms of the currently effective privacy notice, and; that the CE reserves the right to change the terms of the notice and make the new notice provisions effective for all PHI maintained, along with a description of how the CE will provide individuals with the revised notice;
-
A statement that individuals may complain to the CE and to the Secretary of the United States Department of Health and Human Services about privacy rights violations, including a brief statement about how a complaint may be filed and an assurance that the individual will not be retaliated against for filing a complaint;
-
The name, or title, and telephone number of the person or office to contact for further information;
-
The effective date of the notice, which may not be earlier than the date printed or published.
CMF, as the Affiliated Covered Entity, will promptly revise and distribute the privacy notice whenever there is a material change to the uses or disclosures, the individual's rights, the covered entities legal duties, or other privacy practices described in the notice. Except when required by law, a material change to any term may not be implemented prior to the effective date of the notice reflecting the change.
Each covered entity under CMF must provide individuals/clients with the notice, and obtain the individual's written acknowledgment of receipt, or document attempts to obtain such acknowledgment (see Addendum B: Acknowledgment of Receipt of Privacy Notice). The privacy notice should be distributed to clients/patients no later than the date of the first treatment/ service delivery following implementation of the notice. The receipt of acknowledgment will be maintained in the client's or patient's medical record in Central Records. Additionally, the notice in effect (original notice or any subsequent revisions) must be prominently posted in admitting and registration areas and copies must be available for individuals to take at any service delivery sites.
The NPP will also be prominently posted on the CMF web site at www.crotchedmountain.org.
CMF's affiliated entities will retain copies of notices issued for a period of at least six (6) years from the later of the date of creation or the last effective date. Each CMF affiliated entity will retain documentation of individuals/clients acknowledgment of receipt, or documented attempts to obtain such acknowledgment, of the notice of privacy for a period of six (6) years. CMF may choose to centrally locate this documentation. |