The protection of your health information is very important. As a mental health professional I recognize that many of the things we discuss are sensitive, and because of this it is important that you are aware of how this information is used and may be revealed. This document contains a description of how your protected health information is used and sometimes disclosed. As a healthcare professional covered under the federal “HIPAA” law I am required to give you this notice and to abide by its terms. (I reserve the right to change the terms of this notice, and if that happens I will provide you with an updated copy with the changes.)
In general, the communications between a patient and psychologist are confidential and protected by law and I can only release your protected health information with your permission, or under certain circumstances. This document and the other intake documents you received discuss those circumstances. When I make a disclosure, I will always try to limit the information that I reveal. In general, I will try to disclose only the amount necessary.
Electronic Records and Electronic Protected Health Information (ePHI)
The HIPAA Privacy Rule protects the privacy of individually identifiable health information, called protected health information (PHI), as explained in the Privacy Rule. The Security Rule protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information “electronic protected health information” (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing.
Electronic records are subject to similar concerns and requirements as paper records. I keep electronic medical records on each patient. The 2005 HIPAA Security Rule provides specific guidance on managing electronic protected health information. It applies to practitioners who must comply with HIPAA and who store or transmit such information. The rule requires that I take special care in maintaining electronic records and that I conduct a risk analysis of specified issues and security measures appropriate for the practice. The electronic practice management company that I use makes reasonable efforts to maintain its service in a manner that includes appropriate administrative, technical and physical security measures designed to protect the confidentiality, availability and integrity of ePHI as required by HIPAA. The database is fully encrypted; access to the application is encrypted; data is backed up regularly at a SAS 70 Type II certified data center; strong passwords are required and changed frequently; all actions are logged, which provides a strong audit trail; powerful firewalls protect the servers; a paper copy of the medical file can be printed; and only a limited set of IP addresses is allowed to access the service.
I maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI, including: (1) ensuring the confidentiality, integrity, and availability of all e-PHI that I create, receive, maintain or transmit; (2) identifying and protecting against reasonably anticipated threats to the security or integrity of the information; (3) protecting against reasonably anticipated, impermissible uses or disclosures; and (4) ensuring compliance by my workforce.
Workstation, Device Security, and Technical Safeguards
I implement policies and procedures to specify proper use of and access to workstations and electronic media. I have policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information. I also have several technical safeguards to protect your health information including:
- Access Control. I implement technical policies and procedures that allow only authorized persons to access electronic protected health information (ePHI).
- Audit Controls. I implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use ePHI.
- Integrity Controls. I implement policies and procedures to ensure that ePHI is not improperly altered or destroyed.
- Transmission Security. I implement technical security measures that guard against unauthorized access to ePHI that is being transmitted over an electronic network.
Uses and Disclosures:
I can disclose information for the purposes of treatment, payment, and health care operations. An example of a disclosure for treatment purposes is one where I discuss your treatment/evaluation with your physician to coordinate our services. An example of a disclosure for payment is where I discuss your case with your health insurance carrier to determine if you are eligible for coverage. An example of a disclosure for health care operations is where I disclose information for the purposes of conducting quality assessment and quality improvement functions.
I can also make disclosures without your consent under the following circumstances:
- In some legal proceedings I may be required to disclose information about you without your consent. I will try to maintain the confidentiality of your protected health information, but if I receive a lawful order from a court or administrative authority, a valid subpoena, search warrant, or coroner’s inquest I may have to disclose information.
- If I believe you pose a serious risk of harm to yourself or someone else, I am required to take protective actions. This may mean that I have to contact a potential victim, the police, child and family services, government authorities whose job it is to protect the elderly or dependent adults, or other parties to minimize the risk of harm.
When I make disclosures for these purposes, I will disclose only the information necessary. Any additional disclosures will be made only with your written authorization and you can revoke that authorization at any time.
I am permitted to contact you to remind you about appointments, to discuss treatment alternatives, or other health-related services that may be of interest to you. I can also contact you for fundraising activities related to my practice.
Your Individual Rights:
You can request that I restrict the disclosure of information such as I described above, but I am not required to agree to these restrictions. However, if I do agree to these restrictions I must abide by our agreement unless an emergency occurs. If I do have to disclose information in an emergency I will ask the persons to whom I make the disclosure to keep the information as confidential as possible. Any agreement that we make to restrict these disclosures will be written down and signed; if either of us needs to terminate our agreement we will document our agreement in writing and give you a copy. You cannot limit the uses and disclosures that I am legally required or allowed to make.
If you wish to receive communications from me by alternative means (such as billing at a different address) you have the right to make reasonable requests. This is especially true if my usual means of communicating with you could endanger you or someone else. If you want to make such a request, please do so in writing and we will discuss how it would work and if it would be possible for me to agree to your request.
You have the right to inspect and copy your protected health information. You also have the right to amend your protected health information. If you want a copy of your protected health information, I can charge you a reasonable fee for providing you with these copies.
You have a right to receive an accounting of most of the disclosures of your protected health information that have occurred in the last six years.
You have a right to receive a paper copy of this notice.
If you have a complaint about how I have disclosed or failed to disclose your protected health information you can make a complaint to me, or to the U.S. Secretary of Health and Human Services. I will not retaliate against you for filing a complaint.
If you have any additional questions, you can contact me at (269)-372-4140.