Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED, AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
OUR DUTY TO SAFEGUARD YOUR PROTECTED HEALTH INFORMATION
Individually identifiable information about your past, present, or future health or condition, or the provision of healthcare is considered “Protected Health Information” or “PHI”. We are required to extend certain protections to your PHI. Except in specified circumstances, we must use or disclose only the minimum necessary PHI to accomplish our intended purpose. We are required to follow the privacy practices described in this Notice, but we reserve the right to change our privacy practices and the terms of this Notice at any time. The revised Notice will be available from any Center for Diagnostic Imaging or Insight Imaging center and will also be posted on our Web site at http://www.mycdi.com.
HOW WE MAY USE AND DISCLOSE YOUR PROTECTED HEALTH INFORMATION
We use and disclose PHI for a variety of reasons. If we disclose your PHI to an outside entity in order for that entity to do something on our behalf, we must have in place an agreement from the outside entity that it will protect the privacy of your information to the same extent that we do. We have a limited right to use and/or disclose your PHI for purposes of treatment, payment and for our healthcare operations. For uses beyond that, we must have your written authorization (or permission) unless the law permits or requires us to make the use or disclosure without your authorization. The law provides that we are permitted to make some uses/disclosures without your consent or authorization. The following describes and offers examples of our potential uses/disclosures of your PHI.
USES AND DISCLOSURES RELATING TO TREATMENT, PAYMENT, OR HEALTHCARE OPERATIONS
Generally, we may use or disclose your PHI as follows:
For treatment: We may use your PHI to treat you and disclose your PHI to doctors, nurses, and other healthcare personnel who are involved in treating you. For example, your PHI will be shared among members of your healthcare team.
To obtain payment: We may use/disclose your PHI in order to bill and collect payment for your healthcare services. For example, we may contact your insurer to get paid for services that we delivered to you. We may release information to collection agencies for the purpose of payment. For healthcare operations: We may use/disclose your PHI in the course of operating our centers. For example, we may use your PHI in evaluating the quality of services provided, or disclose your PHI to our accountant or attorney for audit purposes.
USES AND DISCLOSURES OF PHI REQUIRING AUTHORIZATION
For uses and disclosures for purposes other than treatment, payment and operations, we are required to have your written authorization, unless the use or disclosure falls within one of the exceptions described below. Most uses and disclosures of psychotherapy notes, uses and disclosures for marketing purposes, and disclosures that constitute the sale of PHI require your authorization. Authorizations can be revoked at any time to stop future uses/disclosures except to the extent that we have already relied on your authorization.
USES AND DISCLOSURES OF PHI NOT REQUIRING CONSENT OR AUTHORIZATION
Federal law provides that we may use/disclose your PHI without your consent or authorization in the following circumstances. If the laws of your state are more restrictive, we will follow state law.
When required by law: We may disclose PHI when required by a law, for law enforcement purposes or when necessary in connection with the commission of a crime. We may also disclose PHI to authorities that monitor compliance with these privacy requirements.
For public health activities: We may disclose PHI when we are required to collect information about disease or injury, or to report vital statistics to the public health authority, such as the Food and Drug Administration (FDA).
Victims of abuse, neglect or domestic violence: We may report information to a government authority, including a social service or protective services agency, about suspected abuse, neglect
or domestic violence. For health oversight activities: We may disclose PHI to our corporate office or an agency responsible for monitoring the healthcare system for such purposes as reporting or investigation of unusual incidents, and monitoring of government healthcare programs, such as Medicare and Medicaid.
Relating to decedents: We may disclose PHI related to a death to coroners, medical examiners or funeral directors, and to organ procurement organizations relating to organ, eye, or tissue donations or transplants.
To avert threat to health or safety: In order to avoid a serious threat to health or safety, we may disclose PHI as necessary to law enforcement or other persons who can reasonably prevent or lessen the threat of harm.
For specific government functions: We may disclose PHI of military personnel and veterans in certain situations, to correctional facilities in certain situations, to government benefit programs relating to eligibility and enrollment, and for national security reasons, such as protection of the President.
For workers’ compensation: We may disclose health information to the extent authorized by and necessary to comply with laws relating to workers’ compensation or other similar programs established by law.
For research: We may disclose information to researchers when their research has been approved by an institutional review board that has reviewed the research proposal and established protocols to ensure the privacy of your health information. To respond to lawsuits and legal actions: We may disclose your PHI in response to a court or administrative order.
USES AND DISCLOSURES REQUIRING YOU TO HAVE AN OPPORTUNITY TO OBJECT
In the following situations, we may disclose a limited amount of your PHI as long as you do not object and the disclosure is not otherwise prohibited by law.
Patient Directories: Your name, location, and general condition may be put into our patient directory for disclosures to callers or visitors who ask for you by name. Additionally, your religious affiliation may be shared with clergy.
To family, friends or others involved in your care: We may share your information with your family, friends and/or others if the information is directly related to their involvement in your care, or payment for your care.
YOUR RIGHTS REGARDING YOUR PROTECTED HEALTH INFORMATION
You have the following rights relating to your PHI:
To request restrictions on uses/disclosures: You have the right to ask that we limit how we use or disclose your PHI for healthcare treatment, payment and operations, or to individuals involved in your care. Such uses and disclosures do not typically require your permission because CDI may need to use or disclose the information in order to provide services to you. We will consider your request for a restriction, but, in most cases, we are not legally required to agree to the restriction. CDI is only required to agree to a requested restriction if (1) the disclosure is for payment or healthcare operations and (2) the information pertains solely to any item or service that you (or another person on your behalf, other than a health plan) paid for out of pocket, in full. To the extent that we do agree to any restriction on our use/disclosure of your PHI, we will put the agreement in writing and abide by it except in emergency situations. We cannot agree to limit uses/disclosures that are required by law.
To choose how we contact you: You have the right to ask that we send you information at an alternative address or by an alternate means. We will agree to your request as long as it is reasonably easy for us to do so.
To inspect and request a copy of your PHI: Unless your access to your records is restricted for clear and documented treatment reasons, you have a right to see your protected health information upon your written request. We will respond to your request within 30 days or sooner if required by the laws of your state. If we deny your access, we will give you written reasons for the denials and explain any right for the denial to be reviewed. If you want copies of your PHI, a charge for copying may be imposed, depending on your circumstances. You have a right to choose what portions of your information you want copied and to have prior information about any charges for copying. If your information is stored electronically, you have a right to receive it in an electronic format.
To request amendment of your PHI: If you believe that there is a mistake or missing information in our record of your PHI, you may request, in writing, that we correct or add to the record. We will respond within 60 days of receiving your request or sooner if required by the laws of your state. We may deny the request if we determine that the PHI is (1) correct and complete; or (2) not created by us and/or not part of our records.
To find out what disclosures have been made: You have a right to get a list of when, to whom, for what purpose, and what content of your PHI has been released by us other than pursuant to your written authorization. The list also will not include any disclosures made for treatment, payment and operations or disclosures made before April 2003 and certain other disclosures. We will respond to your written request for such a list within 60 days of receiving it or sooner if required by the laws of your state. Your request can relate to disclosures going back six years. We will provide you with one list each year for free but may charge you a reasonable cost-based fee for more frequent requests.
To find out if there has been a breach of your PHI: We are required to notify you when there has been an acquisition, access, use, or disclosure of your PHI that is not permitted under HIPAA and that compromises the security or privacy of your PHI.
YOU HAVE THE RIGHT TO RECEIVE THIS NOTICE
You have a right to receive a paper copy of this Notice.
CONTACT PERSON FOR INFORMATION OR TO SUBMIT A COMPLAINT
For any complaints regarding CDI’s privacy practices or additional information about its privacy practices, contact CDI’s Privacy Officer by calling 1-855-377-1624 or by email at HIPAA@cdirad.com.
Non-Retaliation: If an Individual believes his/her privacy rights have been violated, the Individual may complain to CDI’s Privacy Officer or to the Secretary of the Department Of Health and Human Services, without fear of retaliation by the organization.
Effective Date: This Notice is effective May 11, 2015.