This notice describes how medical information about you may be used and disclosed in accordance with HIPAA (Health Insurance Portability and Accountability Act).
Understanding your health record/information
As part of your counseling healthcare here, a record will be made of each visit and any other important exchange of information on your behalf. Your information is used by your insurance company to verify that the services billed were actually provided. Your medical record belongs to you as the client, and you have certain rights with regard to your health information.
You have a right to expect that your health information will be kept secure and used only for legitimate purposes.
You have a right to understand how your health information may be used and disclosed by Tara Mesward Counseling, PC.
You have a right to receive this privacy notice that tells you how your health information may be used or disclosed.
You have a right to ask questions about any healthcare privacy issue and have those questions clearly and promptly answered.
You have a right to know who has seen your health information, and for what purpose.
You have a right to request that we communicate with you by alternative means.
You have a right to complain about my privacy practices with no retaliatory action taken against you.
Our responsibilities include: maintaining the privacy of your health record (information that may identify you), providing you with a copy of this privacy notice form, abiding by the terms of this notice, notifying you if we are unable to agree to a requested amendment or restriction, and accommodating reasonable requests you may have to communicate health information by alternative means or at alternative locations. If our information practices change, we may change this notice. If we do so, the change will be effective for information gathered both before and after the effective date of such change. The effective date of our notice will always appear at the end of the notice. We will not use or disclose your health information without your authorization, except as described in this notice.
Disclosures for Treatment, Payment, and Healthcare Operations
We may use or disclose your information for treatment (including but not limited to therapy, testing, or diagnostic evaluation), payment (including but not limited to insurance filing and credit card processing), and healthcare operations without your permission. However, if state law requires us to obtain your written permission to use or disclose your health information for treatment, payment, or healthcare operations, we will do so. We will use or disclose your health information for payment.
Other Disclosures That May Be Made Without Your Authorization
Unless we are otherwise restricted from doing so, we may also use or disclose your information for the following purposes without your authorization:
We may use your information to provide you with information regarding a health-related product or service provided by Tara Mesward Counseling, PC or information regarding your treatment of care, such as appointment reminders or information about treatment alternatives.
Workers Compensation: We may disclose your health information to the extent authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs established by law.
Specialized Governmental Functions: We may disclose your health information for military and veterans’ activities, national security and intelligence activities, and similar special governmental functions as required or permitted by law.
Law Enforcement & Judicial Proceedings: We may disclose your health information for law enforcement, judicial, or administrative proceedings purposes as required or permitted by law or in response to a valid subpoena, court order, or other binding authority.
Disclosures Required by Law: We may use or disclose your health information as required by law provided such use or disclosure complies with and is limited to the relevant requirements of such law. For example, this may include involvement in abuse, neglect, violence, or to the extent necessary to avert a serious threat to your health or safety or the health or safety of others, or any other disclosure authorized by law.
Tara Mesward Counseling, PC Breach Notification Policy
POLICY AND PROCEDURES
In summary, HIPAA requires that covered entities notify individuals whose unsecured protected health information has been impermissibly accessed, acquired, used, or disclosed, compromising the security or privacy of the protected health information. The notification requirements only apply to breaches of unsecured PHI. In other words, if PHI is encrypted or destroyed in accordance with the HIPAA guidance, there is a “safe harbor” and notification is not required.
Discovery of Breach. A breach shall be treated as discovered as of the first day on which such breach is known to Tara Mesward Counseling, PC or, by exercising reasonable diligence, would have been known to Tara Mesward Counseling, PC or any person, other than the person committing the breach, who is a workforce member or agent of Tara Mesward Counseling, PC.
Following the discovery of a potential breach, Tara Mesward Counseling, PC shall begin an investigation, conduct a risk assessment, and, based on the results of the risk assessment, begin the process of notifying each individual whose PHI has been, or is reasonably believed by Tara Mesward Counseling, PC to have been, accessed, acquired, used, or disclosed as a result of the breach. Tara Mesward Counseling, PC shall also begin the process of determining what notifications are required or should be made, if any, to the Secretary of the Department of Health and Human Services (HHS), media outlets, or law enforcement officials.
Breach Investigation. Tara Mesward shall act as the investigator of the breach. The investigator shall be responsible for the management of the breach investigation and completion of the risk assessment.
Risk Assessment. For breach response and notification purposes, a breach is presumed to have occurred unless Tara Mesward Counseling, PC can demonstrate that there is a low probability that the PHI has been compromised based on, at minimum, the following risk factors: The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the PHI or to whom the disclosure was made; whether the PHI was actually acquired or viewed; the extent to which the risk to the PHI has been mitigated.
Based on the outcome of the risk assessment, Tara Mesward Counseling, PC will determine the need to move forward with breach notification. The investigator must document the risk assessment and the outcome of the risk assessment process. All documentation related to the breach investigation, including the risk assessment, must be retained for a minimum of six years.
Notification: Individuals Affected. If it is determined that breach notification must be sent to affected individuals, Tara Mesward Counseling, PC’s standard breach notification letter (as modified for the specific breach) will be sent out to all affected individuals. Tara Mesward Counseling, PC also has the discretion to provide notification following an impermissible use or disclosure of PHI without performing a risk assessment, if Tara Mesward Counseling, PC so chooses. Notice to affected individuals shall be written in plain language and must contain the following information, which elements are included in Tara Mesward Counseling, PC ‘s standard breach notification letter: A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; a description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); any steps the individuals should take to protect themselves from potential harm resulting from the breach; a brief description of what Tara Mesward Counseling, PC is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches; contact procedures for individuals to ask questions or learn additional information, which includes a toll-free telephone number, email address, website, or postal address.
This letter will be sent by first-class mail to the individual at the last known address of the individual or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification shall be provided in one or more mailings as information is available. If Tara Mesward Counseling, PC knows that the individual is deceased and has the address of the next of kin or personal representative of the individual, written notification by first-class mail to the next of kin or person representative shall be carried out.
If there is insufficient or out-of-date contact information that precludes direct written or electronic notification, a substitute form of notice reasonably calculated to reach the individual shall be provided. If there is insufficient or out-of-date contact information for fewer than 10 individuals, then the substitute notice may be provided by an alternative form of written notice, by telephone, or by other means. If there is insufficient or out-of-date contact information for 10 or more individuals, then the substitute notice shall be in the form of either a conspicuous posting for a period of 90 days on the home page of Tara Mesward Counseling, PC’s website, or a conspicuous notice in major print or broadcast media in the geographic areas where the individuals affected by the breach likely reside. The notice shall include a toll-free number that remains active for at least 90 days where an individual can learn whether his or her PHI may be included in the breach.
Notice to affected individuals shall be made without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach. If Tara Mesward Counseling, PC determines that notification requires urgency because of possible imminent misuse of unsecured PHI, notification may be provided by telephone or other means, as appropriate, in addition to the methods noted above. It is the responsibility of Tara Mesward Counseling, PC to demonstrate that all notifications were made as required, including evidence demonstrating the necessity of any delay. A copy of all patient correspondence shall be retained by Tara Mesward Counseling, PC in accordance with state law record retention requirements.
Notification: HHS. In the event a breach of unsecured PHI affects 500 or more of the practice’s patients, HHS will be notified at the same time notice is made to the affected individuals, in the matter specified on the HHS website. If fewer than 500 of the practice’s patients are affected, Tara Mesward Counseling, PC will maintain a log of the breaches to be submitted annually to the Secretary of HHS no later than 60 days after the end of each calendar year, in the manner specific on the HHS website. The submission shall include all breaches discovered during the preceding calendar year.
Notification: Media. In the event the breach affects more than 500 residents of a state, prominent media outlets serving the state and regional area will be notified without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach. The notice shall be provided in the form of a press release.
Delay of Notification Authorized for Law Enforcement Purposes. If a law enforcement official states to Tara Mesward Counseling, PC or a business associate that a notification, notice, or posting would impede a criminal investigation or cause damage to national security, Tara Mesward Counseling, PC shall: If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or if the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described above is submitted during that time. This applies to notices made to individuals, the media, HHS, and by business associates.
Maintenance of Breach Information. Tara Mesward Counseling, PC shall maintain a process to record or log all breaches of unsecured PHI, regardless of the number of patients affected. The following information should be collected for each breach: A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of patients affected, if known; a description of the types of unsecured protected health information that were involved in the breach (such as full name, social security number, date of birth, home address, account number, other); a description of the action taken with regard to notification of patients regarding the breach; steps taken to mitigate the breach and prevent future occurrences.
Business Associate Responsibilities. Tara Mesward Counseling, PC‘s business associates shall, without unreasonable delay and in no case later than 60 calendar days after discovery of a breach of unsecured PHI, notify Tara Mesward Counseling, PC of such breach. Such notice shall include the identification of each individual whose unsecured PHI has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach. The business associate shall provide Tara Mesward Counseling, PC with any other available information that the practice is required to include in notification to the individual at the time of the notification or promptly thereafter as information becomes available. Upon notification by the business associate of discovery of a breach, Tara Mesward Counseling, PC will be responsible for notifying affected individuals, unless otherwise agreed upon by the business associate to notify the affected individuals.
Complaints. Tara Mesward Counseling, PC provides a process for individuals to make complaints concerning the practice’s patient privacy policies and procedures or its compliance with such policies and procedures. Individuals also have the right to complain about the practice’s breach notification processes. You may send a written complaint to the Secretary of the Department of Health & Human Services at 200 Independence Avenue S.W. Washington D.C. 20201.
Retaliation/Waiver. Tara Mesward Counseling, PC may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for exercising his or her privacy rights. Individuals shall not be required to waive their privacy rights as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.
Burden of Proof. Tara Mesward Counseling, PC has the burden of proof for demonstrating that all notifications were made as required or that the use or disclosure did not constitute a breach.
If you have questions or would like additional information, you may contact Tara Mesward, MS, LMHP, LPC, CEDS, NCC by phone (402.898.3242) or email (Tara@tarameswardcounseling.com).
This notice serves as the privacy practices for Tara Mesward Counseling, PC, effective January 8, 2015.