Sage Bariatric Institute
(Texas Center for Medical & Surgical Weight Loss)
NOTICE OF PRIVACY PRACTICES
Effective Date: September 23, 2013
Revised: July 13, 2016
THIS DOCUMENT DESCRIBES IN DETAIL HOW YOUR CONFIDENTIAL MEDICAL INFORMATION MAY BE USED BY OUR PRACTICE, HOW IT MAY BE DISCLOSED TO OTHERS FOR THEIR USE, HOW YOU CAN CONTROL AND ACCESS YOUR MEDICAL INFORMATION, AND HOW YOU CAN GET ADDITIONAL INFORMATION REGARDING YOUR RIGHTS. PLEASE REVIEW IT CAREFULLY.
This is Texas Center for Medical & Surgical Weight Loss, P.A.’s (“TCMSWL”) Notice of Privacy Practices (“Notice”) and it is applicable to all of our patients. TCMSWL is referred to in this Notice as “us,” “we,” or “our.” This Notice is required by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as modified and updated in 2003 and later in 2013. In general, HIPAA deals with personal information that: a) identifies you, and/or b) describes or relates to the diagnosis and treatment of your past, present or future physical or mental health condition(s). This personal information is referred to by HIPAA as “Protected Health Information”. For the sake of simplicity, however, this Notice uses the term “medical information” instead of “Protected Health Information”. We strive at all times to deliver high quality clinical services and we take our obligation to protect your medical information very seriously.
We are required by law to maintain the privacy of your medical information (subject to the contents of this Notice), provide you with notice of our legal duties and privacy practices, and abide by the terms of our current Notice document. We reserve the right to change this Notice’s terms from time to time as permitted by applicable law and any changes made will apply to all medical information we then-currently maintain as well as medical information developed in the future. A copy of our current Notice document will be provided to you for review when you come to our office for your first appointment. After your review, we will ask that you acknowledge in writing that you have received and read the document. If you have a “personal representative” or if the patient is a minor, we will ask the “personal representative”, parent or guardian to make the acknowledgment. If you cannot or do not make the requested acknowledgment we will make an explanatory notation in your medical record. This Notice will also be available, upon your request, whenever you subsequently visit our office for care. We also prominently post copies of our Notice in each exam room in our office. We also have laminated copies of this Notice distributed throughout our office Waiting Area. A copy of our Notice is also available upon request at any time at our offices or by contacting our Privacy Officer, Nadia Villarreal. She can be reached by calling (210) 651-0303, by writing to Texas Center for Medical & Surgical Weight Loss, P.A., c/o Privacy Officer, 8811 Village Drive, Suite 300, San Antonio, Texas, 78217, or by emailing us at Nadia@texasbariatric.com. Our Privacy Officer will also answer any questions you may have relating to your medical information.
HOW WE MAY USE AND DISCLOSE YOUR MEDICAL INFORMATION
We may use and disclose your medical information in a number of circumstances and for a variety of reasons, some of which require your prior authorization. There are many situations, however, in which we are legally permitted or required to use and disclose your medical information without your prior authorization. Many of these instances will occur in connection with: a) your treatment, b) payment for healthcare services that we provide to you, and/or c) our routine healthcare business operations. This Notice describes these situations. Whenever disclosing your medical information we will endeavor to disclose the it to the degree minimally necessary to accomplish the intended purpose. In some cases we may completely remove any personal identifiers. Specifically, we may use and disclose your medical information as follows:
Routine Business Operations
We may use and disclose your medical information without your prior authorization in the ordinary course of our routine business operations. Such instances include the following:
Treatment: We may use your medical information to facilitate the provision of our services to you. This includes disclosing your medical information to individuals who may need that information to treat you, such as our surgeons, other physicians, physician assistants, nurses, technicians, therapists, counselors, and nutritionists, and others involved in your care, such as your primary care physician or specialists. We may also use and disclose your medical information to remind you of upcoming appointments, inform you about treatment options or alternatives, tell you about healthcare-related services, or monitor and evaluate your experience with us through follow-up communications.
Payment: We may use your medical information to bill and receive payment from your insurance company, you, or another person/entity responsible for payment of your account. We may also use it when contacting your health plan to see if it will pay for your treatment with us or for any other customary purpose related to billing and payment. You may also request to pay out-of-pocket for the services we provide to you and, in such a case, you may request that we not bill your insurer for such services.
Healthcare Operations: We may also use or disclose your medical information to conduct our normal business and professional operations. For example, we routinely review past medical and surgical procedures to assess our service and clinical performance. We might also use your medical information for internal and external review purposes. In addition, we may use your medical information to demonstrate our competencies to an accreditation body. Accreditation is important to you and to us because the process assists us in maintaining our proficiency in performing our medical services. Other operational matters that might require us to use or disclose your medical information include professional and staff training, payor credentialing, risk management activities, insurance underwriting, cost and utilization management, legal and regulatory compliance, facility licensing and certification, and financial accounting and auditing.
Additional Disclosures Not Requiring Specific Authorization
We are also permitted or required to use and disclose your medical information without your specific authorization for the following purposes:
Disclosures Required by Law: Federal, state, or local law may require us to disclose our patients’ medical information for certain legally-mandated purposes.
Public Health Activities: We may disclose your medical information to a public agency for public health and quality control/improvement purposes.
Victims of Abuse, Neglect, or Domestic Violence: We may disclose your personal information to proper authorities in accordance with applicable law when we reasonably believe patient abuse or neglect is involved.
Health Oversight Activities: If you are the beneficiary of a government healthcare program, we may be required to disclose your medical information to that program or a related agency if it selects your case for medical review.
Judicial and Administrative Proceedings: If information in your medical record is relevant to a legal proceeding, a court or administrative tribunal may issue a subpoena commanding us to disclose your medical information.
Law Enforcement: We may disclose your medical information when legally required by appropriate authorities in connection with a criminal or other official investigation.
Serious Threats to Health or Safety: We may be obligated to disclose your medical information if, in our professional opinion, doing so would help avert a serious threat to personal or public health.
Specialized Government Functions: We may use and disclose medical information of certain individuals for specific national security, intelligence, or protective service purposes.
Patient Authorizations for Certain Disclosures
All other uses and disclosures of your medical information will require your prior written authorization.
Situations Requiring Written Authorization: For situations not described above in this Notice, we will ask for your written authorization before we release your medical information. Examples of these situations include requests to provide medical information to your attorney or to life or disability insurance companies. Additionally, we will request your voluntary written authorization to permit us to use your testimonial or photographic images.
Revocation of Authorization and Its Effects: You may revoke any standing authorization to disclose your medical information (see below) by so notifying our Privacy Officer in writing at the physical or email address provided on the first page of this Notice. You revocation can only be prospective and we will not request the return of information previously disclosed.
YOUR RIGHTS WITH RESPECT TO MEDICAL INFORMATION
Your Rights Concerning Communication, Access, Amendment and Accounting
You have certain rights with respect to our communication of, your access to, the amendment of, and accounting for the disclosure of your medical information:
Requesting Restrictions: You may ask us to limit our use or disclosure of your medical information under certain circumstances. For example, we may disclose your medical information to an immediate family member(s), other relative(s), or close personal friend(s) who are directly involved either in your care or in the payment for your care if we reasonably determine, based upon our professional judgment, that you would not object. You may, however, request a restriction on what medical information we may disclose to someone who is directly involved either in your care or in the payment for your care. You are entitled to request other restrictions as well. We are not required to agree to your request, but if we agree to it, we will abide by your request, except as required by law, in emergencies, or when the information is necessary to treat you. All such requests must be in writing and directed to our Privacy Officer Privacy Officer in writing at the physical or email address provided on the first page of this Notice. You request must describe the information that you want restricted, state if the restriction is to limit our use or disclosure, and state the party(ies) to whom the restriction applies. You may revoke your restriction at any time by contacting our Privacy Officer at the physical or email address on the first page of this Notice.
Confidential Communications: In order to protect your medical information, you may ask that we communicate with you in a particular way or at a certain location. Your request must be in writing, tell us how you intend to satisfy your payment obligation (if your request potentially interferes with our obtaining third party payment), and specify an alternate way that we can contact you confidentially. You do not have to give a reason for your request. You may revoke your request at any time by contacting our Privacy Officer at the physical or email address on the first page of this Notice. We will accommodate your reasonable request, but in determining whether your request is reasonable, we will consider the administrative burden it may impose upon us.
Inspect and Copy: You may ask to review and obtain a copy of your medical information. You must make your request in writing to our Privacy Officer at the physical or email address on the first page of this Notice. We may charge a fee for copying or preparing a summary of requested medical information. We will respond within 15 days of receiving your request unless your medical information is not readily-accessible or the information is maintained in an off-site storage location. Additionally, you have the right to access your own e-health record in an electronic format and to direct us to send the e-health record directly to a third party. In connection with transfers of e-health records, we may charge for labor costs only.
Amendment: You may request, in writing, that we make a change or addition to your medical information. To make such a request you may contact our Privacy Officer using the contact information on the first page of this Notice. The law limits your ability to change or add to your medical information. Specifically, we may decline to change your medical information if we did not create the medical information and we do not include it within our medical records or if we believe that the medical information is accurate and complete without any changes. Under no circumstances will we erase or otherwise delete original documentation in your medical information.
Accounting of Disclosures: You may request a list of non-routine disclosures that we have made of your medical information. This list will not include disclosures we make to provide our medical services to you, to seek payment for our medical services, to conduct our normal business operations, or disclosures we make pursuant to your written authorization. Your first request in a 12-month period is free, but we may charge for additional lists in the same 12-month period.
Paper Copy of Notice: You are entitled to receive a paper copy of our Notice of Privacy Practices by contacting our Privacy Officer using the contact information on the first page of this Notice. You may also take a copy of this Notice with you. Even if you have requested this Notice electronically, you may always request a paper copy.
File a Complaint: If you believe that we have violated your privacy rights, you may file a complaint directly with our Privacy Officer using the contact information on the first page of this Notice. You may also file a complaint with the Secretary of the Department of Health and Human Services, Office of Civil Rights, 200 Independence Avenue S.W., Washington, DC 20201 or calling 1-877-696-6775. You will not be penalized or retaliated against for filing a complaint.
Your Rights Under HITECH
In 2009 Congress passed the Health Information Technology for Economic and Clinical Health Act (“HITECH”), which expands your rights with respect to your medical information and enhances the enforcement of HIPAA. In January 2013 the Department of Health and Human Services released final rules implementing HITECH. Under these rules we must notify you of the following information and requirements, some of which are stated earlier in the text of this Notice:
Breach Notification: We are required to notify you if the privacy of your medical information has been breached. Notification must occur by first class mail within sixty (60) days of the event. A breach occurs if anyone engages in an unauthorized use or disclosure that compromises the privacy or security of your medical information and poses a significant risk of financial, reputational or other harm to you. The notice of breach must contain: a) a brief description of what happened, including the date of the breach and the date of discovery, b) the steps you should take to protect yourself from potential harm resulting from the breach, and c) and a brief description of what we are doing to investigate the breach, mitigate losses and protect against further breaches.
Business Associates: Like most medical practices we conduct some of our business operations with the help of third party vendors and contractors known under HIPAA as “Business Associates.” In accordance with HITECH’s requirements, we have drafted Business Associate Agreements to provide that all HIPAA administrative security safeguards, physical safeguards, technical safeguards, and security policies, procedures and documentation requirements that apply to us also apply directly to our Business Associates.
Access to E-Health Records: You have the right to access your own e-health record in an electronic format and to direct us to send the e-health record directly to a third party. In connection with transfers of e-health records, we may charge for labor costs only.
Accounting of E-Health Records for Treatment, Payment, and Healthcare Operations: Through the end of 2013, we do not have to provide an accounting of disclosures of your medical information to carry out treatment, payment, and healthcare operations. However, starting January 1, 2014, the law will require us to provide an accounting of disclosures through an e-health record to carry out treatment, payment, and healthcare operations. This new accounting requirement is limited to disclosures within the three-year period prior to your request. If you make such a request, we must either: provide you with an accounting of all such disclosures made by us and by all of our Business Associates; or provide you with an accounting of all such disclosures made by us and a list of our Business Associates, including their contact information, who will be responsible for providing an accounting of such disclosures upon your request.
Fundraising Communications: Although we do not anticipate sending fundraising communications to you, if we ever do so, you may opt out of receiving them. Every such communication must inform our patients of this right. Additionally, we may not sell your medical information without your permission.
Other Uses and Disclosures Requiring Your Prior Written Authorization: In addition to the situations described above in the section on Patient Authorizations for Certain Disclosures, we must obtain your prior, written authorization to undertake the following uses and disclosures of your medical information: a) the use and disclosure of your psychotherapy notes, if any, b) the use or disclosure of your medical information for marketing purposes, including communications intended to inform you of subsidized treatment options offered by specific providers, c) the use or disclosure that constitutes the sale of your medical information, and d) other uses and disclosures not generally described in this Notice.
Click Here to download a PDF document of this notice.