HIPAA Notice Regarding Privacy of Personal Health Information



Originally effective: 12/1/2020


Pursuant to the Federal Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”) and its regulations issued at 45 C.F.R. Parts 160 through 164 (the “Privacy Regulations”), and also as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”), this Notice of Privacy Practices (“Notice”) describes the uses and disclosures of protected health information (“PHI”) by Kaufman Allergy Asthma and Immunology, PLLC, which throughout this notice will be referred to as “our practice”.

A. Purpose of this Notice

Our practice is required by law to maintain the privacy of your protected health information (“PHI”) and to provide you with this Notice about your rights and our practice’s legal duties and privacy practices with respect to your PHI.

B. Uses and Disclosures of PHI to Carry Out Treatment, Payment and Health Care Operations

The following describes how our practice may use or disclose your PHI to carry out treatment, payment, and health care operations.

Treatment. Your PHI may be used by staff members, or disclosed to other health care professionals, for the purpose of evaluating your health, diagnosing medical conditions, and/or planning for your care and treatment. Some of the individuals in our practice who may use your PHI include physicians, physician extenders such as nurse practitioners or physician assistants, registered nurses, medical assistants, and our practice’s administrative support staff. Your PHI may be communicated to the many health care professionals who contribute to your care, including, but not limited to your referring doctor, hospitals, and other health care specialists, translators, and ancillary services.

Payment. Your PHI may be used to seek payment from your health plan carrier, from other sources of coverage such as an automobile insurer, or from credit card companies you may use to pay for services. Our practice may also provide your PHI to our business associates, such as billing companies, claims processing companies, and others who process the health care claims. Our practice may tell your health plan about a treatment you are going to receive, to obtain prior approval or to determine whether your plan will cover the rest of the treatment.

Health Care Operations. Our practice may use and disclose your PHI in order to run necessary administrative, educational, quality assurance, and business functions. These uses and disclosures are necessary to run our practice and make sure that all of our patients receive quality care.

C. Other Permitted Uses and Disclosures of PHI

Additionally, use and disclosure of your PHI is permitted under the following circumstances:

Appointment Reminders. Our practice may use and disclose your PHI to remind you of an appointment. Our practice may contact you by mail, telephone, or email. Our practice may leave voice messages at the telephone number you provide us, and we may respond to your email.

Treatment Alternatives and Health-Related Products or Services. Our practice may use and disclose your PHI to tell you about, or recommend, possible treatment options, alternatives and health-related benefits, or services that may be of interest to you.

As Required by Law. Our practice will disclose your PHI when required to do so by federal, state, or local law.

To Avert a Serious Threat to Health or Safety. Our practice may use and disclose PHI when necessary to prevent an immediate, serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.

Incidental Disclosures. Certain disclosures of your PHI may occur incidental to another lawful, permitted use and/or disclosure of your PHI.

Business Associates. Our practice contracts with outside companies who perform business services for it, such as attorneys, accountants, or software vendors. In certain circumstances, our practice may need to share your PHI with a business associate so it can perform a service for our practice or on our practice’s behalf. Our practice will limit the disclosure of your information to a business associate to the minimum amount of information necessary for the company to perform services for our practice. Our practice will have a written contract in place with the business associate requiring it to protect the privacy and security of your PHI.

Organ and Tissue Donation. Our practice may disclose your PHI to organizations that handle organ procurement or organ, eye, or tissue transplantation, or to an organ donation bank, as necessary, to facilitate a donation and transplantation.

Military and Veterans. If you are a member of the armed forces, we may release medical information about you as required by military command authorities. We may also release medical information about foreign military personnel to the appropriate foreign military authority.

Workers’ Compensation. We may release medical information about you for workers’ compensation or similar programs. These programs provide benefits for work-related injuries or illnesses.

Public Health Activities. Our practice may disclose your health information to public health agencies as required or authorized by law. These activities generally include, but are not limited to the following:

  • to prevent or control disease, injury or disability;
  • to report births and deaths;
  • to report endangering disabilities of drivers and pilots;
  • to report abuse or neglect of children, the elderly and incompetent patients;
  • to report reactions to medications or problems with products, and to notify people of recalls of products they may be using; and
  • to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition.

Health Oversight Activities. Our practice may disclose your PHI to a health oversight agency for activities authorized by law, such as audits, investigations, inspections, and licensure.

Lawful Subpoena or Court Order. Our practice may disclose PHI in response to a court or administrative order. Our practice may also disclose PHI about you in certain cases in response to a subpoena or discovery request if you are involved in a lawsuit or a dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested. Our practice may release medical information if asked to do so by a law enforcement official in response to a court order, warrant, summons or similar process.

Coroners, Medical Examiners and Funeral Directors. Our practice may disclose your PHI to a coroner or medical examiner, as necessary, (for example, to identify a deceased person or determine the cause of death) or to a funeral director, as necessary to allow him/her to carry out his/her duties.

D. Uses and Disclosures You May Limit

To Your Family Member, Other Relative, or Close Personal Friend. Our practice may disclose your PHI to your family member, other relative, or close personal friend who is involved in your care or who helps pay for your care, provided such PHI is directly relevant to such person’s involvement in your health care, or to notify such person of your location, general condition, or death. Our practice will not make any such disclosure unless you are given a reasonable opportunity under the circumstances to object and did, in fact, not object. If you are not present or able to agree to these disclosures of your PHI, then using professional judgment, our practice may determine whether the disclosure is in your best interest.

E. When Written Authorization is Required

Other than for those purposes identified in this Notice, our practice will not use or disclose your PHI for any purpose unless you give us specific written authorization to do so, including the following:

  • uses and disclosures for marketing purposes; and
  • the sale of PHI.

If you change your mind after authorizing a use or disclosure of your PHI, you may submit a written revocation of the authorization. However, your decision to revoke the authorization will not undo any use or disclosure of information that occurred before you notified us of this decision. Your revocation will be effective upon our practice’s receipt of your written notice of cancelation or modification of the authorization.

The Authorization to Use and/or Disclose Protected Health Information and the Revocation of Authorization to Use and/or Disclose Protected Health Information forms are available from our practice staff.

F. Your Rights Regarding Your PHI

Federal privacy standards provide you with the following rights:

Right to Inspect and Copy. With limited exceptions, you have the right to inspect and obtain copies of your medical and billing records, or to have a copy sent to another person designated by you. For any portion of your PHI maintained in our practice’s electronic medical record, you may request copies of records in an electronic format, and if the records are available in that format, they will be provided in it. If they are not, we will provide an alternative format. For medical records, you must make your request in writing. There may be a reasonable cost-based charge for the copying, mailing, or other supplies associated with your request.

Our practice may deny your request to inspect and obtain copies of your PHI under very limited circumstances. If access is denied, you will be provided with a written denial setting forth the basis for the denial, a description of how you may exercise those review rights, and a description of how you may complain to the Secretary of the U.S. Department of Health and Human Services.

Right to Amend. If you feel your PHI is incorrect or incomplete, you may ask our practice to amend the information. You have the right to request an amendment from our practice as long as the information is kept by, or for, our practice. An amendment is not necessary to correct clerical errors.

To request an amendment, your request must be made in writing and submitted to 8320 Old Courthouse Road, Suite 310, Vienna, VA 22812. In addition, you must provide a reason supporting your request. FNAPC may deny your request for an amendment if it is not in writing or does not include a reason to support the request. Our practice may deny your request if you ask it to amend information which:

  • was not created by our practice, unless you can show the person or entity that created the information is no longer available to make the amendments; if so, we will add your request to the information records;
  • is not part of the medical information kept by or for our practice;
  • is not part of the information which you would be permitted to inspect and/or copy; or
  • is already accurate and complete.

Right to an Accounting of Disclosures. You have the right to request an accounting of disclosures, which includes a list and description of certain disclosures made by our practice regarding your PHI, other than those made for the purposes of treatment, payment, or health care operations or pursuant to your authorization.

To request this accounting of disclosures, you must submit your request in writing to 8320 Old Courthouse Road, Suite 310, Vienna, VA 22812. Your request must state a time period which may not be longer than six years and may not include dates before our practice adopted its privacy procedures. Your request should indicate in what form you want the list (for example, paper or electronically). The first list you request within a twelve (12) month period will be free. For additional lists, we may charge you for costs of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred.

Right to Request Restrictions. You have the right to restrict disclosure of health information to your health plan for services paid out of pocket in full prior to the service being provided. This restriction applies only if the disclosure is to a health plan for purposes of payment or health care operations and the PHI relates to a health care item or service for which the health care provider has been paid in full prior to the services.

You have the right to request other restrictions on our practice’s use or disclosure of medical information about you for treatment, payment or operations purposes, or disclosure of health information about you to someone who is involved in your care or the payment for your care. Our practice is not required to agree to your request for these restrictions. For instance, our practice will not be able to agree to requests that our practice cannot reasonably carry out, or that would interfere with your treatment such as restricting your referring or primary care physician’s access to your health information. Our normal process is to send records of your visit to your referring physician.

Requests to restrict disclosures of health records or disclosures of billing and payment records to other persons may be made by calling our office at (703) 403-5413. If we agree, we will comply with your request unless the information is needed to provide you emergency services.

Right to Request Confidential Communications. You have the right to request for our practice to communicate with you involving PHI in a certain manner or at a certain location. For example, you may ask that our practice only contact you at work or by mail. To request confidential communications, you must make your request in writing. Please submit your written request to 8320 Old Courthouse Road, Suite 310, Vienna, VA 22182. Our practice will not ask you the reason for your request. Our practice will accommodate all reasonable requests within our technical capabilities. Your request must specify how or where you wish to be contacted.

Right to Breach Notification. You have the right to receive notification of any impermissible acquisition, access, use, or disclosure of your unsecured PHI. Should such a breach of your unsecured PHI occur, our practice, or its authorized representative, will notify you without unreasonable delay after the date our practice discovered the breach.

Right to a Paper Copy of This Notice. You have a right at any time to request a paper copy of this Notice, even if you had previously agreed to receive an electronic copy. You may obtain a copy of this Notice on our practice’s website, http://kaufmanallergy.com/forms. To request a paper copy of this Notice, contact our practice at (703) 403-5413.

G. Changes to this Notice

Our practice reserves the right to change the terms of this Notice at any time for any reason to the extent permitted by law, effective for PHI it already has about you, as well as any information our practice receives in the future.

This Notice, or any material revisions, will be posted in locations where patients receive services as well as on our practice’s website, http://kaufmanallergy.com. The Notice will contain the effective date on the first page.

H. Questions or Concerns

If you would like to submit a question or concern about our practice’s privacy practices, or obtain more information about your patient rights, you may do so by contacting our practice:

8320 Old Courthouse Road, Suite 310
Vienna, VA 22182

Phone Number (703) 403-5413

If you believe your privacy rights have been violated, you may submit your complaint in writing to our practice. You may also contact our practice by telephone. If our practice cannot resolve your concern, you also have the right to file a written complaint with the Secretary of the Department of Health and Human Services. You will not be penalized or otherwise retaliated against for filing a complaint.

I. Social Security Numbers

Our practice may collect your social security number. We use social security numbers for identification and verification, for example to provide the right medical record when two patients have the same name. We are also required to collect social security numbers by Virginia law (Va. Code 58.1-521) for use if needed in the administrative offset program. Providing a social security number is voluntary. The privacy practices in this Notice apply to your social security number.