THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
As part of the federal Health Insurance Portability and Accountability Act of 1996, known as HIPAA, Cure Urgent Care has created this Notice of Privacy Practices. This Notice states Cure Urgent Care’s privacy practices and rights you, the individual, have as they relate to the privacy of your Protected Health Information. Your PHI is information about you, or that could be used to identify you, as it relates to your past and present health care services and condition. We, at Cure Urgent Care want you to know that nothing is more central to our operations than maintaining the privacy of your PHI. We take our responsibility to protect this information very seriously. The HIPAA regulations require that Cure Urgent Care, and our Business Associates and their subcontractors, protect the privacy of your PHI that we have received or created. For anv uses or disclosures that are not listed below (Including Marketing and Selling of PHI), Cure Urgent Care will obtain a written authorization from you which you will have the right to revoke at any time. Cure Urgent Care reserves the right to change our privacy practices and this notice.
Cure Urgent Care will use and disclose your PHI for many different reasons. Some of the uses or disclosures will require your prior written authorization, others will not. Below you will find the different categories of uses and disclosures
A. USES AND DISCLOSURES RELATED TO TREATMENT, PAYMENT, OR HEALTHCARE OPERATIONS
A healthcare provider may use and disclose your PHI without your consent for the following reasons:
a. For treatment. A healthcare provider may disclose your PHI to physicians, psychologists, and other licensed health care providers who provide von with health care services or are otherwise involved in your care.
b. For health care operations. A healthcare provider may disclose your PHI to facilitate the efficient and correct operation of their practice. A healthcare profiler may also provide your PHI to their attorneys, accountants, consultants, and others to make sure that they are in compliance with applicable laws.
c. To obtain payment for treatment. A healthcare provider may disclose your PHI to collect payment for the treatment and services provided to you.
d. During an emergency. Your consent isn’t required if you need emergency treatment provided that a healthcare provider attempts to get your consent after treatment is rendered. In the event that a healthcare provider tries to get your consent but you are unable to communicate with them, e.g., you are unconscious or in severe pain, but they think that you would consent to such treatment if you could, they may disclose your PHI.
B. CERTAIN OTHER USES AND DISCLOSURES THAT DO NOT REQUIRE YOUR CONSENT
Cure Urgent Care may also use and disclose your PHI without your consent for the following reasons.
a. Uses and disclosures as required by law: We must disclose your PHI when required to do so by applicable federal or state law.
b. Uses and disclosure for Public Health Activities: We may disclose your PHI to federal, state, or local authorities, or other entities charged with preventing oi controlling disease, injury, or disability for public health activities. These activities may include the following: disclosures for reactions to medications or other products to the U.S. Food and Drug Administration or other authorized entity; disclosures to notify individuals of recalls, exposure to a disease, or risk for contracting or spreading a disease or condition.
c. Uses and disclosures for victims of abuse or neglect: Cure Urgent Care may provide PHI about you to a government authority if it is reasonably believed you are a victim of abuse, neglect or domestic violence.
d. Uses and disclosures for health oversight activities: We may disclose your PHI to an oversight agency for activities authorized by law. These oversight activities include audits, investigations, and inspections, as necessary for our licensure and for government monitoring of the health care system, government programs, and compliance with federal and applicable state law.
e. Disclosures to Individuals Involved in your Care: Cure Urgent Care may disclose PHI about you to individuals involved in your care.
f. Disclosures for judicial and administrative proceedings: Cure Urgent Care may disclose PHI about you in the course of any judicial or administrative proceedings, provided that proper documentation is presented to Cure Urgent Care.
g. Disclosures for law enforcement purposes: Cure Urgent Care may disclose PHI about you to law enforcement officials for authorized purposes as required by law or in response to a court order or subpoena.
h. Uses and disclosures about the deceased: Cure Urgent Care may disclose PHI about a deceased, or prior to, and in reasonable anticipation of an individual’s death, to coroners, medical examiners, and funeral directors.
i. Uses and disclosures for research purposes: Cure Urgent Care may use and disclose PHI about you for research purposes with a valid waiver of authorization approved by an institutional review board or a privacy board. Otherwise, Cure Urgent Care will request a signed authorization by the individual for all other research purposes.
j. Uses and disclosures to avert a serious threat to health or safety: Cure Urgent Care may use or disclose PHI about you, if it believed in good faith, and is consistent with any applicable law and standards of ethical conduct, to avert a serious threat to health or safety.
k. Uses and disclosures for specialized government functions: Cure Urgent Care may use or disclose PHI about you for specialized government functions including; public health emergencies, national security and intelligence, protective services, department of state functions, and correctional institutions and law enforcement custodial situations.
l. Disclosure for workers’ compensation: Cure Urgent Care may disclose PHI about you as authorized by and to the extent necessary to comply with workers’ compensation laws or programs established by law.
m. Disclosures for disaster relief purposes: Cure Urgent Care may disclose PHI about you as authorized by law to a public or private entity to assist in disaster relief efforts and for family and personal representative notification.
n. Disclosures to business associates: Cure Urgent Care may disclose PHI about you to Cure Urgent Care’s business associates for services that they may provide to or for Cure Urgent Care. To ensure the privacy of your PHI, we require all business associates to apply appropriate safeguards to any PHI they receive or create.
o. Disclosures after death: Cure Urgent Care may disclose deceased individuals’ PHI to non-family members, as well as family members, who were involved in the care or payment for healthcare of the decadent prior to death; however, the disclosure will be limited to PHI relevant to such care or payment and cannot be inconsistent with any prior expressed preference of the deceased individual.
p. Appointment reminders and health related benefits or services: Cure Urgent Care is permitted to contact you, without your prior authorization, to provide appointment reminders or information about alternative or other health-related benefits and services that may be of interest to you.
C. FOR ALL OTHER USES AND DISCLOSURES
In any other situation not described in Sections A and B, Cure Urgent Care will request your written authorization before using or disclosing any of your PHI. In addition, you may revoke such an authorization in writing at any time. To revoke a previously authorized disclosure please contact Cure Urgent Care.
When it comes to your health information, you have certain rights. This section explains your rights and some of our responsibilities to you.
1. The right to view and obtain copies of Your PHI. You have a right to see, and to keep a copy of your health records and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. Your request for a copy of your record must be in writing. We will provide a copy or a summary of your health and claims records, usually within 30 days of your request. We may charge a reasonable, cost-based fee. In very limited circumstances your request to inspect and obtain a copy of your health information may be denied. In that case, you may request that the denial be reviewed by an independent person.
2. The right to request limits on uses and disclosures of your PHI. You can ask us not to use or share certain health information for treatment, payment, or our operations. You may also request that any part of your protected health information not be disclosed to family members or friends who may be involved in your care or for notification purposes as described in this Notice. Additionally, you may obtain restrictions on the disclosure of your PHI to a health plan for payment or healthcare operations with respect to specific items and services for which you have paid out of pocket in full. To request a restriction, you must make your request in writing using the Contact Information at the end of this Notice. In your request, you must indicate (1) what information you want to limit; (2) whether you want to limit the Plan’s use, disclosure or both; and (3) to whom you want the limits to apply. We are not required to agree to your request.
3. The right to choose how a healthcare provider sends your PHI to you. It is your right to ask that your PHI be sent to you at an alternate address or by an alternate method. The healthcare provider is obliged to agree to your request providing that they can give you the PHI in the format you requested, without undue inconvenience.
4. You have the right to receive an accounting of disclosures. You have the right to request a list of disclosures of your health information that we have made that were not required for payment, or health care operations, required by law, or authorized by you. Your written request must state the time period for the requested information and be no greater than six years prior to date of request.
5. The right to amend Your PHI. If you believe that there is some error in your PHI or that important information has been omitted, it is your right to request that the healthcare provider correct the existing information or adds the missing information. Your request and the reason for the request must be made in writing. You will receive a response within 30 days of receipt of your request. If your request is denied, you have the right to file a written statement objecting to the denial. If you do not file a written objection, you still have the right to ask that your request and the denial be attached to any future disclosures of you PHI.
6. The right to receive additional copies of this HIPAA Privacy Notice: You have the right to request an additional paper or electronic copy of this notice. You also have the right to direct the healthcare provider to transmit an electronic copy of PHI to an entity or person designated by you.
7. Notification of Breaches: You will be notified of any breaches that have compromised the privacy of your PHI.
Additional HIPAA Rules and Information
A. Minimum Necessary Rule
Our staff will not use or access your PHI unless it is necessary to do their jobs. All of our team members are trained in HIPAA Privacy rules and sign strict Confidentiality Contracts with regards to protecting and keeping private your PHI. So do our Business Associates and their Subcontractors.
B. Incidental Disclosure Rule
We will take reasonable administrative, technical and security safeguards to ensure the privacy of your PHI when we use or disclose it. However, in the event that there is a breach in protecting your PHI we will follow Federal Guidelines to HIPAA Omnibus Rule Standard to first evaluate the breach situation using the Omnibus Rule, 4-Factor Formula for Breach Assessment. Then we will document the situation, retain copies of the situation on file, and report all breaches (other than low probability as prescribed by the Omnibus Rule) to the US Department of Health and Human Services at:
We will also make proper notification to you and .my other parties of significance as required by HIPAA Law.
C. Business Associate Rule
Business Associates and other third parties (if any) that receive your PHI from us will be prohibited front re-disclosing it unless required to do so by law or you give prior express written consent to the re-disclosure. Nothing in our Business Associate agreement will allow Cure Business Associates to violate this re-disclosure prohibition, Under Omnibus Rule, Business Associates will sign a strict confidentiality agreement binding them to keep your PHI protected and report any compromise of such information to us, you and the United States Department of Health and Human Services, as well as other required entities. Our Business Associates will also follow Omnibus Rule and have any of their Subcontractors that may directly or indirectly have contact with your PHI, sign Confidentiality Agreements to Federal Omnibus Standard.
D. Super-confidential Information Rule
If we have PHI about you regarding communicable diseases, disease testing, alcohol or substance abuse diagnosis and treatment, or psychotherapy and mental health records (super confidential information under the law), we will not disclose it under the “USES AND DISCLOSURES RELATED TO TREATMENT, PAYMENT, OR HEALTHCARE OPERATIONS” Rules above without your first signing and properly completing our Authorization form (i.e. you specifically must initial the type of super-confidential information we are allowed to disclose). If you do not specifically authorize disclosure by initialing the super-confidential information, we will not disclose it unless authorized under the Special HIPAA Disclosure Rules (i .e. we are required by law to disclose it). If we disclose super confidential information (either because you have initialed the consent form or the Special Rules authorizing us to do so), we will comply with state and federal law that requires us to warn the recipient in writing that re-disclosure is prohibited.
E. Faxing and Emailing Rule
then you request us to fax or email your PHI as an alternative communication, we may agree to do so, but only after having our Privacy Officer or treating doctor review that request. For this communication, our Privacy Officer will confirm that the fax number or email address is correct before sending the message and ensure that the intended recipient has sole access to the fax machine or computer before sending the message; confirm receipt, locate our fax machine or computer in a secure location so unauthorized access and viewing is prevented; use a fax cover sheet so the PHI is not the first page to print out (because unauthorized persons may view the top page); and attach an appropriate notice to the message. Our emails are all encrypted per Federal Standard for your protection.
F. Practice Transition Rule
If we sell our practice, our patient records (including but not limited to your PHI) may be disclosed and physical custody may be transferred to the purchasing healthcare provider, but only in accordance with the law. The healthcare provider who is the new records owner will be solely responsible for ensuring privacy of your PHI after the transfer and you agree that we will have no responsibility for (or duty associated with) transferred records. If all the owners of our practice die, our patient records (including but not limited to your PHI) must be transferred to another healthcare provider within 90 days to comply with State & Federal Laws. Before we transfer records in either of these two situations, our Privacy Officer will obtain a Business Associate Agreement front the purchaser and review your PHI for super-confidential information (i.e. communicable disease records), which will not be transferred without your express written authorization (indicated by your initials on our Consent form).
G. Inactive Patient Records
We will retain your records in accordance with New York State law or for six years from your last treatment or examination, at which point you will become an inactive patient in our practice and we may destroy your records at that time (but records of inactive minor patients will not be destroyed before the child’s 18th birthday). We will do this only in accordance the law (i.e. in a confidential manner, with a Business Associate Agreement prohibiting re-disclosure if necessary).
If we use or disclose your PHI for collections purposes, we will do so only in accordance with the law.