ILLINOIS BONE AND JOINT INSTITUTE, LLC


HIPAA NOTICE OF PRIVACY PRACTICES

Revised March 2019


THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED OR DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION AS REQUIRED BY THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA). PLEASE REVIEW IT CAREFULLY.


IF YOU HAVE ANY QUESTIONS ABOUT THIS NOTICE OR IF YOU NEED MORE INFORMATION, PLEASE CONTACT THE IBJI COMPLINACE MANAGER. DIVISION LOCATIONS AND NUMBERS ARE LISTED AT THE END OF THIS NOTICE.


About this Notice

This Notice of Privacy Practices describes how we may use and disclose your protected health information (PHI) to carry out treatment, payment or healthcare operations and for other purposes that are permitted or required by law. It also describes your rights to access and control your PHI. The terms of this notice apply to all records that we have created or maintained in the past and for any records that we may create or maintain in the future.


We are required by law to abide by the terms of this Notice of Privacy Practices and provide you with a copy of this notice. We have the right to change the terms of our notice at any time. The new notice will be effective for all PHI that we maintain at that time. Upon your request, we will provide you with any revised Notice of Privacy Practices.


What is Protected Health Information?

Protected Health Information is information that individually identifies you and that we create or get from you or from another health care provider, a health plan, your employer, or a health care clearinghouse and that relates to (1) your past, present, or future physical or mental health or conditions, (2) the provision of health care to you, or (3) the past, present, or future payment for your healthcare.


How We May Use and Disclose Your Protected Health Information

Your PHI may be used and disclosed by our physicians, office staff and others outside of our office that are involved in your care and treatment for the purpose of providing health care services to you. Your PHI may also be used and disclosed to obtain payment for services provided to you and to support the operation of our practice.


The following are examples of the types of uses and disclosures of your PHI that our office is permitted to make under HIPAA. These examples are not meant to be exhaustive, but describe some of the types of uses and disclosures that may be made by our office for treatment, payment and health care operations.


For Treatment: We may use PHI to give you medical treatment or services and to manage and coordinate your medical care. For example, we may disclose PHI to doctors, nurses, technicians, or other personnel who are involved in taking care of you, including physicians or health care providers outside our practice, such as referring or specialist physicians or laboratories.


For Payment: Your PHI will be used, as needed, to obtain payment for your health care services from you, your family members or your health insurance provider. This may include certain activities that your health insurance plan may undertake before it approves or pays for the health care services we recommend for you such as making a determination of eligibility for insurance benefits, reviewing services provided to you for medical necessity and undertaking utilization review activities. For example, obtaining approval for a hospital stay may require that your PHI be disclosed to the health plan to obtain approval for the hospital admission.

For Health Care Operations: We may use and disclose PHI for our health care operations. For example, we may use PHI for our general business management activities, for checking on the performance of our staff in caring for you, for our cost-management activities, for audits, or to get legal services. We may give PHI to other health care entities for their health care operations, for example, to your health insurer for its quality review purposes.


All disclosures of your PHI will be limited to the minimum necessary or that which is contained in a limited data set (e.g. PHI that excludes certain identifiers including demographic information, photographs, etc.). We will not sell your PHI without specific, individual authorization.


Appointment Reminders/Treatment Alternatives/Health-Related Benefits and Services: We may use and disclose PHI to contact you to remind you that you have an appointment for medical care, or to contact you to tell you about possible treatment options or alternatives or health related benefits and services that may be of interest to you.


Armed forces: We may use or disclose the PHI of Armed Forces personnel to the military for proper execution of a military mission. We may also use and disclose PHI to the Department of Veterans Affairs to determine eligibility for benefits.


Business Associates: We may disclose PHI to our business associates who perform functions on our behalf or provide us with services if the PHI is necessary for those functions or services. For example, we may use another company to do our billing, or to provide transcription or consulting services for us. All of our business associates are obligated, under contract with us, to protect the privacy of your PHI.


Correctional Institutions and Custodial Situations: We may use or disclose PHI to correctional institutions or law enforcement custodians for the safety of individuals at the correctional institution, those that are responsible for transporting inmates, and others.


Disaster Relief Purposes: We may use or disclose your PHI to a public or private entity authorized to assist in disaster relief efforts.


Emergencies: We may use or disclose your PHI in an emergency treatment situation. If this happens, your physician shall try to obtain your consent as soon as reasonably practical after the delivery of treatment.


Fundraising/Marketing: We may use your PHI for fundraising or marketing activities in accordance with, and as permitted by the HIPAA Rule.


Fundraising: We may contract you for fundraising efforts, but you can tell us not to contact you again.


Health Oversight Activities: We may disclose PHI to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, licensure, and similar activities that are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.


Immunizations: If we obtain and document your verbal or written agreement to do so, we may release proof of immunization to a school where you are a student or prospective student.


Judicial and Administrative Proceedings: We may use and disclose your PHI in judicial and administrative proceedings. Efforts may be made to contact you prior to a disclosure of your PHI to the party seeking the information.


Law Enforcement: We may release PHI if asked by a law enforcement official for the following reasons: in response to a court order, subpoena, warrant, summons or similar process; to identify or locate a suspect, fugitive, material witness, or missing person; about the victim of a crime, or about a death we believe may be the result of criminal conduct on our premises; and in emergency circumstances to report a crime, the location of the crime or victims, or the identity description, or location of the person who committed the crime.


Lawsuits and Disputes: If you are involved in a lawsuit or a dispute, we may disclose PHI in response to a court or administrative order. We also may disclose PHI in response to a subpoena, discovery request, or other legal process from someone else involved in the dispute. We may also use or disclose your PHI to defend ourselves if you sue us.

Medical Residents, Medical Students and Other Students: Medical residents, medical students, and other students may observe or participate in your treatment or use your PHI to assist in their training. You have the right to refuse to be examined, observed, or treated by medical residents, medical students or other students.


Minors: We may disclose the PHI of minor children to their parents or guardians unless such disclosure is otherwise prohibited by law.


National Security: We may release PHI to authorized federal officials for national security activities authorized by law. For example, we may disclose PHI to those officials so they may protect the President.


Newsletters and Other Communications: We may use your PHI to communicate to you by newsletters, mailings, or other means regarding treatment options, health related information, disease management programs, wellness programs, or other community based initiatives or activities in which our practice is participating.


Others Involved in your Health Care: Unless you object, we may disclose to a family member, relative or close friend your PHI that directly relates to that person’s involvement in your care. We may use or disclose PHI to notify or assist in notifying a family member, personal representative or any other person that is responsible for your care or your location, general condition or death.


Personal Representative: If you have a personal representative, such as a legal guardian (or an executor or administrator of your estate after your death), we will treat that person as if that person is you with respect to disclosures of your PHI.


Public Health Risks: We may disclose PHI for public health activities. This includes disclosures to: (1) a person subject to the jurisdiction of the Food and Drug Administration (“FDA”) for purposes related to the quality, safety or effectiveness of an FDA regulation, product or activity; (2) prevent or control disease, injury or disability; (3) report births and deaths; (4) report child abuse or neglect; (5) report reactions to medications or problems with products; (6) notify people of recalls of products they may be using; (7) a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; (8) the appropriate government authority if we believe a patient has been the victim of abuse, neglect, or domestic violence and the patient agrees or we are required or authorized by law to make that disclosure (9) to coroners, medical examiners and funeral directors as needed to perform their duties as required by law; and (10) to organ procurement organizations for the purpose of facilitating organ, eye or tissue donation and transplantation.


Research: We may use and disclose your PHI for research purposes, in accordance with and as permitted by the HIPAA Rule including if the research has been specifically approved by an institutional review board or a privacy board that has reviewed the research proposal and has set up protocols to ensure the privacy of your PHI. Even without that special approval, we may permit researcher to look at PHI to help them prepare for research, for example to allow them to identify patients who may be included in their research project, as long as they do not remove, or take a copy of, any PHI. We may use and disclose a limited data set that does not contain specific readily identifiable information about you for research. But we will only disclose the limited data set if we enter into a data use agreement with the recipient who must agree to (1) use the data set only for the purposes for which it was provided, (2) ensure the security of the data, and (3) not identify the information or use it to contact any individual.


Special Situations: We may use or disclose your PHI in the following situations without your authorization, subject to all applicable legal requirements and limitations:


Required By Law: We may use or disclose your PHI as required by international, federal, state or local law. The use or disclosure will be made in compliance with the law and will be limited to the relevant requirements of the law. You will be notified, as required by law, of any such use or disclosure.


Public Benefit: We may use or disclose your PHI as authorized by law for purposes deemed to be in the public interest or benefit as stated above.


To Avert a Serious Threat to Health or Safety: We may use and disclose PHI when necessary to prevent a serious threat to your health or safety or to the health or safety of others. But we will only disclose the information to someone who may be able to help prevent the threat.

Work-Related Injuries/Workers’ Compensation: We may use or disclose PHI for workers’ compensation or similar programs that provide benefits for work-related injuries or illness. We may communicate regarding your PHI with your employer to clarify work restrictions if you are receiving workers’ compensation benefits.


Your Written Authorization is Required for Other Uses and Disclosures

Other uses and disclosures of PHI not covered by this Notice or the laws that apply to us will be made only with your written authorization, unless otherwise permitted or required by law as described above. If you do give us an authorization, you may revoke it at any time by submitting a written revocation to our Privacy Manager and we will no longer disclose PHI under the authorization. But disclosures that we made in reliance on your authorization before you revoked it will not be affected by the revocation.


Special Protections for HIV, Alcohol and Substance Abuse, Mental Health, and Genetic Information/Illinois Law

Illinois law provides certain requirements that govern the use or disclosure of your PHI. You may apply special protections to your mental health treatment, genetic information, your AIDS/HIV status, and alcohol or drug abuse treatment information. Some parts of this general Notice of Privacy Practices may not apply to these kinds of PHI. Please check with our Privacy Manager for information about the special protections that do apply.


Your Rights Regarding Your Protected Health Information

You have the following rights, subject to certain limitations, regarding your PHI:


Right to Inspect and Copy: You have the right to inspect and copy PHI that may be used to make decisions about your care or payment for your care. Any request for PHI must be made in writing. We may charge you a fee for the costs of copying, mailing or other supplies associated with your request. We may not charge you a fee if you need the information for a claim for benefits under the Social Security Act or any other state or federal needs-based benefit program. We may deny your request in certain limited circumstances and will provide you a written explanation for that denial. We will also let you know if the reasons for the denial can be reviewed and how to request such a review. Under federal law, you may not inspect or copy the following records: psychotherapy notes, information compiled in reasonable anticipation of, or use in, a civil, criminal or administrative action or proceeding and other protected information access to which is restricted by law.


Right to an Electronic Copy of Electronic Medical Records: If your PHI is maintained in an electronic format (known as an electronic medical record or an electronic health record), you have the right to request that an electronic copy of your record be given to you or transmitted to another individual or entity. We may charge you a reasonable, cost-based fee for the labor associated with transmitting the electronic medical record.


Right to Get Notice of a Security Breach: We are required to notify you by first class mail or by e-mail (if you have indicated a preference to receive information by e-mail), of any breach of your Unsecured PHI as soon as possible, but in any event, no later than 60 days after we discover the breach. “Unsecured Protected Health Information” is PHI that has not been made unusable, unreadable, and undecipherable to unauthorized users.


Right to Confidential Communications: You have the right to request that we communicate with you about your PHI by alternate means or at alternate locations. Your request must be submitted, in writing, to our Privacy Manager. We will not ask for a reason for your request. We will accommodate most reasonable requests. We may condition this accommodation by asking for information as to how payment will be handled. We do not have to agree to your request.


Right to Request Amendments: You have the right to request an amendment of your PHI within a designated record set for as long as we maintain this information. Your request must be in writing with an explanation of what information is to be amended and why. We may deny this request, and if denied, we will provide you a written explanation. You may respond to this denial with a statement of disagreement to be attached to the information you want amended. If we do not accept your request, we will make reasonable efforts to inform others who we are aware of that also have this information of this amendment and to include it in any future disclosures.


Right to an Accounting of Disclosures: You have the right to ask for an “accounting of disclosures”, which is a list of the disclosures we made of your PHI. We are not required to list certain disclosures, including (1) disclosures made for treatment, payment, and health care operations purposes (2) disclosures made with your authorization, (3) disclosures made to create a limited data set, and (4) disclosures made directly to you. You must submit your request in writing to our Privacy Manager. Your request must state a time period which may not be longer than 6 years before your request. The first accounting of disclosures you request within any 12-month period will be free. For additional

requests within the same period, we may charge you for the reasonable costs of providing the accounting report. We will tell you what the costs are, and you may choose to withdraw or modify your request before the costs are incurred.


Right to Request Restriction: You have the right to request a restriction or limitation of the PHI we use or disclose for treatment, payment, or health care operations. You also have the right to request a limit on the PHI we disclose about you to someone who is involved in your care or the payment for your care, like a family member or friend. We are not required to agree to your request. If we agree, we will comply with your request unless we terminate our agreement or the information is needed to provide you with emergency treatment. A request to restrict must be made in writing to our Privacy Manager and must specifically identify the requested restrictions. We will not accept any restriction request that is not in writing.


Out-of-Pocket-Payments: If you paid out-of-pocket in full for a specific item or service, you have the right to ask that your PHI with respect to that item or service not be disclosed to a health plan for purposes of payment or health care operations, and we will honor that request. This request for restriction must be made in writing to our Privacy Manager.


Right to a Paper Copy of This Notice: You have the right to a paper copy of this notice, even if you have agreed to receive this Notice electronically. You may request a copy of this Notice at any time. You can get a copy of this Notice at our website: http://www.ibji.com


How to Exercise Your Rights

To exercise your rights described in this Notice, send your request, in writing to our Privacy Manager at the address below. We may ask you to fill out a form that we will supply. To get a paper copy of this Notice, contact our Privacy Manager by phone or mail.


Changes To This Notice

The effective date of this Notice is stated at the beginning. We reserve the right to change this Notice. We reserve the right to make the changed Notice effective for PHI we already have as well as for any PHI we create or receive in the future. A copy of our current Notice is posted in our office and on our website.


Complaints

If you believe your privacy rights have been violated, you may file a complaint with us or with the Secretary of the United States Department of Health and Human Services.


To file a complaint with us, contact our Privacy Manager at the address listed below. All complaints must be made in writing and should be submitted within 180 days of when you knew or should have known of the suspected violation. There will be no retaliation against you for filing a complaint.


To file a complaint with the Secretary, mail it to: Secretary of the U.S. Department of Health and Human Services, 200 Independence Ave, S.W., Washington, D.C. 20201. Call (877) 696-6775 or go to the website of the Office for Civil Rights, www.hhs.gov/ocr/hipaa/complaints/., for more information. There will be no retaliation against you for filing a complaint.


Questions and Complaints


If you want more information about our privacy practices, or have questions or concerns, please contact IBJI Compliance Manager:


Illinois Bone and Joint Institute, LLC

900 Rand Road

Des Plaines, IL 60016

Phone: 847-324-3981