ASAP Privacy and Security Notice -- Notice of Policies and Practices to Protect the Privacy of Your Health Information

 

THIS NOTICE DESCRIBES HOW PSYCHOLOGICAL AND MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

 

I. Uses and Disclosures for Treatment, Payment, and Health Care Operations

ASAP may use or disclose your protected health information (PHI), for treatment, payment, and health care operations purposes with your consent. To help clarify these terms, here are some definitions:

· “PHI” refers to information in your health record that could identify you.

· “Treatment, Payment and Health Care Operations”

– Treatment is when ASAP provides, coordinates or manages your health care and other services related to your health care. An example of treatment would be when ASAP consults with another health care provider, such as your family physician or another mental health professional.

– Payment is when ASAP obtains reimbursement for your healthcare. Examples of payment are when ASAP discloses your PHI to your health insurer to obtain reimbursement for your health care or to determine eligibility or coverage.

– Health Care Operations are activities that relate to the performance and operation of ASAP’s practice. Examples of health care operations are quality assessment and improvement activities, business-related matters such as audits and administrative services, and case management and care coordination.

· “Use” applies only to activities within ASAP’s practice such as sharing, employing, applying, utilizing, examining, and analyzing information that identifies you.

· “Disclosure” applies to activities outside of ASAP’s  practice such as releasing, transferring, or providing access to information about you to other parties.

 

II. Uses and Disclosures Requiring Authorization

ASAP may use or disclose PHI for purposes outside of treatment, payment, or health care operations when your appropriate authorization is obtained. An “authorization” is written permission above and beyond the general consent that permits only specific disclosures. In those instances when ASAP is asked for information for purposes outside of treatment, payment or health care operations, ASAP will obtain an authorization from you before releasing this information. ASAP will also need to obtain an authorization before releasing your Psychotherapy Notes. “Psychotherapy Notes” are notes ASAP may have made about conversations during a private, group, joint, or family counseling session, which have kept separate from the rest of your medical record. These notes are given a greater degree of protection than PHI.

You may revoke all such authorizations (of PHI or Psychotherapy Notes) at any time, provided each revocation is in writing. You may not revoke an authorization to the extent that (1) ASAP has relied on that authorization; or (2) if the authorization was obtained as a condition of obtaining insurance coverage, law provides the insurer the right to contest the claim under the policy.

 

III. Uses and Disclosures with Neither Consent nor Authorization

ASAP may use or disclose PHI without your consent or authorization in the following circumstances:

· Child Abuse – ASAP is required to report PHI to the appropriate authorities when staff have reasonable grounds to believe that a minor is or has been the victim of neglect or physical and/or sexual abuse.

· Adult and Domestic Abuse – If ASAP has the responsibility for the care of an incapacitated or vulnerable adult, staff are required to disclose PHI when they have a reasonable basis to believe that abuse or neglect of the adult has occurred or that exploitation of the adult's property has occurred.

· Health Oversight Activities – If an Arizona professional regulatory board is conducting an investigation, then ASAP is required to disclose PHI upon receipt of a subpoena from the Board.

· Judicial and Administrative Proceedings – If you are involved in a court proceeding and a request is made for information about the professional services ASAP provided you and/or the records thereof, such information is privileged under state law, and ASAP will not release information without the written authorization of you or your legally appointed representative or a court order. The privilege does not apply when you are being evaluated for a third party or where the evaluation is court ordered. You will be informed in advance if this is the case.

· Serious Threat to Health or Safety – If you communicate to ASAP an explicit threat of imminent serious physical harm or death to a clearly identified or identifiable victim(s) and ASAP staff believe you have the intent and ability to carry out such a threat, ASAP has a duty to take reasonable precautions to prevent the harm from occurring, including disclosing information to the potential victim and the police and in order to initiate hospitalization procedures. If ASAP believes there is an imminent risk that you will inflict serious harm on yourself, ASAP may disclose information in order to protect you.

· Worker’s Compensation – ASAP may disclose PHI as authorized by and to the extent necessary to comply with laws relating to worker’s compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.

​

IV. Patient’s Rights and Provider’s Duties

Patient’s Rights:

· Right to Request Restrictions – You have the right to request restrictions on certain uses and disclosures of protected health information. However, ASAP is not required to agree to a restriction you request.

· Right to Receive Confidential Communications by Alternative Means and at Alternative Locations – You have the right to request and receive confidential communications of PHI by alternative means and at alternative locations.  On your request, ASAP will send your bills to another address.

· Right to Inspect and Copy – You have the right to inspect or obtain a copy (or both) of PHI in ASAP mental health and billing records used to make decisions about you for as long as the PHI is maintained in the record. ASAP may deny your access to PHI under certain circumstances, but in some cases you may have this decision reviewed. On your request, ASAP will discuss with you the details of the request and denial process.

· Right to Amend – You have the right to request an amendment of PHI for as long as the PHI is maintained in the record. ASAP may deny your request. On your request, ASAP will discuss with you the details of the amendment process.

· Right to an Accounting – You generally have the right to receive an accounting of disclosures of PHI. On your request, ASAP will discuss with you the details of the accounting process.

· Right to a Paper Copy – You have the right to obtain a paper copy of the notice upon request, even if you have agreed to receive the notice electronically.

Provider’s Duties:

· ASAP is required by law to maintain the privacy of PHI and to provide you with a notice of its legal duties and privacy practices with respect to PHI.

· ASAP reserves the right to change the privacy policies and practices described in this notice. Unless ASAP notify you of such changes, however, ASAP is required to abide by the terms currently in effect.

· If ASAP revises its policies and procedures, ASAP may notify you by US mail.

 

V.  ASAP Specific Policies

The ASAP organization was founded in 1991—before even the widespread use of the internet.  Since 1991 ASAP has been successful as a model program for the protection of client’s personal information because we have followed one foundational principle:  We regularly, and frequently, assess the particular wishes of our clients regarding the specific protection of their personal information.   This careful assessment of our client’s security preferences has consistently yielded the following safety plan: 1)  Paper medical records are  preferred to electronic medical records and always utilized, 2) Texting, even for appointment reminders, is not used, 3)  Sharing of information, including PHI, both between ASAP staff and clients and also among ASAP staff, by use of regular unencrypted e-mail is preferred, aware of the risks inherent in e-mail, and 4) Electronic billing of health insurance companies is considered safe, and preferred over paper claims.   By signature below we expressly agree to the specific practice of these four safety plans for the protection of our Protected Health Information (PHI).

Many parents have regularly expressed concern about the frequent, and sometimes massive, data breeches and ransomware they hear about through the media.   Our parents have asked us to continue to maintain paper records for the greater security they offer in the digital age.  We comply with their wishes.  Similarly, for security purposes ASAP does not text patients, aware of the challenges in trying to secure text messages.  On the other hand, electronic healthcare billing with a reliable HIPPA-compliant software company has proven safe for many years now, and is preferred by our parents.  ASAP utilizes the services of Claim MD to complete safe and efficient electronic health care billing.

Regarding e-mail, HIPPA regulations state that covered entities are permitted to send individuals unencrypted e-mails if they have advised the individual of the risk, and the individual still prefers the unencrypted e-mail.   Our parents at ASAP have strongly and consistently expressed the desire to use regular, unencrypted e-mail, both between themselves and ASAP staff and also among ASAP staff.  Here is our required warning of the risks and limitation of unencrypted e-mail:  Advice of the risks and limitations of unencrypted e-mail:  We want to make sure you know that unencrypted e-mail communications are not secure communications.  When we send you an e-mail, or you send us an e-mail, the information that is sent is not encrypted.  E-mail is inherently unsecure unless it is fully encrypted by means of strong authentication and password protection.  Among the risks of using e-mail to communicate medical information:  1)  E-mail can be forwarded, printed, and stored and unknowingly received by unintended recipients, 2)  E-mail can be sent to the wrong address, 3) E-mail is easier to forge than handwritten papers or signatures, 4)  Copies of e-mails can exist after the send or receiver has deleted an e-mail,  5) E-mail service providers have a right to archive and inspect e-mails sent through them, 6)  E-mail can be intercepted, altered, or forwarded without detection, 7)  E-mail can spread computer viruses, 8)  E-mail delivery is not guaranteed, 9)  E-mail can be used for Phishing (fraudulent obtaining of information.)  You agree to the four security plans above.  You acknowledge your recognition and understanding of the risks of communicating your health information via unencrypted e-mail, and hereby consent to receive such communications despite those risks.  You expressly agree to the use of unencrypted e-mail between you and ASAP staff, and also among ASAP staff.  By signing below you also acknowledge that you have the choice to receive communications via other more secure means, such as telephone.  By signing below, you agree to hold ASAP harmless for unauthorized use, disclosure or access of your protected health information sent to the e-mail address you provide.

​

VI. Complaints

If you are concerned that ASAP have violated your privacy rights, or you disagree with a decision ASAP made about access to your records, you may contact ASAP staff at 602 434-0249 for further information

You may also send a written complaint to the Secretary of the U.S. Department of Health and Human Services.

​

VII. Effective Date, Restrictions, and Changes to Privacy Policy

This notice will go into effect on 4-14-2003.  Renewed on 6-20-20.

ASAP will limit the uses or disclosures that ASAP staff will make as follows: what is reasonably necessary to accomplish the purpose for which the request is made.  ASAP reserves the right to change the terms of this notice and to make the new notice provisions effective for all PHI that ASAP maintains. ASAP may provide you with a revised notice by US mail.

 

 

​

​