Last Updated: February 11, 2022
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal program that requires that all individually identifiable health information used or disclosed by us in any form, whether electronically, on paper or orally, be kept properly confidential. This Act gives you, the patient, significant new rights to understand and control how your health information is used. HIPAA provides penalties for covered entities that misuse Protected Health Information. “Protected Health Information” or “PHI” is information about you, including demographic information, that may identify you and that relates to your past, present or future physical or mental health or condition and related health care services, such as your name, date of birth, dates of services, diagnosis, treatments, medications, demographic information (name, address, home/cellular/work telephone numbers, emails, and social security number), and photographs.
Niivana shall only use or disclose your PHI if:
In addition to the above, we may use and disclose PHI in the following special circumstances:
As Required by Law. We will disclose PHI when required to do so by international, federal, state or local law.
To Avert a Serious Threat to Health or Safety. We may use and disclose PHI when necessary to prevent or lessen a serious threat to your health or safety, or the health or safety of the public or another person. Any disclosure, however, will be to someone who we believe may be able to help prevent the threat.
Business Associates. We may disclose PHI to the business associates that we engage to provide services on our behalf if the information is needed for such services. For example, we may use another company to perform billing services on our behalf or to provide video conferencing services on our behalf. Our business associates are obligated, under contract with us, to protect the privacy of your information and are not allowed to use or disclose any information other than as specified in our contract with them.
Military and Veterans. If you are a member of the armed forces, we may release PHI as required by military command authorities. We also may release PHI to the appropriate foreign military authority if you are a member of a foreign military.
Workers’ Compensation. We may disclose PHI as authorized by and to the extent necessary to comply with laws relating to workers’ compensation or similar programs. These programs provide benefits for work-related injuries or illness.
Public Health Risks. We may disclose PHI for public health activities. These activities generally include disclosures to prevent or control disease, injury or disability; report births and deaths; report child abuse or neglect; report reactions to medications or problems with products; notify people of recalls of products they may be using; track certain products and monitor their use and effectiveness; if authorized by law, notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; and conduct medical surveillance of our facilities in certain limited circumstances concerning workplace illness or injury. We also may release PHI to an appropriate government authority if we believe a patient has been the victim of abuse, neglect or domestic violence; however, we will only release this information if the patient agrees or when we are required or authorized by law.
Health Oversight Activities. We may disclose PHI to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure of our facilities and providers. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.
Lawsuits and Disputes. If you are involved in a lawsuit or a dispute, we may disclose PHI in response to a court or administrative order. We also may disclose PHI in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested.
Law Enforcement. We may release PHI if asked by a law enforcement official as follows: (1) in response to a court order, subpoena, warrant, summons or similar process; (2) limited information to identify or locate a suspect, fugitive, material witness, or missing person; (3) about the victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement; (4) about a death we believe may be the result of criminal conduct; (5) about evidence of criminal conduct on our premises; and (6) in emergency circumstances to report a crime, the location of the crime or victims, or the identity, description, or location of the person who committed the crime.
De-identified Information and Limited Data Sets. Niivana may use and disclose health information that has been “de-identified” by removing certain identifiers making it unlikely that you could be identified. Niivana also may disclose limited health information, contained in a “limited data set”. The limited data set does not contain any information that can directly identify you. For example, a limited data set may include your city, county and zip code, but not your name or street address.
Niivana shall ensure that for all routine and recurring uses and disclosures of PHI (except for uses or disclosures made 1) to or as authorized by the patient or 2) as required by law for HIPAA compliance) such uses and disclosures of PHI must be limited to the minimum amount of information needed to accomplish the purpose of the use or disclosure. Niivana shall also ensure that non-routine uses and disclosures will be handled pursuant to established criteria. It is also Niivana’s policy that all requests for PHI (except as specified above) must be limited to the minimum amount of information needed to accomplish the purpose of the request. Under HIPAA’s minimum necessary provisions, an organization must make reasonable efforts to limit PHI to the minimum necessary to accomplish the purpose of the use, disclosure or request. (45 CFR 164.502(b)).
Niivana employs additional safeguards for PHI that is subject to protection under other federal and state laws, for example, relating to mental health. As applicable, Niivana will obtain your permission before disclosing the information to other health care providers who are not involved in your treatment program or care.
You have the following rights, subject to certain limitations, regarding PHI that we maintain about you:
Right to Inspect and Copy. You have the right to inspect and receive a copy of your PHI that may be used to make decisions about your care or payment for your care, including information kept in an electronic health record, and/or tell us where to send the information. Please note that there may be a charge for paper or electronic copies of your records.
Right to Amend. If you feel that PHI that we have is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is maintained by or for us. You must tell us the reason for your request.
We may deny your request for an amendment to your record. We may do this if your request is not in writing or does not include a reason to support the request. We also may deny your request if you ask us to amend information that:
Right to an Accounting of Disclosures. You have the right to request an accounting of certain disclosures of PHI that we made.
Right to Request Restrictions. You have the right to request a restriction or limitation on the PHI that we use or disclose for treatment, payment, or health care operations. You have the right to request a limit on the PHI that we disclose about you to someone who is involved in your care or the payment for your care, like a family member or friend. For example, you could ask that we not share information about your surgery with your spouse. We are not required to agree to your request. If we agree to your request, we will comply with your request unless we need to use the information in certain emergency treatment situations.
In addition, you have the right to request that we restrict disclosure of your PHI to your health plan if the disclosure is for the purpose of carrying out payment or health care operations (and is not for the purpose of carrying out treatment) and the PHI pertains solely to a health care item or service for which you have paid in full. Niivana is not required to comply with your request if you do not pay for the service in full.
Right to Request Confidential Communications. You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we contact you only by mail or at work. Your request must specify how or where you wish to be contacted. We will accommodate reasonable requests. By providing us with certain information, you expressly agree that Niivana and its business associates can use certain information (such as your home/work/cellular telephone number and your email), to contact you about various matters, such as follow up appointments, collection of amounts owed and other operational matters. You agree you may be contacted through the information you have provided and by use of prerecorded/artificial voice messages and use of an automatic/predictive dialing system.
Right to a Paper Copy of This Notice. You have the right to a paper copy of this notice. You may ask us to give you a copy of this notice at any time. Even if you have agreed to receive this notice electronically, you are still entitled to a paper copy of this notice. You may obtain a copy of this notice at any time by contacting us by email at firstname.lastname@example.org.
To exercise any of your rights, you may send a written request to us at the address set forth below.
Niivana shall implement and maintain appropriate physical safeguards designed to reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Rule. Niivana will implement measures designed to ensure that the effects of any unauthorized use or disclosure of PHI be mitigated to the greatest extent possible.
In the event that a breach (as defined under applicable law) of your PHI in Niivana’s custody or control has been confirmed to have occurred, Niivana will notify you within 60 days following discovery and confirmation of the breach unless a delay in notification is requested by law enforcement or otherwise required by applicable law or legal process.
Niivana will ensure that all members of its workforce are appropriately trained on the policies and procedures governing PHI and compliance with the HIPAA Privacy and Security Rules. New members of its workforce shall receive training on these matters within a reasonable time after they have joined the workforce. Should any policy or procedure related to the HIPAA Privacy and Security Rule materially change, Niivana shall provide new training to update the workforce on those changes. This training will be provided within a reasonable time after the policy or procedure materially changes. Furthermore, all training provided to the workforce will be documented, indicating participants, date and subject matter.
Our HIPAA Privacy Officer will develop, coordinate, and facilitate initial and ongoing training programs on privacy, and coordinate privacy training with security training requirements. Each member of our workforce, including management, will be trained on our policies and procedures at least once annually in a formal setting, and regularly in an informal setting and as needed. Our HIPAA Privacy Officer will determine who needs additional training, the type of training that is appropriate, and the frequency with which such training will occur. New employees will participate in training within thirty (30) days following their first date of service.
All workforce members will participate in retraining on privacy policies and procedures related to the HITECH Act and the Breach Notification Rule, and on any other regulations related to the safeguarding of PHI.
Upon completing training or retraining, each member of our workforce will sign an acknowledgement form that he or she participated in training and is aware of and understands our organization’s privacy policies and procedures.
You may submit complaints either directly to Niivana’s HIPAA privacy officer or to the Secretary of Health and Human Services if you believe your privacy rights have been violated by us. You will be able to submit complaints anonymously. You may file a complaint with us by notifying our privacy officer of your complaint at our office and main telephone number set forth below. We will not retaliate against you for filing a complaint or otherwise exercising your rights under HIPAA.
555 Madison Avenue, Suite 1202
New York, New York 10022
Attn: Privacy Officer
The HIPAA Privacy Rule records retention requirement of six years will apply to PHI maintained by Niivana. All records designated by HIPAA in this retention requirement will be maintained in a manner that allows for access within a reasonable period of time. This records retention time requirement may be extended at Niivana’s discretion to meet with other governmental regulations or internal requirements.
Niivana will disclose PHI as required by the HIPAA Privacy Rule, and to HHS when it is undertaking a compliance investigation or review or enforcement action. Niivana shall additionally ensure that all personnel cooperate fully with all privacy compliance reviews and investigations.