CFMC is required by law to maintain the privacy of protected health information (PHI) and to provide individuals with notice of its legal duties and privacy practices. CFMC must abide by the terms of the current notice but reserves the right to change practices. An individual has the right to file a complaint with the covered entity or the U. S. Department of Health and Human Services, and no retaliation will occur. Other PHI uses and disclosures will only be made with an individual's written authorization, which the individual may revoke.
The individual has certain rights regarding his/her PHI. The individual has the right to request restrictions on certain PHI uses and disclosure. CFMC is not required by law to agree to the restriction. The individual has the right to receive confidential PHI communications. PHI may be inspected and copied. The individual has the right to amend PHI. An accounting of PHI disclosures may be requested by the individual. The individual also has the right to receive a paper copy of notices.
Required Disclosures
1 - PHI (Protected Health Information) must be disclosed to individuals who request access to their own PHI or request an accounting of PHI disclosures.
2 - PHI must be disclosed when required by the U.S. Department of Health and Human Services (HHS) to determine a covered entity's compliance with the privacy rules.
The disclosure is only required to enforce the privacy rules, not for other reasons such as enforcing coordination of benefits under the Medicare Secondary Payer law.
Permitted Disclosure
The privacy rules permit a covered entity to use and disclose PHI without consent or authorization, or without allowing the individual to object or agree to the use or disclosure if:
1 - The PHI is used by or disclosed to the individual who is the subject of the PHI.
2 - The use or disclosure is based on and is in compliance with a consent that complies with the privacy rules regarding treatment, payment or health care operations (TPO).
3 - The consent is not required for TPO purposes and has not been sought (except regarding psychotherapy notes).
4 - The use or disclosure is based on and is in compliance with a valid authorization.
5 - The use or disclosure is based on an agreement.
A group health plan may use PHI without consent or authorization for treatment, payment and health care operations functions.
While health care providers must obtain prior consent to use or disclose PHI for TPO purposes, The U. S. Department of Health and Human Services (HHS) saw no need to require consent for health plans, which unlike providers, generally do not obtain consent. However, plans may obtain consent to use or disclose PHI for TPO purposes. If a plan seeks individual consent, the consent must meet the content and use requirements established in the rules.
You may contact Debi Hardwick, HIPAA Officer, at 831-754-3800.
This document is effective July 1, 2002