HIPAA Notice of Privacy Practices

Effective date: June 18, 2026

THIS NOTICE DESCRIBES HOW YOUR MEDICAL INFORMATION MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Medical Group: Legion Health, PA (and any affiliated professional practices that adopt this Notice)
Address: 1606 Headway Cir, STE #9779, Austin, TX 78754
Email: privacy@legionhealth.com

Purpose

Legion Health, PA, a Texas professional association (“Medical Group,” “we,” “our,” or “us”), respects your privacy. We are legally required to maintain the privacy of your protected health information (“PHI”) under the Health Insurance Portability and Accountability Act (“HIPAA”) and other federal and state laws. We follow state privacy laws when they are stricter or more protective of your PHI than federal law.

As part of our commitment and legal obligations, we are providing you with this Notice of Privacy Practices (“Notice”). This Notice describes:

• Our legal duties and privacy practices regarding your PHI, including our duty to notify you following a data breach of your unsecured PHI.

• Our permitted uses and disclosures of your PHI.

• Your rights regarding your PHI.

Contact

If you have any questions about this Notice, please contact Legion Health, PA’s Privacy Officer at privacy@legionhealth.com.

PHI Defined

Your PHI is health information about you which someone may use to identify you and which we keep or transmit in electronic, oral, or written form. It includes information such as your name, contact information, past, present, or future physical or mental health or medical conditions, payment for health care products or services, or prescriptions. It excludes employment records that your employer may hold.

Scope

We create a record of the care and health services you receive to provide your care and to comply with legal requirements. This Notice applies to all PHI that we generate and to any substance use disorder (SUD) records subject to 42 U.S.C. Section 290dd-2 and 42 C.F.R. Part 2 (“Part 2”) that we receive or maintain. We comply with Part 2’s confidentiality rules for such records. When SUD records are disclosed under Part 2, the recipient may be prohibited from redisclosing them unless permitted by Part 2 and other applicable law.

Our workforce members follow the duties and privacy practices described in this Notice and any changes once they take effect.

Changes to this Notice

We can change the terms of this Notice, and the changes will apply to all information we have about you. The new notice will be available on request, in our office, and on our website.

Data Breach Notification

We will promptly notify you if a data breach occurs that may have compromised the privacy or security of your PHI, and in any event, no later than 60 days after discovery, consistent with applicable law. We will notify you in writing by first-class mail or, if you have agreed to electronic notices, by email. In some circumstances, our Business Associates may provide notification. If our contact information for you is insufficient or outdated, we may use an alternative form of notice permitted by law.

Business Associates

We may share PHI with outside vendors that perform services for us, such as billing, IT, analytics, and transcription (“Business Associates”). Business Associates and their subcontractors are required by HIPAA and contract to protect your PHI and may use and disclose it only as permitted by HIPAA and our Business Associate Agreement. Legion Health, Inc. serves as our Business Associate for certain services.

Your Rights

When it comes to your health information, you have certain rights. This section explains your rights and some of our responsibilities to help you.

Get a copy of your PHI. You can ask to see or obtain an electronic or paper copy of PHI we maintain about you (“right of access”). You may also request a summary or explanation of your PHI. We require you to make access requests in writing to Legion Health, PA. We will generally grant or deny access within 30 days, with one 30-day extension if needed and permitted by law. We may charge a reasonable, cost-based fee for copies, mailing, or supplies. You may ask us to send a copy of your PHI to a third party of your choice; requests must clearly identify the recipient and destination. We may deny access in certain limited cases. If we deny your request, we will provide a written explanation and explain your rights to appeal, if applicable, or to file a complaint.

Ask us to correct your medical record. You may ask us to correct, amend, or supplement PHI that we maintain about you that you think is incorrect or inaccurate. You must submit requests in writing, specify the inaccurate or incorrect PHI, and provide a reason that supports your request. We will generally grant or deny your request within 60 days, with one 30-day extension if needed. We may deny your request if the PHI is not part of our records, was not created by us unless the creator is no longer available, is not part of our designated record set, or is accurate and complete.

Ask us to limit what we use or share. You may request that we restrict uses or disclosures of your PHI for treatment, payment, or health care operations, or to certain people involved in your care. Requests must be in writing. We are not required to agree and may decline if it would affect your care. We will agree to restrict disclosure to a health plan for payment or operations if the relevant item or service has been paid in full by you, or another person, out-of-pocket, unless disclosure is otherwise required by law. If we agree, we will comply unless the PHI is needed for emergency treatment or the disclosure is to the U.S. Department of Health and Human Services.

Get a list of disclosures. You may request an accounting of certain disclosures of your PHI for the six years prior to your request, excluding disclosures for treatment, payment, and health care operations and other disclosures exempted by law. Requests must be in writing to Legion Health, PA. The first accounting in a 12-month period is free; we may charge a reasonable, cost-based fee for additional requests. We will include the date, recipient, and purpose of each included disclosure. We will not include disclosures you asked us to make, incidental disclosures, disclosures for national security or intelligence, disclosures to correctional institutions or law enforcement regarding inmates, or disclosures as part of a limited data set.

Choose someone to act for you. If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your PHI. We will confirm the person has this authority and can act for you before we take any action.

Request confidential communications. You may request that we communicate with you about health matters in a certain way or at a certain location, for example only at work or at a specific address. We will accommodate reasonable requests and may require an alternative address or contact method.

Make a complaint. You have the right to complain if you feel we have violated your rights. We will not retaliate against you for filing a complaint. You may file a complaint by writing to: Privacy Officer, Legion Health, PA, 1606 Headway Cir, STE #9779, Austin, TX 78754, or emailing privacy@legionhealth.com. All complaints must be submitted in writing. You may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, at https://www.hhs.gov/ocr/privacy/hipaa/complaints/ or by calling 1-800-368-1019 (TDD 1-800-537-7697).

Get a paper copy of this Notice. You can ask for a paper copy of this Notice at any time, even if you agreed to receive it electronically. We will provide you with a paper copy promptly.

Your Choices

For certain health information, you can tell us your choices about what we share. If you have a clear preference for how we share your information in the situations described below, please contact Legion Health, PA’s Privacy Officer at privacy@legionhealth.com, and we will make reasonable efforts to follow your instructions.

In these cases, you have both the right and the choice to tell us whether to share information, such as your PHI, general condition, or location, with your family, close friends, or others involved in your care, and whether to share information in a disaster relief situation, such as with a relief organization, to assist with locating or notifying your family, close friends, or others involved in your care.

If you are not able to tell us your preference, for example if you are unconscious, we may share your information if we believe it is in your best interest, according to our best judgment. We may also share your information when needed to lessen a serious and imminent threat to health or safety.

In these cases, we will not share your information unless you give us your written permission:

• We will not use or disclose your PHI for marketing communications without your unambiguous permission in written or electronic form, except for communications that are permitted by Texas law. If you orally request a one-time marketing communication, it will be limited to the scope of your oral permission.

• We will not disclose your PHI in exchange for direct or indirect remuneration (the “sale of PHI”) without your authorization, except as allowed for treatment, payment, health care operations, certain insurance/HMO functions, or as otherwise required or authorized by law.

• We will not use or disclose psychotherapy notes without your written authorization, except for the limited circumstances permitted by HIPAA.

• We will not electronically disclose your PHI without your authorization, except for disclosures to another covered entity for treatment, payment, or health care operations, or as otherwise authorized or required by law; we provide notice that your PHI may be subject to electronic disclosure.

• Other uses and disclosures not described in this Notice.

Certain categories of information may receive additional protections under state or federal law, such as HIV test results/diagnosis, genetic information, mental health records, and SUD records subject to 42 C.F.R. Part 2. Where such laws apply, we will obtain any required authorization before using or disclosing this information.

Where permitted by law, we may participate in one or more health information exchanges to share PHI electronically for treatment, payment, or health care operations. You may request to opt out of HIE participation to the extent required or permitted by law; opting out may limit providers’ access to your information.

Other uses and disclosures of your PHI not described in this Notice will be made only with your written authorization, unless permitted or required by law. You may revoke your authorization at any time by writing to us, but it will not affect information we already used or disclosed in reliance on your authorization.

In the case of fundraising, we may contact you for fundraising efforts; you may opt out of further fundraising communications at any time.

Our Responsibilities

We are required by law to maintain the privacy and security of your PHI; provide you with this Notice; follow the terms of the Notice currently in effect; and notify you following a breach of unsecured PHI. We will not use or disclose your PHI other than as described here unless you authorize us in writing. If you authorize us, you may revoke it at any time as described above.

Uses and Disclosures of Your PHI

The law permits or requires us to use or disclose your PHI for various reasons, which we explain in this Notice. We have included some examples, but we have not listed every permissible use or disclosure. When using or disclosing PHI or requesting your PHI from another source, we will make reasonable efforts to limit our use, disclosure, or request about your PHI to the minimum we need to accomplish our intended purpose.

Treatment. We may use or disclose your PHI and share it with other professionals who are treating you, including doctors, nurses, technicians, medical students, or hospital personnel involved in your care. We may disclose your PHI to people outside Legion Health, PA’s office who may be involved in your care. We may use your PHI to contact you as a reminder that you have an appointment for treatment or medical care at Legion Health, PA. For example, we might disclose information about your overall health condition to physicians who are treating you for a specific injury or condition.

Billing and payment. We may use and disclose your PHI to bill and get payment from health plans, insurance companies, or a third party. For example, we share your PHI with your health insurance plan so it will pay for the services you receive.

Running our organization. We may use and disclose protected health information about you for Legion Health, PA’s health care operations, such as our quality assessment and improvement activities, case management, coordination of care, business planning, customer services, and other activities. These uses and disclosures are necessary to run the facility, reduce health care costs, and make sure that all of our patients receive quality care. We may also combine protected health information about many Legion Health, PA patients to decide what additional services Legion Health, PA should offer, what services are not needed, and whether certain new treatments are effective.

Other Uses and Disclosures

We may share your information in other ways, usually for public health or research purposes or to contribute to the public good. For more information on permitted uses and disclosures, see www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html.

Our business associates. We may disclose PHI to our Business Associates who perform services for us, such as billing, IT, analytics, and transcription. Business Associates and their subcontractors are required by law and contract to protect your PHI and to use and disclose it only as permitted by HIPAA and our Business Associate Agreement.

Complying with the law. We will disclose your PHI when required to do so by federal, state, or local law. For example, we will share your PHI if the Department of Health and Human Services requires it when investigating our compliance with privacy laws.

Helping with public health and safety issues. For example, we may share your PHI to report injuries, births, and deaths; prevent disease; report adverse reactions to medications or medical device product defects; report suspected child neglect or abuse, or domestic violence; or avert a serious threat to public health or safety.

Responding to legal actions. For example, we may share your PHI to respond to a court or administrative order or subpoena, discovery request, or another lawful process.

Research. For example, we may share your PHI for some types of health research that do not require your authorization, such as if an institutional review board has waived the written authorization requirement because the disclosure only involves minimal privacy risks.

Working with medical examiners or funeral directors. For example, we may share PHI with coroners, medical examiners, or funeral directors when an individual dies.

Responding to organ and tissue donation requests. For example, we may share your PHI to arrange an authorized organ or tissue donation from you or a transplant for you.

Addressing workers’ compensation, law enforcement, or other government requests. For example, we may use and disclose your PHI for workers’ compensation claims, health oversight activities by federal or state agencies, law enforcement purposes or with a law enforcement official, or specialized government functions, such as military and veterans’ activities, national security and intelligence, presidential protective services, or medical suitability.

The privacy laws of a particular state or other federal laws might impose a more stringent privacy standard. If these more stringent laws apply and are not superseded by federal preemption rules, we will comply with the more stringent law.

Acknowledgment of Receipt

I, ___________________________ (individual’s name), acknowledge that on _________________________ (date), I received a copy of Legion Health, PA’s Notice of Privacy Practices and that I read and understood it. I understand that:

• I have certain rights to privacy regarding my PHI.

• Legion Health, PA can and will use my PHI for purposes of my treatment, payment, and health care operations.

• The Notice explains in more detail how Legion Health, PA may use and share my PHI for other purposes.

• I have the rights regarding my PHI listed in the Notice.

• Legion Health, PA has the right to change the Notice from time to time, and I can obtain a current copy of the Notice by contacting Legion Health, PA’s Privacy Officer at privacy@legionhealth.com.

Signature: _____________________________________________________

Printed Name: _____________________________________________________

Date: _____________________________________________________

Date of Birth: _____________________________________________________

Relationship to Patient: _____________________________________________________

For Office Use Only: Good Faith Effort to Obtain Acknowledgment Form

Name of Patient: _________________________

Date of Birth: _____________________________________________________

I attempted to obtain the patient’s or the patient’s representative’s signature on the HIPAA Notice of Privacy Practices Acknowledgment Form, but was unable to do so as documented below:

Reason: _____________________________________________________

Name: _____________________________________________________

Date: _____________________________________________________

Signature: _____________________________________________________

Ready for Your Next Step?

We're here to support you, whenever you're ready.

Questions?
Text or call (737) 237-2900, or email support@legionhealth.com.

Proudly backed by Y Combinator for innovative, patient-first care. Committed to your privacy and well-being.

© 2026 Legion Health