Center of Behavioral Therapy and Consultation for OCD and Anxiety, a Psychological Corporation
Danielle Cooper, PhD
626-493-2165
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU, AS MY PATIENT, MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
MY PLEDGE REGARDING PROTECTED HEALTH INFORMATION:
I understand that protected health information (“PHI”) about you and your health care is personal. I am committed to protecting health information about you. I create a record of the care and services you receive from me. I need this record to provide you with quality care and to comply with certain legal requirements. This notice applies to all of the records of your care generated by this mental health care practice.
This notice will tell you about the ways in which I may use and disclose health information about you. Use of PHI means when I share, apply, utilize, examine, or analyze information. PHI is disclosed when I release, transfer, give, or otherwise reveal it to a third party outside this practice. With some exceptions, I may not use or disclose more of your PHI than is necessary to accomplish the purpose for which the use or disclosure is made; however, I am always legally required to follow the privacy practices described in this Notice. I also describe your rights to the health information I keep about you, and describe certain obligations I have regarding the use and disclosure of your health information. I am required by law to:
• Make sure that PHI that identifies you is kept private.
• Give you this notice of my legal duties and privacy practices with respect to health information.
• Follow the terms of the Notice that is currently in effect.
To help clarify certain terms, here are some definitions.
• “PHI” or “Protected Health Information” refers to information in your health record that could identify you. This includes data about your past, present, or future health or condition, the provision of health care services to you, and the payment for such health care. Records may include: reasons you came for treatment; your history, such as things that happened to you throughout your life, your school and work experiences, and your relationships; diagnoses; records I get from others who treated you; information about medications you took or are taking; progress notes; and a treatment plan.
• “Treatment and Payment Options”:
o Treatment is when I provide, coordinate, or manage your healthcare and other services related to your healthcare. An example of treatment would be when I consult with another healthcare provider, such as your family physician or another psychologist, regarding your treatment.
o Payment is when I obtain reimbursement for your healthcare. Examples of payment are when I disclose your PHI to your health insurer to obtain reimbursement for your health care or to determine eligibility or coverage.
o Health Care Operations is when I disclose your PHI to your health care service plan (for example your health insurer), or to your other health care providers contracting with your plan, for administering the plan, such as case management and care coordination.
• “Use” applies only to activities within my clinic such as sharing, employing, applying, utilizing, examining and analyzing information that identifies you.
• “Disclosure” applies to activities outside of my office such as releasing, transferring, or providing access to information about you to other parties.
• “Authorization” means written permission for specific uses or disclosures.
I can change the terms of this Notice and my privacy policies at any time as permitted by law, and such changes will apply to all information I have about you. The new Notice will be available upon request. If you have any questions, I am happy to help you understand my procedures and your rights.
ELECTRONIC RECORDS AND ELECTRONIC PROTECTED HEALTH INFORMATION (ePHI)
The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information. The Security Rule protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information “electronic protected health information” (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing.
Electronic records are subject to similar concerns and requirements as paper records. I keep electronic medical records on each patient within the SimplePractice portal. The 2005 HIPAA Security Rule provides specific guidance on managing electronic protected health information. It applies to practitioners who must comply with HIPAA and who store or transmit such information. The rule requires that I take special care in maintaining electronic records and that I conduct a risk analysis of specified issues and security measures appropriate for the practice. SimplePractice makes reasonable efforts to maintain its service in a manner that includes appropriate administrative, technical and physical security measures designed to protect the confidentiality, availability and integrity of ePHI as required by HIPAA. For instance, the database is fully encrypted on secure servers that are monitored 24/7, strong passwords are required and changed frequently, and all actions are logged, which offers a strong audit trail. For more information about how SimplePractice secures PHI, please visit their website.
I maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI, including: (1) Ensuring the confidentiality, integrity, and availability of all e-PHI that I create, receive, maintain or transmit; (2) Identifying and protecting against reasonably anticipated threats to the security or integrity of the information; and (3) Protecting against reasonably anticipated, impermissible uses or disclosures.
WORKSTATION, DEVICE SECURITY, AND TECHNICAL SAFEGUARDS
I implement policies and procedures to specify proper use of and access to workstations and electronic media. I have policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information. I also have several technical safeguards to protect your health information including:
• Access Control. I implement technical policies and procedures that allow only authorized persons to access electronic protected health information (ePHI).
• Audit Controls. I implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use ePHI.
• Integrity Controls. I implement policies and procedures to ensure that ePHI is not improperly altered or destroyed.
• Transmission Security. I implement technical security measures that guard against unauthorized access to ePHI that is being transmitted over an electronic network.
II. HOW I MAY USE AND DISCLOSE HEALTH INFORMATION ABOUT YOU:
The following categories describe different ways that I use and disclose health information. For each category of uses or disclosures I will explain what I mean and try to give some examples. Not every use or disclosure in a category will be listed. Some of the uses or disclosures will require your prior written authorization (i.e., completion of the Release of Information form); others, however, will not. However, all of the ways I am permitted to use and disclose information will fall within one of the categories.
A. Uses and Disclosures Related to Treatment, Payment, or Health Care Operations Do Not Require Your Prior Written Consent. Federal privacy rules (regulations) allow health care providers who have a direct treatment relationship with the patient to use or disclose the patient’s personal health information without the patient’s written authorization, to carry out the health care provider’s own treatment, payment or health care operations. I may use and disclose your PHI without your consent for the following reasons:
1. For treatment. I may also disclose your protected health information for the treatment activities of another health care provider involved in your care. This too can be done without your written authorization. For example, if I were to consult with another licensed health care provider such as a psychiatrist about your condition, I would be permitted to use and disclose your personal health information, which is otherwise confidential, in order to assist the clinician in diagnosis and treatment of your mental health condition. Disclosures for treatment purposes are not limited to the minimum necessary standard because therapists and other health care providers need access to the full record and/or full and complete information in order to provide quality care. The word “treatment” includes, among other things, the coordination and management of health care providers with a third party, consultations between health care providers, and referrals of a patient for health care from one health care provider to another.
2. For health care operations. I may disclose your PHI to facilitate the efficient and correct operation of this practice. For example, I might use your PHI in the evaluation of the quality of health care services that you have received. I may also provide your PHI to attorneys, accountants, consultants, and others to make sure that I am in compliance with applicable laws.
3. To obtain payment for treatment. I may use and disclose your PHI to bill and collect payment for the treatment and services I have provided to you. For example, I might send PHI to your insurance company (e.g., to file claims or complete treatment plans), claims processing companies, and others that process health care claims from my office.
B. Certain Other Uses and Disclosures Do Not Require Your Authorization. Subject to certain limitations in the law, I can use and disclose your PHI without your Authorization for the following reasons:
1. When disclosure is required by local, state, or federal law, and the use or disclosure complies with and is limited to the relevant requirements of such law. If you are involved in a lawsuit or administrative proceeding, I may disclose health information in response to a court or administrative order to the appropriate officials when a law requires me to report information to government agencies, law enforcement personnel, and/or in an administrative proceeding. I may also disclose health information about you in response to a subpoena, discovery request, or other lawful process by someone else involved in a dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested.
2. To avoid harm. I may provide PHI to law enforcement personnel or persons able to prevent or mitigate a serious threat to the health or safety of a person or the public (i.e., adverse reaction to medications). Additionally, your consent is not required if you need emergency treatment provided that I attempt to get your consent after treatment is rendered. In the event I try to get your consent but you are unable to communicate with me (e.g., if you are unconscious or in severe pain), but I think you would consent to such treatment if you could, I may disclose your PHI. When I do share information in an emergency, I will tell you as soon as I can. If you do not approve, I will stop, as long as it is not against the law. The disclosure may also be compelled or permitted by the fact that you are in such mental or emotional condition as to be dangerous to yourself or the person or property of others, and if I determine that disclosure is necessary to prevent the threatened danger.
3. If disclosure is mandated by the California Child Abuse and Neglect Reporting law. For example, if I have a reasonable suspicion of child abuse or neglect.
4. If disclosure is mandated by the California Elder/Dependent Adult Abuse Reporting law. For example, if I have a reasonable suspicion of elder abuse or dependent adult abuse.
5. For public health activities. Example: In the event of your death, if a disclosure is permitted or compelled, I may need to give the county coroner or medical examiner information about you.
6. For health oversight activities. Example: I may be required to provide information to assist the government in the course of an investigation or inspection of a health care organization or provider.
7. For specific government functions. I may disclose PHI for national security purposes.
8. For research purposes. In certain circumstances, I may provide PHI in order to conduct medical research, such as studying and comparing the mental health of patients who received one form of therapy versus those who received another form of therapy for the same condition.
9. For Workers’ Compensation purposes. Although my preference is to obtain an Authorization from you, I may provide your PHI in order to comply with workers’ compensation laws.
10. Appointment reminders and health related benefits or services. Examples: I may use PHI to provide appointment reminders. I may use PHI to give you information about alternative treatment options, or other health care services or benefits I offer.
11. If disclosure is required or permitted to a health oversight agency for oversight activities authorized by law. Example: When compelled by U.S. Secretary of Health and Human Services to investigate or assess our compliance with HIPAA regulations.
12. For law enforcement purposes, including reporting crimes occurring on my premises.
13. If disclosure is otherwise specifically required by law.
III. CERTAIN USES AND DISCLOSURES REQUIRE YOU TO HAVE THE OPPORTUNITY TO OBJECT.
1. Disclosures to family, friends, or others. I may provide your PHI to a family member, friend, or other person that you indicate is involved in your care or the payment for your health care, unless you object in whole or in part. The opportunity to consent may be obtained retroactively in emergency situations.
2. Other Uses and Disclosures Require Your Prior Written Authorization. In any other situation not described in Sections IIA, IIB, and III above, I will request your written authorization before using or disclosing any of your PHI. Even if you have signed an authorization to disclose your PHI, you may later revoke that authorization, in writing, to stop any future uses and disclosures (assuming that I haven’t taken any action subsequent to the original authorization) of your PHI. You may not revoke an authorization if the authorization was obtained as a condition of obtaining insurance coverage, and the law provides the insurer the right to contest the claim under the policy.
IV. YOU HAVE THE FOLLOWING RIGHTS WITH RESPECT TO YOUR PHI:
1. The Right to Request Limits on Uses and Disclosures of Your PHI. You have the right to ask me not to use or disclose certain PHI for treatment, payment, or health care operations purposes. While I will consider your request, I am not legally bound to agree. If I do agree to your request, I will put those limits in writing and abide by them except in emergency situations. You do not have the right to limit the uses and disclosures that I am legally required or permitted to make.
2. The Right to Request Restrictions for Out-of-Pocket Expenses Paid for In Full. You have the right to request restrictions on disclosures of your PHI to health plans for payment or health care operations purposes if the PHI pertains solely to a health care item or a health care service that you have paid for out-of-pocket in full.
3. The Right to Choose How I Send PHI to You. You have the right to ask me to contact you in a specific way (for example, home or office phone) or to send mail to a different address, and I will agree to all reasonable requests.
4. The Right to See and Get Copies of Your PHI. In general, you have the right to get an electronic or paper copy of your medical record and other information that I have about you. Under certain circumstances, I may feel that your request may be denied, but if I do, I will give you, in writing, the reasons for the denial. I will also explain your right to have our denial reviewed. Otherwise, I will provide you with a copy of your record, or a summary of it, if you agree to receive a summary, within 30 days of receiving your written request, and I may charge a reasonable, cost based fee for doing so, not more than $0.25 per page.
5. The Right to Get a List of the Disclosures I Have Made. You have the right to request a list of instances in which I have disclosed your PHI for purposes other than treatment, payment, or health care operations, for which you provided me with an Authorization, for national security purposes, or to corrections or law enforcement personnel. I will respond to your request for an accounting of disclosures within 60 days of receiving your request. The list I will give you will include disclosures made in the last six years unless you request a shorter time. The list will include the date of the disclosure, to whom PHI was disclosed (including their address, if known), a description of the information disclosed, and the reason for the disclosure. I will provide the list to you at no charge, but if you make more than one request in the same year, I will charge you a reasonable cost based fee for each additional request.
6. The Right to Correct or Update Your PHI. If you believe that there is a mistake in your PHI, or that a piece of important information is missing from your PHI, you have the right to request that I correct the existing information or add the missing information. Your request and the reason for the request must be made in writing. You will receive a response within 60 days of my receipt of your request. I may deny your request, in writing, if I find that: the PHI is (a) correct and/or complete, (b) forbidden to be disclosed, (c) not part of my records, or (d) written by someone other than me. My denial must be in writing and must state the reasons for the denial. It must also explain your right to file a written statement objecting to the denial. If you do not file a written objection, you still have the right to ask that your request and my denial be attached to any future disclosures of your PHI. If I approve your request, I will make the change(s) to your PHI. Additionally, I will tell you that the changes have been made, and I will advise all others who need to know about the change(s) to your PHI.
7. The Right to Get a Paper or Electronic Copy of this Notice. You have the right to get a paper copy of this Notice, and you have the right to get a copy of this notice by e-mail. And, even if you have agreed to receive this Notice via e-mail, you also have the right to request a paper copy of it.
V. HOW TO COMPLAIN ABOUT MY PRIVACY PRACTICES
If, in your opinion, I may have violated your privacy rights or if you object to a decision I made about access to your PHI, you are entitled to file a complaint with Dr. Danielle Cooper by calling 626-493-2165 or e-mailing drdaniellecooper@cbtcoa.com. You may also send a written complaint to the Secretary of the Department of Health and Human Services at 200 Independence Avenue S.W. Washington, D.C. 20201. If you file a complaint about my privacy practices, I will take no retaliatory action against you.
EFFECTIVE DATE OF THIS NOTICE
This notice went into effect on July 15, 2024.
Acknowledgement of Receipt of Privacy Notice
Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), you have certain rights regarding the use and disclosure of your protected health information. By checking the box below, you are acknowledging that you have received a copy of the HIPAA Notice of Privacy Practices.
BY SIGNING BELOW I AM AGREEING THAT I HAVE READ, UNDERSTOOD AND AGREE TO THE ITEMS CONTAINED IN THIS DOCUMENT.