HIPAA Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
When this Notice of Privacy Practices (“Notice”) refers to “we” or “us,” it is referring to Don’s Pharmacy and all of the pharmacists who provide health care services and the employees of our pharmacy. We are required by law to maintain the privacy of your protected health information (“PHI”), to follow the terms of the Notice currently in effect, to give you this Notice setting forth our legal duties and privacy practices concerning your PHI and to notify affected individuals following a breach of unsecured PHI. This Notice describes how we may use and disclose your PHI. Additionally, this Notice explains the rights you have with respect to your PHI, and certain obligations we must abide by in accordance with the law. We reserve the right to amend this Notice. If we make any material revisions to this Notice, we will post a copy of the revised Notice in the pharmacy, on our website and will offer you a copy of the revised Notice.
- USE AND DISCLOSURE OF YOUR PHI – We will use and disclose your PHI for treatment, payment and health care operations. We may also use your PHI for other purposes that are permitted and/or required by law and pursuant to your written authorization. The following lists examples of how we may use and/or disclose your PHI. Any other uses not described in this Notice will only be made with your explicit written authorization, which you may revoke at any time by providing us with written notice of your revocation.
- Treatment – We may use and disclose your PHI in order to provide you with prescription and supply services. We may disclose your PHI to other pharmacists, pharmacy technicians and health care providers that are involved in your care. You will receive an individual notice and have the opportunity to opt out of any subsidized treatment communications.
- Payment – We will use and disclose your PHI in order to obtain payment for the health care services we provide to you. We may also need to disclose your PHI to receive prior approval from your health plan or to determine if your health plan will cover a certain prescription or service.
- Health Care Operations – We may use and disclose your PHI in connection with the management of our pharmacy. For example, this may include: quality assessment and improvement, internal compliance audits, and performance evaluations. Additionally, we may use your PHI for our business management and general administrative activities.
- Prescription Refill Reminders, Treatment Alternatives or Health-Related Benefits – We may use and disclose your PHI to contact you to remind you about prescription refills, to tell you about treatment options or alternatives, or to inform you about health-related benefits or services that may be of interest to you.
- Family Members, Relatives or Close Friends – Unless you object to such disclosure, we may disclose your PHI to your family members, relatives or close personal friends, or any other persons identified by you as being involved in the treatment or payment for your medical care. If you are not present to agree or object to our disclosure of your PHI to a family member, relative or friend, we may exercise our professional judgment to determine whether the disclosure is in your best interest. If we decide to disclose your PHI, we will only disclose the PHI that is relevant to your treatment or payment.
- Other Permitted and Required Uses and Disclosures – We may use and disclose your PHI without obtaining your authorization and without offering you the opportunity to agree or object as follows:
- as required by law, provided that the use or disclosure complies with, and is limited to, the requirements of the law that requires it;
- to a public health authority that is authorized by law to collect or receive such information, or to a foreign government agency that is acting in collaboration with a public health authority. These public health activities generally include preventing or controlling disease, reporting deaths, reporting adverse effects of medications or problems with products, notification of communicable disease, and reporting abuse or neglect under certain circumstances;
- to a health oversight agency for oversight activities authorized by law, including audits and inspections, and civil, administrative or criminal investigations, proceedings or actions;
- for judicial or administrative proceedings purposes in response to a subpoena, court order, discovery request, etc. but only if efforts have been made to inform you about the request or to obtain an order protecting the information requested;
- to law enforcement to report certain injuries, comply with court orders or warrants or similar process, to identify a suspect, fugitive, missing person or victim or to report a crime;
- to a coroner or medical examiner to perform duties authorized by law such as identification of a deceased person or determining the cause of death;
- to funeral directors, consistent with applicable law, as necessary to carry out their duties;
- to organ procurement organizations or similar entities for the purpose of facilitating organ, eye or tissue donation and transplantation;
- for research purposes provided that certain approvals take place and assurances are given;
- to avert a serious threat to health or safety, so long as the disclosure is only to a person who is reasonably able to prevent or lessen such threat;
- for military and veterans activities (including foreign military personnel) to assure the proper execution of a military mission and to determine eligibility for benefits;
- for national security and intelligence activities for the purpose of conducting lawful intelligence, counter-intelligence and other national security activities;
- for protection of the President and other authorized persons or foreign heads of state or to conduct authorized investigations;
- to a correctional institution or law enforcement custodian if you are an inmate or under custody; and
- to the extent necessary to comply with laws relating to workers’ compensation and work-related injuries.
- YOUR RIGHTS AS OUR PATIENT – As our patient, you have a number of rights associated with your PHI. The following describes your specific rights.
- You have the right to request restrictions or limitations on how we use and/or disclose your PHI. We do not have to agree to your requested restriction or limitation, except that we must agree to a request to restrict disclosures to your health plan of PHI about an item or service that you (or someone other than the health plan on your behalf) paid for in full out-of-pocket, unless the disclosure is required by law. Your written request must specify: (1) whether you would like to restrict or limit our use, our disclosure, or both; (2) what information you want restricted or limited; and (3) to whom the restriction or limitation applies (e.g., spouse).
If we agree to your request, it will not prevent us from disclosing your PHI as follows: (1) to you if you request access or an accounting of disclosures; (2) for purposes required or permitted by law; or (3) in case of an emergency.
- You have the right to receive confidential communications concerning your PHI by alternative means or via alternative locations. For example, you may want to receive communications related to your prescriptions at a different address other than your home address. If you wish to receive confidential communications via alternative means or locations, please submit your request in writing to the Privacy Officer and set forth the alternative means by which you wish to receive communications or the alternative location at which you wish to receive such communications. We will accommodate all reasonable requests.
- You have the right to access, inspect and obtain a copy of your PHI, including any electronic PHI; provided, however, you are not entitled to access certain PHI exempted under HIPAA (for example, psychotherapy notes or information compiled in anticipation of a legal proceeding). To the extent we maintain electronic PHI, upon request we will provide you with a copy in the electronic format you request if it is readily producible, and otherwise in a readable electronic format agreed upon with you. If we do not have your PHI in our possession, we will provide you with the appropriate contact information when your request is received. If you request a copy of your PHI, we will respond within the time required by law (generally thirty (30) days), but we may charge you a reasonable, cost-based fee to cover copying costs and postage. In some limited circumstances, we may deny your request for access to PHI, in which case you may request that the denial be reviewed. If access is ultimately denied, you are entitled to a written explanation of the reason(s) for the denial.
- You have the right to receive an accounting of disclosures of your PHI made by us, including disclosures to or by our business associate(s), for the six (6) years prior to the date on which you request the accounting, or such shorter period as you indicate. The first accounting you request in any twelve-month period is free of charge; thereafter, we may charge you a reasonable, cost-based fee for each subsequent request within the same twelve-month period. We will notify you of the cost of an accounting of disclosures in advance, and you may choose to withdraw or modify your request before we charge you.
- If you believe we have PHI about you that is incorrect or incomplete, you may make a written request to us for an amendment, stating the reasons that support the requested amendment. You have the right to request an amendment for so long as we maintain your PHI. If we do not have your PHI in our possession, we will provide you with the appropriate contact information when we receive your request. We will respond to your request for an amendment after we receive it. However, we may deny your request if, for example, we determine that the PHI you asked us to amend was not created by us, is not part of the records we maintain, or is already accurate and complete. You may respond to our denial by filing a written statement of disagreement, and we have the right to prepare a rebuttal to your statement. If this occurs, you have the right to request that your original request, our denial, your statement of disagreement and our rebuttal be included with any future disclosures of the PHI in question.
- You have the right at any time to obtain a paper copy of this Notice, even if you receive this Notice electronically. If you have received an electronic copy of this Notice, but wish to obtain a paper copy of this Notice, please send your request in writing to the Privacy Officer at the address listed below.
- You have the right to opt-out of fundraising and your PHI will not be used for fundraising purposes or sold without your prior authorization.
- ADDITIONAL INFORMATION/QUESTIONS OR COMPLAINTS
- If you need any additional information about this Notice or wish to exercise any of your rights set forth in this Notice, please contact the Privacy Officer at the following address: Don’s Pharmacy, 8609 West Markham, Suite A, Little Rock, Arkansas 72205; Fax: 501-225-8683.
- If you believe your privacy rights have been violated, you may file a complaint with us or with the Secretary of the Department of Health and Human Services. We will not retaliate against you for filing a complaint.
- BREACH NOTIFICATION POLICY
- Because the Pharmacy maintains, accesses, stores, destroys and otherwise uses and discloses PHI, the Pharmacy must notify individuals if any of their “unsecured PHI” has been, or is reasonably believed to have been, accessed, acquired, used or disclosed as a result of a breach of information maintained by the Pharmacy. A “breach” means the acquisition, access, use or disclosure of PHI in a manner not permitted by the Privacy Rule which compromises the security or privacy of the PHI.
- A breach is treated as discovered by the Pharmacy on the first day it is known to the Pharmacy, or on which the Pharmacy would have known of it by exercising reasonable diligence. Knowledge of a breach by any Workforce Member (other than the person who committed it) is treated as knowledge by the Pharmacy; therefore, if any Workforce Member suspects or learns of a breach, s/he must immediately report it to the Privacy Officer.
- Notification to the affected individuals must be made without unreasonable delay, and in no case later than sixty (60) calendar days after the discovery of the breach. The sixty-day period runs from the date of discovery, not from the completion of the risk assessment.
- Workforce Members must report any suspected breach to the Privacy Officer immediately upon becoming aware of it.
- If any data is believed to be compromised or any Workforce Member believes that a breach has occurred, the Pharmacy, in coordination with the Privacy Officer and the Security Officer, must perform a risk assessment to identify the individuals whose information is believed to have been breached, the extent of the harm to the individuals and the source of the breach.
- If the Privacy Officer, Security Officer and any designee(s) determine that the action did not constitute a breach or require notification because:
(1) The acquisition, access or use of PHI by a Workforce Member or a person acting under the authority of the Pharmacy was unintentional, was made in good faith and within the scope of that person’s authority, and did not result in further use or disclosure in a manner not permitted under the Privacy Rule;
(2) There was an inadvertent disclosure of PHI from one person authorized to access PHI at the Pharmacy to another person authorized to access the PHI at the Pharmacy, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule; or
(3) There was a disclosure of PHI to an unauthorized person but the Privacy Officer and the Security Officer have a good faith belief that such person would not reasonably have been able to retain such information.
No further action need be taken other than to document such incident for compliance purposes.
- If the Privacy Officer and Security Officer determine that a breach has occurred, they, in consultation with their designee(s), will perform a fact-based risk assessment to identify the nature and extent of the PHI involved, including types of identifiers and the likelihood of re-identification; the unauthorized person who used the PHI or to whom the disclosure was made; whether the PHI was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated.
- The Privacy Officer and Security Officer must determine through the fact-based risk assessment whether there is a low probability that the PHI has been compromised. An impermissible acquisition, access, use or disclosure of PHI is presumed to be a breach unless the risk assessment demonstrates such a low probability.
(1) If there is a low probability that PHI has been compromised based on a risk assessment of the factors listed in the preceding paragraph, then notification to the affected individual(s) is not required. The incident and the risk assessment must still be properly documented for compliance purposes.
(2) Otherwise, following the discovery of a breach of unsecured PHI, the Pharmacy, in coordination with the Privacy Officer, must contact the affected individual(s). The Privacy Officer must promptly prepare a notice to the individual(s) utilizing the attached template. (See attached Appendix A.)
- The Privacy Officer or a designee will send the notice to each individual whose unsecured PHI has been breached by first-class mail to the individual’s last known address, or by e-mail if the individual has previously agreed to receive such notices by e-mail.
- If the Pharmacy does not have sufficient contact information for some or all of the affected individuals, or if some notices are returned as undeliverable, the Pharmacy must provide substitute notice for those affected individuals:
(1) If fewer than ten (10) of the affected individuals cannot be located or their notices are returned as undeliverable, the Privacy Officer may contact those individuals through an alternative form of written notice, by telephone, or by other means.
(2) If ten (10) or more affected individuals cannot be located or their notices are returned as undeliverable, the Pharmacy, in coordination with the Privacy Officer, must use a substitute notice such as: (i) a conspicuous posting on the home page of the Pharmacy’s website for a period of ninety (90) days; or (ii) conspicuous notice in major print or broadcast media in the geographic areas where the affected individuals are likely to reside, which may include a press release to a local newspaper or a local television outlet. In either case the substitute notice must include a toll-free telephone number, active for at least ninety (90) days, that individuals can call to learn whether their unsecured PHI may be included in the breach.
- For a breach affecting more than five hundred (500) individuals, the Pharmacy, in coordination with the Privacy Officer, must:
(1) Where more than five hundred (500) residents of a State or jurisdiction are affected, provide notice to prominent media outlets serving that State or jurisdiction without unreasonable delay and no later than sixty (60) calendar days after the discovery of the breach. Such notice may include a press release to a local newspaper or a local television outlet.
(2) Provide notice to the Secretary, HHS, contemporaneously with the notice to affected individuals and no later than sixty (60) calendar days after the discovery of the breach, utilizing the attached template. (See attached Appendix B for required form.)
- If notification is urgent because of possible imminent misuse of the unsecured PHI, notice may also be given by telephone or other means; such notice is in addition to, not a substitute for, the written notice.
- The Privacy Officer maintains documentation of the extent of each breach, the affected individuals and the steps taken to notify and mitigate harm.
- For breaches of unsecured PHI involving fewer than five hundred (500) individuals, the Privacy Officer must maintain a log or other documentation of such breaches and, not later than sixty (60) days after the end of each calendar year, provide notification to the Secretary, HHS, of the breaches discovered during the preceding calendar year.
- The Privacy Officer must coordinate with the Security Officer and the Pharmacy to correct and rectify the source of the breach to prevent further breaches of unsecured PHI.
* Breach notification requirements apply only to PHI that is unsecured. The HITECH Act defines “unsecured protected health information” as “protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.” The only technology approved is encryption, and the only methodology approved is destruction of the PHI by means that render it indecipherable, unreadable and unusable by unauthorized individuals (for paper, shredding or pulverizing; for electronic media, clearing, purging or physically destroying the media consistent with NIST Special Publication 800-88). Remember, the term “unsecured PHI” can include information in any form or medium, including electronic, paper or oral form. Only PHI that is encrypted in a manner consistent with the Secretary’s guidance, both at rest and in transit, and whose decryption key has not itself been compromised, falls within the safe harbor; a pharmacy that maintains PHI in that manner, until the PHI is properly destroyed, is relieved from having to notify patients if that PHI is breached. Please note that compliance with the HIPAA Security Rule does not by itself guarantee that electronic PHI has been encrypted in a manner sufficient to meet the requirements of the breach notification safe harbor: the Security Rule treats encryption as an “addressable” specification that may be met by alternative safeguards, whereas the safe harbor requires encryption that actually meets the guidance (for example, data at rest encrypted consistent with NIST Special Publication 800-111).