Riverchase Dermatology and Cosmetic Surgery d/b/a DermConnect™
P.O. Box 111389
Naples, FL 34110
NOTICE OF PRIVACY PRACTICES
This Notice applies to the DermConnect® Service (“DC Service”) for the website located at http://dermconnect.riverchasedermatology.com (“Website”) administered by DermConnect (“DC” or “Administration”). The DC Service provides telehealth dermatology services through the Website.
DC is required by law as a business associate of the participating dermatologists (“Participants”) to maintain the privacy of Protected Health Information (“PHI”) and to provide individuals with notice of its legal duties and privacy practices. This Notice explains the following: 1) the uses and disclosures of your PHI which may be made by DC or its designee; 2) your individual rights; and 3) DC’s legal duties pertaining to your PHI.
PHI means individually identifiable information created or received by DC or its designee that relates to your past, present, or future physical or mental health or condition, the provision of health care to you, or the past, present, or future payment for the provision of health care to you.
By submitting your information to the DC Service using the Website in order to request telehealth dermatology services, your PHI will be made available online through the DC Service and the Website. Participants will have access to your PHI by using the DC Service through the Website to review your request for telehealth dermatology services. DC will have access to your PHI as the Administration of the DC Service. DC’s designated payment processor will have access to your PHI for use in connection with payment related activities. Other third parties may have access to your PHI either to fulfill healthcare operations of the Participants or as a result of a valid authorization which you have granted.
The effective date of this Notice is 09/30/2014. DC is required to abide by the terms of this Notice which are currently in effect, but reserves the right to change its privacy practices as required or permitted by the privacy regulations of the Health Insurance Privacy and Accountability Act of 1996 (“HIPAA Privacy Rule”) and other applicable law. DC also reserves the right to revise and distribute this Notice whenever there is a material change to the uses or disclosures of PHI, your individual rights pertaining to your PHI, DC’s legal duties, or DC’s privacy practices.
Minimum Necessary. DC has implemented policies and procedures which limit how much PHI is used, disclosed, and requested for certain purposes. These policies and procedures reasonably limit who within DC has access to PHI, and under what conditions, based on who needs access to perform their job duties for DC. Certain incidental uses and disclosures of PHI are permitted since DC has reasonable safeguards and minimum necessary policies and procedures to protect your privacy. The minimum necessary standard does not apply to disclosures among health care providers for treatment purposes.
When using or disclosing PHI or when requesting PHI from another entity covered under the HIPAA Privacy Rule, DC will make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request unless any of the following apply: (i) the uses, disclosures, or requests are made by a health care provider for treatment; (ii) the uses or disclosures are provided to you as permitted under the HIPAA Privacy Rule; (iii) the disclosures are made pursuant to a valid written authorization; (iv) the disclosures are made to the Secretary of the U.S. Department of Health and Human Services; (v) the uses or disclosures are required by law; or (vi) the uses or disclosures are required for compliance with the HIPAA Privacy Rule.
Incidental Uses and Disclosures Permitted. The HIPAA Privacy Rule permits certain incidental uses and disclosures of PHI which may occur as a by-product of another permissible or required use or disclosure since DC has in place reasonable safeguards and minimum necessary policies and procedures to protect your privacy. An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the HIPAA Privacy Rule.
DC will use or disclose your PHI for treatment, payment, or health care operations. Disclosures are made to others who are subject to the HIPAA Privacy Rule and who are also involved in your health care or with vendors, agents, or subcontractors with whom we have contracted to assist us in providing health care services.
DC may also use or disclose your PHI without your authorization and without giving you an opportunity to agree or object in the following instances:
• When required by law;
• For public health activities and purposes as authorized by law to collect or receive such information (e.g., public health agency requesting statistics concerning a chronic disease);
• For cases of abuse or neglect (e.g., to a government agency, social service agency, or protective services agency);
• For health oversight activities to a public health authority (e.g., audit by an agency);
• For judicial and administrative proceedings (e.g., subpoena or court order);
• For a law enforcement purpose to a law enforcement official;
• For workers’ compensation purposes (e.g., DC may need to report information which is relevant to any job-related injuries that by state law are deemed to be involved in workers’ compensation coverage);
• For sharing a limited data set with third parties, subject to a data use agreement;
• For specific government requirements or emergencies (e.g., national security and intelligence activities);
• To avert serious threat or safety (e.g., in an emergency);
• To business associates who perform services on behalf of DC;
• When required by the Secretary of the U.S. Department of Health and Human Services to investigate HIPAA compliance; and
• When contacting you about health-related benefits and services that may be of interest to you, where applicable.
Other uses and disclosures of your PHI will be made only with your written authorization, such as sharing your PHI obtained by DC or its designees with certain third parties. If you give DC written authorization to use or disclose your PHI for a purpose that is not described in this Notice, then you may revoke it in writing at any time unless: (1) DC has taken action in reliance on your authorization; or (2) the authorization was obtained as a condition of obtaining insurance coverage and other law provides the insurer with the right to contest a claim under the policy or the policy itself provides for such a right.
As permitted by the HIPAA Privacy Rule, DC may use de-identified information (which consists of information which does not identify any individual) for any use or disclosure in its sole and exclusive discretion. De-identified information is not PHI and therefore is not subject to any protections under the HIPAA Privacy Rule.
Right to Receive Confidential Communications. You have the right to request that DC communicate your PHI to you through alternate means (e.g., alternate address or mode of communication). DC will accommodate reasonable requests from you to receive communications of PHI from DC by alternative means or at alternative locations. Electronic communications such as e-mail and facsimile are not completely secure. DC is not responsible for incorrect e-mail addresses or facsimile numbers.
Right to Access Your PHI. You generally have the right of access to inspect and obtain a copy of your PHI which DC collects or maintains in its files.
Providing access to PHI if the request is granted. DC will provide the access requested, including inspection or obtaining a copy of your PHI. DC will provide you with access to your PHI in the form or format requested if feasible, in a readable hardcopy form, or another form as agreed by DC and you.
DC may provide you with a summary of your PHI in lieu of providing access to your PHI or may provide an explanation of your PHI if you agree in advance to such summary or explanation and you agree in advance to the fees imposed, if any, by DC for such summary or explanation.
DC will provide you with access to your PHI within thirty (30) days after receipt of the request if your PHI is maintained on site or within sixty (60) days if maintained off-site. DC will arrange with you a convenient time and place to inspect or obtain a copy or otherwise mail you a copy of your PHI at your request. DC may charge you for the cost of copying the materials and any postage involving your requested PHI. DC may discuss with you the scope, format, and other aspects of your request as necessary to process your request.
DC will not provide you access, however, to certain PHI, namely, information compiled for use in civil, criminal, or administrative proceedings, and health information that is covered by federal laws governing clinical laboratories.
Legal duties of DC for denial of access to PHI. If DC denies access to PHI, in whole or in part, then DC will do the following:
• Make other PHI that was requested accessible to the extent possible;
• Provide a timely, written denial to you within thirty (30) days after receipt of the request if your PHI is maintained on-site or within sixty (60) days if maintained off-site. But, if DC is unable to comply with this time frame, then DC may extend the time for thirty (30) days from the initial time period. However, in such a case, DC will provide you with a written statement of the reasons for the delay and the date by which DC will complete its action on the request within the initial time period.
• The denial will be written in plain language and will include the basis for the denial. If the denial is reviewable, then the denial will provide a statement of your rights to have the denial reviewed and include a description of how you may complain to DC either through its procedures or the procedures as designated by the Secretary of the U.S. Department of Health and Human Services. The denial will also provide the name, or title, and telephone number or office, where applicable.
Other duties of DC regarding access to PHI. If DC does not maintain your PHI that is the subject of your request for access and DC knows where the requested PHI is maintained, then DC will inform you of where to direct the request for access to your PHI.
Reviewable grounds for denial of access to PHI. DC may deny you access for any of the following reasons; however, you will have the right to have the denial reviewed in the following instances:
• A licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of yourself or another person;
• Your PHI makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person; or
• The request for access is made by your personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to you or another person.
Review of denial regarding access to PHI. If your request is denied and the grounds for denial are reviewable, then you have the right to have the denial reviewed by a licensed health care professional who is designated by DC to act as a reviewing official and who did not participate in the original decision to deny access to your PHI. DC will provide you with instructions for requesting a review of the denial (if the grounds are reviewable). DC will either provide access or deny access in accordance with the determination of the reviewing official.
Right to Amend PHI. You have the right to request that DC amend your PHI or a record about you so long as DC maintains your PHI in the designated record set. Any request must be made in writing and you must provide a reason to support a requested amendment. DC will act on your request within sixty (60) days after the receipt of such a request. If it cannot comply with the request within the initial sixty (60) days, then it may extend the time for an additional thirty (30) days provided that DC has informed you in writing of the reasons for the delay and the date by which DC will act on your request. DC may grant or deny your request to amend your PHI.
Grant of the amendment. If DC grants your request to amend your PHI, then it will obtain from you an identification of relevant persons (or entities) with whom the amendment needs to be shared. DC will also make the appropriate amendment to your PHI or record that is the subject of the request for amendment by, at minimum, identifying the records in the designated record set that are affected by the amendment and appending or otherwise providing a link to the location of the amendment.
Denial of the amendment. If DC denies your request to amend your PHI, then the denial will be written in plain language and contain the basis for the denial. The denial will include a description of your right to disagree with the denial and how you may submit a statement of disagreement. DC may prepare a written rebuttal to your statement of disagreement and provide you with a copy.
However, if you choose not to submit a statement of disagreement, then you may request that DC provide your request for amendment and the denial with any future disclosure of your PHI that is subject to the amendment.
Right to Receive an Accounting of PHI Disclosures. You have the right to request an accounting of disclosures of PHI made by DC in the six (6) years prior to the date of your request except in the following instances (unless otherwise required by law):
• To carry out treatment, payment and health care operations;
• To you about your own PHI;
• Incident to a permitted or required use or disclosure;
• Pursuant to an authorization;
• To persons involved in your care or for other notification purposes;
• For national security or intelligence purposes;
• Occurred prior to the HIPAA compliance date for DC;
• To correctional institutions or law enforcement officials in custodial situations; or
• As part of a limited data set in accordance with 45 CFR 164.514(e).
Suspension of individual right to receive an accounting of certain disclosures which are made to a health oversight agency or law enforcement officials. DC will suspend your individual right to receive an accounting of certain disclosures to a health oversight agency or law enforcement official if the agency or official provides DC with a written statement that the accounting would be reasonably likely to impede the agency’s activities and specifies the time for which the suspension is required.
However, if the agency or official statement as described above is made orally, then DC will: (1) document the statement, including the identity of the agency or official making the statement; (2) temporarily suspend your right to an accounting of disclosures subject to the statement; and (3) limit the temporary suspension to no longer than thirty (30) days from the date of the oral statement, unless a written statement as described above is submitted during that time.
When accounting will be provided. DC generally will act on the request for an accounting no later than sixty (60) days after receipt. However, if DC cannot act on the request within this period of time, it will send you a written explanation of why it cannot act on the request within the timeframe and also the date by which it will act on the request.
Fees that may be charged for an accounting. DC will provide the first accounting to you in any twelve (12) month period without charge. However, DC may impose a reasonable, cost-based fee for each subsequent request for an accounting by you within the twelve (12) month period, provided that DC has informed you in advance of the fee and provides you with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or otherwise reduce the fee.
Right to Copy of Notice. You have the right to obtain a copy of this Notice upon request even if you agreed to receive the Notice electronically.
Procedure for Exercising Your Rights. If you want to exercise any of the rights described in this Notice, please contact the Privacy Officer using the contact information listed below. The Privacy Officer will give you the necessary information and forms for you to complete and return. In some cases, you may be charged a cost-based fee to carry out your request.
A Note Regarding Your Personal Representative. Your rights may be exercised by a person who qualifies as your personal representative in accordance with 45 CFR 164.502(g). If under applicable law a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, DC will treat such person as a personal representative with respect to PHI relevant to such personal representation.
Exceptions may apply in certain circumstances involving minor children and in cases involving suspected domestic violence, abuse or neglect by the personal representative such as when DC has a reasonable belief that the individual has been or may be subjected to domestic violence, abuse, or neglect by such person or treating such person as the personal representative could endanger the individual and DC, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual’s personal representative.
If you believe your privacy rights have been violated by DC, you have the right to file a complaint with DC’s Privacy Officer or the Secretary of the U.S. Department of Health and Human Services. You will not be retaliated against if you choose to file a complaint with DC or with the U.S. Department of Health and Human Services. You may also contact DC’s Privacy Officer to request additional copies of this Notice or to receive more information about the matters covered by this Notice, and to review a denial of access of PHI.
Contacting the Privacy Officer.
Riverchase Dermatology and Cosmetic Surgery d/b/a DermConnect
Attn: Privacy Officer
P.O. Box 111389
Naples, FL 34110
Contacting Health and Human Services. If you wish to file a complaint, you may do so by either sending the complaint to the appropriate Office of Civil Rights Regional office or Office of Civil Rights headquarters; alternatively, you may file a complaint online at the www.hhs.gov website.
Receipt of Notice of Privacy Practices
Riverchase Dermatology and Cosmetic Surgery is registered to do business as DermConnect. This Receipt of Notice of Privacy Practices and HIPAA Consent (collectively, “Consent”) are for the following purposes: (1) your acknowledgement that you have either received or that you were provided a reasonable opportunity to electronically review DermConnect’s notice of privacy practices (“Notice of Privacy Practices”) and (2) your consent for DermConnect’s and its designees’ use and disclosure of your protected health information (“PHI”) for treatment, payment or healthcare operations as defined by the Health Insurance Privacy and Accountability Act of 1996 (the “HIPAA Privacy Rule”) in connection with the telehealth dermatology services (referred to as the “DermConnect® Service” or “DC Service”) which are provided to you by DermConnect (“DC”). The DC Service comprises a network of participating dermatologists (“Participants”) which delivers dermatology services on a telehealth basis through the website located at http://dermconnect.riverchase.com (“Website”).
By submitting your information to the DC Service using the Website in order to request telehealth dermatology services, your PHI will be made available online through the DC Service. Participants will have access to your PHI by using the DC Service to review your request for telehealth dermatology services. DC will have access to your PHI as the Administration of the DC Service. DC’s designated payment processor will have access to your PHI for use in connection with payment related activities. Other third parties may have access to your PHI either to fulfill healthcare operations of the Participants or as a result of a valid authorization which you have granted.
Please read the following information carefully:
1. I understand and consent to the use and/or disclosure of my PHI by DC and its designees for the purposes of treatment, payment, and healthcare operations related activities which are permitted by the HIPAA Privacy Rule.
a. As a result of your submitting your PHI to the DC Service to request delivery of care (i.e., through the Internet), Participants will have the ability to access your PHI for the provision of telehealth dermatology services using the DC Service. Your PHI will be disclosed and used by the Participant who has elected to fulfill your request for such services. Your PHI will be accessed, stored, and maintained online by DC and its designees.
b. When you pay for dermatology services which are delivered through the DC Service, your PHI will be used or disclosed by the third party payment processor in connection with the processing of your payment information. In addition, your PHI may be disclosed to or used by a Participant in connection with payment related activities. DC and its designees may use your PHI for other payment or reimbursement activities for the provision of services.
c. Participants and business associates (e.g., entities which perform functions such as e-prescribing, data center hosting, managed security services, and ongoing software development and support) may use or disclose your PHI in connection with healthcare operations related activities such as communications about your treatment, case management, care coordination, direct or alternative treatments, therapies, health care providers, or settings of care, and communications pursuant to a valid authorization by you.
2. I am aware that DC maintains a Notice of Privacy Practices which explains the types of uses and disclosures that DC and its designees are permitted or required to make under the HIPAA Privacy Rule. By signing this Consent, I acknowledge that I have received a copy of the Notice of Privacy Practices.
3. I understand and acknowledge that, in its Notice of Privacy Practices, DC has reserved the right to change its Notice of Privacy Practices as permitted or required by the HIPAA Privacy Rule. I understand that I may obtain a copy of the Notice of Privacy Practices at any time by sending a written request to the following address: Riverchase Dermatology and Cosmetic Surgery d/b/a DermConnect, Attn: Privacy Officer, P.O. Box 111389, Naples, FL 34110.
4. I understand and acknowledge that I have the right to request restrictions on how my PHI is used or disclosed to carry out treatment, payment or healthcare operations or to restrict uses and disclosures to those who are involved in my care or payment of my care.
5. I understand and acknowledge that DC is generally not required to agree to restrictions requested by me regarding my PHI. However, DC reserves the right to not provide care if such restrictions are requested by me; in such a case, I understand that I will not be eligible to use the DC Service if DC exercises that right.
6. I understand and acknowledge the risks of electronic communications (e.g., via the DC Service, text messages, and email) in that they are not secure and I consent to receiving such communications. If any PHI is communicated, then only the minimum necessary amount of PHI will be used.