Notice of Privacy Practices
This Notice describes how Identifiable Health Information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
This Notice of Privacy Practices is effective as of February 17, 2010. If you have any questions about this notice, please contact the Privacy Officer at 518-944-2129.
Our Privacy Commitment to You
At St. Margaret’s Center, we understand that information about you and your family is personal. We are committed to protecting your privacy and sharing information only with those who need to know and are allowed to see the information to assure quality services to you.
1. Who will follow these practices:
All people who work for St. Margaret’s Center in our programs and in our administrative offices will follow this notice. This includes employees, persons, contracts with contractors who are authorized to enter information in your clinical record or need to review your record to provide services to you, and volunteers that St. Margaret’s Center allows to assist you.
2. What information is protected:
All information we create or keep that relates to your health or care and treatment, including your name, address, birth date, social security number, your medical information and other information about your care in our programs.
We will ask you to sign an “acknowledgement” indicating that you received this notice.
Your Health/Clinical Information Rights
You have the following rights concerning your health/clinical information. When we use the word “you” in this notice, we also mean your personal representative. Depending on your circumstances and in accordance with state law, this may be your guardian, involved parent, spouse, or adult child, or your advocate.
- You have the right to review your health/clinical information and obtain a copy. Some exceptions apply, such as psychotherapy notes, records regarding incident reports and investigations and information compiled for use in court or administration proceedings. Your request to review your information should be put in writing.
- If we deny your request to see your health/clinical information, you have the right to request a review of that denial. A professional chosen by St. Margaret’s Center who was not involved in denying your request will review the record and decide if you may have access to the record. Denials will be explained in writing.
- You have the right to ask St. Margaret’s Center to change or amend your health/clinical information that you believe is incorrect or incomplete. We may deny your request in some cases, for example, if the record was not created by St. Margaret’s Center or if after reviewing your request, we believe that the record is accurate and complete. If we approve the request for amendment, we will change the health information and inform you of that action and tell others that need to know about the change in the PHI.
- You have the right to request a list of the disclosures St. Margaret’s Center has made of your health/clinical information. We will not, however, keep or provide you with a list of certain disclosures, for example, disclosures made for treatment, payment and health care operations, or disclosures made to you or made to others with your permission. This list of disclosures will also not include disclosures made for national security or intelligence purposes, to law enforcement officials or correctional institutions, or disclosures made before April, 2003.
- You have the right to ask that we limit how we disclose or use your protected health information (PHI). We will consider your request, but are not legally bound to agree to the restriction. To the extent that we do agree to any restrictions on our use/disclosure of your PHI, we will put the agreement in writing and abide by it except in emergency situations. We cannot agree to limit uses/disclosures that are required by law.
- Based on the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act St. Margaret’s Center will comply with your to request to restrict information if the information is to be sent to a health plan for payment or health care operations purposes and the disclosure relates to products or services that were paid for solely out-of-pocket (unless the disclosure is otherwise required by law).
- You have the right to request that St. Margaret’s Center communicates with you in a way that will help keep your information confidential.
- You have the right to receive a paper copy of this notice. You may ask St. Margaret’s Center staff to give you another copy or you may obtain one from our website at www.stmargaretscenter.org
- To request access to your health/clinical information or to request any of the rights listed here, you may contact Medical Records at 518-591-3371.
Note: All requests must be submitted in writing.
St. Margaret’s Responsibilities for your Health Information
St. Margaret’s Center is required by law to:
· Maintain the privacy of your information in accordance with federal & state laws.
· Give you this notice of our legal duties and practices concerning the health information
we have about you.
· Follow the rules in this notice. St. Margaret’s Center will use or share information about you only with your permission except for the reasons explained in this notice. We will inform you if we make changes to our privacy practices in the future. If significant changes are made, St. Margaret’s Center will give you a new notice and post a new notice on our website at www.stmargaretscenter.org
How St. Margaret’s Center Uses and Discloses Health Care Information
St. Margaret’s Center may use and disclose health/clinical information without your permission for the purposes described below. For each of the categories of uses and disclosures, we explain what we mean and offer an example. Not every use or disclosure is described, but all the ways we will use or disclose information will fall within these categories.
- Treatment: St. Margaret’s Center will use your health/clinical information to provide you with treatment and services. We may disclose health/clinical information to doctors, nurses, psychologists, social workers, therapists, nursing assistants and other St. Margaret’s Center personnel, volunteers or interns who are involved in providing you care. For example, involved staff may discuss your health/clinical information to develop and carry out your care plan. We may also need to disclose your health/clinical information to providers outside of St. Margaret’s Center who are responsible for providing you with the services identified in your Individualized Education Plan (IEP) or to obtain new services for you.
- Appointment Reminders: We may use and disclose limited medical information to contact you as a reminder that you have an appointment for treatment or services at one of our programs.
- Payment: St. Margaret’s Center will use your health/clinical information so that we can bill and collect payment from you, a third party, an insurance company, Medicare or Medicaid or other government agencies. For example, we may need to provide the NYS Department of Health (Medicaid) with information about the services you received in our facility so they will pay us for the services. In addition, we may disclose your health/clinical information to receive prior approval for payment of services you may need. Also, we may disclose your health/clinical information to the US Social Security Administration, or the Department of Health to determine your eligibility for coverage or your ability to pay for services.
- Health Care Operations: St. Margaret’s Center will use health/clinical information for administrative operations. These uses and disclosures are necessary to operate St. Margaret’s Center and to make sure all residents receive appropriate, quality care. For example, we may use health/clinical information for quality improvement to review our treatment and services and to evaluate the performance of our staff in caring for you. We may also disclose information to clinicians and other personnel for on the job training. We may share your health/clinical information with other St. Margaret’s Center staff for the purposes of obtaining legal services through Counsel’s office, conducting fiscal audits and for fraud and abuse detection through the Compliance Department. We may also share your health/clinical information with St. Margaret’s Center staff to resolve complaints or objections to your services. We may also disclose health/clinical information to our business associates who need access to the information to perform administrative or professional services on our behalf. If we do disclose your health information to a business associate, we will have a written contract to ensure that our business associate also protects the privacy of your health information.
- Public Relations/Fund Raising/Grants: St. Margaret’s Center may use health/clinical information in summary format to describe the scope of agency services for public relations, fund raising and/or grant applications. For example, a grant application may ask for the organization to describe the nature of individuals served by a specific St. Margaret’s Center program. Such information would describe the general population served and not disclose individual information of a person. Any need to disclose individualized information for public relation funding or grant purposes would not be disclosed unless specific authorization from the person is obtained. Under the HITECH Act, you have the right to opt-out of future fundraising communications. Any opt-out elected will be treated as revocation of any prior authorizations.
Other Uses and Disclosures that Do Not Require Permission
In addition to treatment, payment and health care operations, St. Margaret’s Center will use your health/clinical information without your permission for the following reasons:
- When we are required to do so by federal or state law;
- For public health reasons, including prevention and control of disease, injury or disability, child abuse or neglect, reactions to medication or problems with products, and to notify people who may have been exposed to a disease or are at risk of spreading the disease;
- To report domestic violence and adult abuse or neglect to government authorities if you agree of if necessary, to prevent serious harm;
- For health oversight activities, including audits, investigations, surveys and inspections and licensure. These activities are necessary for government to monitor the health care system, government programs, and compliance with civil rights laws;
- For judicial and administrative proceedings, including hearings and disputes. If you are involved in a court or administrative proceeding we will disclose health/clinical information if the judge or presiding officer orders us to share the information;
- For law enforcement purposes, in response to a subpoena or other legal process, to identify a suspect or witness or missing person, regarding a victim of a crime, a death, criminal conduct at the facility and in emergency circumstances to report a crime;
- Upon your death, to coroners or medical examiners for identification purposes or to determine cause of death and to funeral directors to allow them to carry out their duties;
- To organ procurement organizations to accomplish cadaver, eye, tissue or organ donations in compliance with state law;
- For workers compensation, to the extent authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs established by law;
- For research purposes when you have agreed to participate in the research of an Institutional Review Board;
- To prevent or lessen a serious and imminent threat to your health and safety or the health and safety of others;
- To authorized federal officials for intelligence and other national security activities authorized by law or to provide protective services to the President and other officials;
- To correctional institutions or law enforcement officials if you are an inmate and the information is necessary to provide you with health care, protect your health and safety or that of others, or for the safety of the correctional institution;
- To governmental agencies that administer public benefits if necessary to coordinate the covered functions of the programs.
Uses and Disclosures that Require Your Agreement or Authorization
St. Margaret’s Center may disclose health/clinical information to the following persons if we tell you we are going to use or disclose it and you agree or do not object:
- To family members and personal representatives who are involved in your care if the information is relevant to their involvement and to notify them of your condition and location; or
- To disaster relief organizations that need to notify your family about your condition and location should a disaster occur.
Authorization Required for All Other Uses and Disclosures
- For all other types of uses and disclosures not described in this Notice, St. Margaret’s Center will use or disclose health/clinical information only with a written authorization signed by you or an authorized personal representative that states who may receive the information, what information is to be shared, the purpose of the use or disclosure and an expiration for the authorization. Written authorizations are always required for use and disclosure of mental health, HIV/AIDS and substance abuse information.
Note: If you cannot give permission due to an emergency, St. Margaret’s Center may release health/clinical information in your best interest. We must tell you as soon as possible after releasing the information. This notification will be made in writing. You may revoke your authorization at any time. If you revoke your authorization in writing, we will no longer use or disclose your health/clinical information for the reasons stated in your authorization. We cannot, however, take back disclosures we made before you revoked and we must retain health/clinical information that indicates the services we have provided to you.
Notice of Breach of Health Information
Breach means the acquisition, access, use or disclosure of protected health information in violation of the HIPAA privacy rule that compromises the security or privacy of the information. The phrase "compromises the security or privacy of health information" means poses a significant risk of financial, reputational or other harm to the individual.
If a breach occurs and we determine that the breach poses significant harm to the individual, we will provide written notice to the individual affected as described below. In order to determine whether the breach poses significant harm to the individual, we will perform a fact-based risk assessment that includes consideration of the following factors: (i) who or what type of entity received access to the information; (ii) steps taken to mitigate harm, such as obtaining satisfactory assurances (e.g., a confidentiality agreement) from the recipient that the information will not be further used or disclosed, or will be destroyed; (iii) if the information was returned prior to it being accessed for an improper purpose; and (iv) the nature, type and amount of information used or disclosed.
A. Notice to the Individual
The required notice will be sent without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. A breach will be treated as discovered by us as of the first day on which the breach is known to us. The notice will be written in plain language and will contain the following information: (i) a brief description of what happened, the date of the breach, if known, and the date of discovery; (ii) the type of PHI involved in the breach; (iii) any precautionary steps the individual should take; (iv) a description of what we are doing to investigate and mitigate the breach and prevent future breaches; and (v) contact information for us, including a toll-free telephone number, e-mail address, website or postal address.
The notice will be sent by first-class mail or by email, if the individual has specified a preference for communication by email. If contact information for the individual in question is insufficient or out-of-date, we may contact the individual by telephone or other permissible alternate method of communication. If the notification is of an urgent nature because of possible imminent misuse of unsecured health information, we may contact the individual by telephone or other means, as appropriate, in addition to the written or other forms of notice.
B. Notice to the Media
In the event of a breach affecting more than 500 residents of a State or jurisdiction, we will, without unreasonable delay and in no case later than 60 calendar days after discovery of the breach, notify prominent media outlets serving the State or jurisdiction.
C. Notice to HHS
For breaches affecting fewer than 500 individuals, we are required to maintain an annual log of such breaches and provide a copy of such log to HHS within 60 days of the end of the calendar year. For breaches affecting 500 or more individuals, we are required to notify HHS at the same time notice is provided to the individual.
D. Law Enforcement Delay
Following a breach, we may delay transmission of any of the required forms of notice if we are informed by a law enforcement official that such notice would impede a criminal investigation or cause damage to national security.
Changes to this Notice
We reserve the right to change this notice. We reserve the right to make changes to terms described in this notice and to make the new notice terms effective to all health/clinical information that
St. Margaret’s Center maintains. We will post the new notice with the effective date on our website at www.stmargaretscenter.org and in our facilities. In addition, we will offer you a copy of the revised notice at your next scheduled service/planning meeting.
If you believe your privacy rights have been violated:
- You may file a complaint with the St. Margaret’s Center Corporate Compliance Officer at 314 South Manning Blvd., Albany, NY 12208, 518-944-2129. Or, you may contact the Secretary of the Department of Health and Human Services at 200 Independence Avenue, S.W., Washington, DC 20201, 877-696-6776.
- You may file a grievance with the Office of Civil Rights by calling 866-OCR-PRIV or (866) 627-7748, or (886) 788-4989 (TTY).
All complaints must be submitted in writing. You will not be penalized for filing a complaint.