We are required by law to:
1. Maintain the privacy of your protected health information.
2. Provide you this detailed Notice of our legal duties and privacy practices relating to your personal health information.
3. Abide by the terms of the Notice that are currently in effect.
For more information see: www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/noticepp.html.
We may use and disclose your personal health information for the treatment, payment, and health care operations without needing to obtain your consent:
1. Treatment: We will use and disclose your personal health information in providing you with treatment and services. We may disclose your personal health information to facility and non-facility personnel who may be involved in your care, such as physicians, nurses, nurse aides, and physical therapists. For example, a nurse caring for you will report any change in your condition to your physician. We also may disclose personal health information to individuals who will be involved in your care after you leave the facility.
2. Payment: We may use and disclose your personal health information so that we can bill and receive payment for the treatment and services you receive at the facility. For billing and payment purposes. We may disclose your personal health information to your representative, insurance or managed care company, Medicare, Medicaid or another third party payor. For example, we may contact Medicare or your health plan to confirm your coverage or to request prior approval for a proposed treatment or service.
3. Health Care Operation: We may use and disclose your personal health information for facility operations. These uses and disclosures are necessary to manage the facility and to monitor our quality of care. For example, we may use personal health information to evaluate our facility's services, including the performance of our staff.
We may use or disclose personal health information about you for the following specific purposes:
1. As specifically required or permitted by law or for law enforcement purposes.
2. To an organization assisting in disaster relief.
3. For public health purposes, which may include:
a. Reporting to a public health or other government authority for preventing or controlling disease, injury or
disability, or reporting child abuse or neglect
b. Reporting to the federal Food and Drug Administration (FDA) concerning adverse events or problems
with products for tracking products in certain circumstances, to enable product recalls or to comply with
other FDA requirements.
c. To notify a person who may have been exposed to a communicable disease or may otherwise be at risk
of contracting or spreading a disease or condition.
d. For certain purposes involving workplace illness or injuries.
4. As appropriate to comply with a court or administrative order, warrant, subpoena, summons, investigating demand, or similar legal process, including requests from entities providing workers' compensation coverage to the resident or employee, in which case efforts will be made to contact you about the request or to give you an opportunity to obtain an order or agreement protecting the information.
5. If we believe you have been a victim of abuse, neglect or domestic violence, to notify a government authority if required or authorized by law, or if you agree to the report.
6. To a health oversight agency for oversight activities authorized by law, which may include, for example, audits, investigations, inspections and licensure actions or other legal proceedings. These activities are necessary for government oversight of the health care system, government payment or regulatory programs, and compliance with civil rights laws.
7. To identify or locate a suspect, fugitive, material witness, or missing person.
8. When information is requested about the victim of a crime if the individual agrees or under other limited circumstances.
9. As appropriate to report information about a suspicious death.
10. As appropriate to provide information about criminal conduct occurring at the facility.
11. As appropriate to report information in emergency circumstances about a crime.
12. As appropriate to identify or apprehend an individual in relation to a violent crime or an escape from lawful custody.
13. As expressly permitted by the resident, the employee, or a person who has the power to provide such permission on behalf of the resident or employee (for example, a person with an applicable power of attorney).
14. As appropriate to affect, administer services, process or enforce a transaction, product, service requested or authorized by the resident or employee.
15. When necessary to prevent a serious threat to your health or safety or the health of safety of the public or another person, but any such disclosure would be made only to someone able to help prevent the threat.
16. If you are a veteran or member of the armed forces, upon death we may release information as required to military command authorities.
17. As appropriate to remind a resident about an appointment or to inform the resident about treatment alternatives or to inform residents and employees about benefits and services.
18. We will provide family members and clergy with information regarding your room number and general information on your condition unless you object.
19. We may provide individual medical information for medical research but only with approval from the employee or resident or person with authority to give such authorization for the resident such as the attorney-in-fact or guardian.
20. We may contact you for fundraising efforts for the facility. You may request to opt out of such fundraising communications at any time.
21. Medicare and Medicaid participating long-term care facilities are required to conduct comprehensive, accurate, and reproducible standardized assessments of each resident's functional capacity and health status. To implement this requirement, the facility must obtain information from every resident. This information also is used but the Federal Centers for Medicare and Medicaid Services (CMS) to ensure that the facility meets quality standards and provides appropriate care to all residents. For this purpose, as of June 22, 1998, all such facilities are required to establish a database of resident assessment information, and to electronically transmit the information to the CMS contractor in the State government, which in turn transmits the information to CMS.
Because the law requires disclosure of this information to the Federal and State sources as discussed above, a resident does not have the right to refuse consent to these disclosures.
Your authorization is required for all other uses of personal heath information. We will use and disclose personal heath information only with your written authorization. You may revoke your authorization to use or disclose personal health information in writing, at any time. If you revoke your authorization, we will no longer use or disclose your personal health information for the purposes covered by the authorization, except where we have already relied on the authorization.
Residents and employees have certain rights regarding personal health information:
1. The right to request restrictions on the use or disclosure of personal health information. We are not required to agree to your requested restriction (except that while you are competent you may restrict disclosures to family members and friends), unless the disclosure is to a health plan for purposes of carrying out payment or health care operations and the information pertains solely to a health care item or service for which you have paid in full out of pocket. If we do agree to accept your requested restriction, we will comply with your request except as needed to provide you emergency treatment.
2. The right to inspect and copy your medical or billing records or other health information. If we maintain your information in an electronic record, you may obtain from us a copy of such information in an electronic format and direct us to transmit such copy directly to an entity or person designated by you. We must allow you to inspect your records within 24 hours of your request. If you request copies of the records, we must provide you with copies within 2 days of that request. We may charge a reasonable fee for our costs. We may deny your request in certain limited circumstances and you will have the opportunity to request a review of the denial.
3. The right to request amendment to the information if you think it is incorrect or incomplete for as long as the information is kept by or for the facility. The request must be in writing and state the reason for the request. We may deny the request if the information:
a. Was not created by the facility, unless the originator of the information is no longer available to act on our request.
b. Is not part of the personal health information maintained by or for the facility.
c. Is not part of the information to which you have a right of access.
d. Is already accurate and complete, as determined by the facility.
If we deny your request, we will provide you a written denial and the reasons for the denial and you will have the right to submit a written statement disagreeing with the denial.
4. The right to request an accounting of our disclosures of the resident's or employee's personal health information. This generally will not include disclosures for treatment, payment and health care operations or certain other exceptions allowed by law, except that if we implement the use of electronic health records, disclosures for treatment, payment and health care operations will be included in an accounting requested by you. The request must be in writing. An accounting will include, if requested: the disclosure date; the name of the person or entity that received the information and address, if known; a brief description of the information disclosed; a brief statement of the purpose of the disclosure or a copy of the authorization or request; or certain summary information concerning multiple similar disclosure. If requested, we will provide one such list per year without charge; for further requests, we will charge a reasonable, cost-based fee.
5. The right to a paper copy of this Notice.
6. The right to request that we communicate with the resident or employee concerning personal health matters in a certain manner or at a certain location. We will accommodate reasonable requests.
We are required to notify you in the event that your unsecured protected health information (PHI) is breached. A breach is defined as the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of the PHI, but does not include unintentional acquisition, access or use of such information, inadvertent disclosure of such information within a facility, and disclosure to a person not reasonable able to retain it. "Unsecured protected health information" refers to PHI that is not secured through the use of valid encryption process approved by the Secretary of Health and Human Service or the destruction of the media on which the PHI is recorded or stored. Such encryption or destruction methods are not mandated on covered entities such as ours. We will evaluate the propriety of securing PHI for our residents, and act using our own discretion. However, should any of your "unsecured" PHI held by us be "breached", then we will notify you in the following manner:
1. We will notify you no later than 60 days after discovery of such breach via first-class mail or e-mail, if specified by you as your preference. If the breach involves the information of more than 500 individuals, we will also provide notice to prominent media outlets. We will also notify the Secretary of Health and Human Services of the breach (immediately if the breach involves the information of more than 500 individuals or in an annual notification for all other breaches).
2. Our notification to you will include:
a. A brief description of what happened, including the date of breach and date of discovery (if known).
b. A description of the types of PHI that were involved in the breach.
c. Any steps you should take to protect yourself from potential harm resulting from the breach.
d. A brief description of what we are doing to investigate the breach, mitigate harm to the resident, and protect against further breaches.
e. Contact procedures for you to ask questions or learn additional information, which must include a telephone number, an e-mail address, web site, or postal address.
These rights are in addition to the rights provided to our resident under the Resident’s Bill of Rights.
If you believe your privacy rights have been violated, you may file a complaint in writing with the facility or with the Office of Civil Rights in the U.S Department of Health and Human Services. To file a complaint with the Department of Health and Human Services you may write to 200 Independence Avenue, S.W. Washington, D.C. 20201, by calling 1-800-696-6775, or by visiting www.hhs.gov/ocr/privacy/hipaa/complaints/. To file a complaint with the facility, you may contact the PHI Security Officer, by writing to 116 S. Central Mulvane, KS 67110, or by calling 316-777-1129. There will be no retaliation against you if you file a complaint.
We may change this policy at any time. We reserve the right to make new provisions effective for all personal health information we have already received and for all personal health information we may obtain in the future. Revised notices will be available upon request, at the facility, and on our website.
Effective January 01, 2014
This Notice of Privacy Practices applies to the following organizations:
Villa Maria, Inc. (facility)
Via Christi Villages, Inc. (Management Company)
If you have any questions concerning this policy, please contact: Dena Johnson, Administrator, at firstname.lastname@example.org; or Jackie Johnson, PHI Security Officer, at email@example.com. Or you may call at 316-777-1129.