Ridley-Tree Cancer Center
MyChart
1-800-472-6786
Sansum Clinic / Patient Information / Policies / Notice of Privacy Practices (NPP) for Protected Health Information (PHI)

Notice of Privacy Practices (NPP) for Protected Health Information (PHI)

Your Information. Your Rights and Choices. Our Responsibilities.

Alternate Translation Español >

(AVISO DE LAS PRÁCTICAS DE PRIVACIDAD DE INFORMACIÓN DE LA SALUD PROTEGIDA >)

This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review this notice carefully.

UNDERSTANDING YOUR MEDICAL RECORD AND HEALTH INFORMATION

Each time you visit a hospital, doctor, or other healthcare provider, your visit is documented. Typically, such documentation contains information about your health signs and symptoms; results of your physical examination and diagnostic tests; an assessment of your current medical condition; and a plan for your future care or treatment. Often referred to as your health or medical record, this body of information is considered protected health information (PHI), and it also serves as a basis for planning and tracking your care and treatment, as well as a means of communication among the individual healthcare professionals who participate in your care.  

The medical record is a legal document, describing in detail the care you received and is the means by which you and your insurance carrier can verify that the services billed were actually provided. The medical record serves as a tool in educating health professionals and can provide a valuable source of data for medical research and for quality improvement initiatives. It may also be utilized by public health officials charged with improving the overall health of the community. Moreover, the medical record may be used as a resource for information needed in organization planning and service marketing.  

Therefore, understanding what is contained in your medical record and how your PHI is or may be used helps you (a) to examine and ensure its accuracy; (b) to understand more clearly how others may access your health information; and (c) to make more informed decisions when authorizing use or disclosure of that information to others. 

While the medical record is the property of Sansum Clinic, the information contained therein belongs to you. Subsequent sections of this Notice delineate how the law permits us to use, share, or disclose your protected health information and define your rights and choices with respect to your PHI and our responsibilities as custodian and steward of your health record.

USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION FOR TREATMENT, PAYMENT AND HEALTHCARE OPERATIONS

Sansum Clinic requests that you sign a General Consent for Treatment form annually or whenever necessary to keep your medical record accurate and up-to-date. This General Consent allows the organization, including Sansum Clinic’s Prescription Pharmacy, the Ambulatory Surgery Center, and the Ridley-Tree Cancer Center, to use or disclose your health information for purposes relating to treatment, payment, and healthcare operations, as follows: 

For treatment. We can use your health information and share it with other professionals who are treating you. Information obtained by a nurse, physician, health educator, and other members of your healthcare team will be documented in your medical record and will be used to determine the appropriate course of treatment for your particular medical issues, problems, or concerns, as well as to ensure that there will be continuity when transitions in your care occur. Your record may also contain copies of results from tests performed in the Clinic (e.g. laboratory and radiology studies) and correspondence from other healthcare professionals who have been or are treating you outside the Clinic. We may share your medical information with other physicians or other health care providers who will provide services that we do not provide, or we may share this information with a pharmacist who needs it to dispense a prescription to you, or a laboratory that performs a test for you. Hence, your physician will have an accurate, timely, and complete picture of your medical history and overall health condition when viewing your PHI and will be better able to treat your current medical problems safely. 

For payment. We can use and share your health information to bill and get payment from health plans and other payers. Following your treatment, a bill for services rendered is sent to you or to a third party payer (e.g. insurance company, health plan, etc.). The information on the bill may include information that identifies you, as well as your diagnosis, any procedure performed, and medications and supplies used. However, you may request that PHI associated with that portion of your healthcare for which you paid out-of-pocket in full not be disclosed to your health plan or insurance company.

For our operations. We can use and share your health information to run our practice, improve care, and plan for the future. We may use and disclose information about you to keep Sansum Clinic in operation. Medical staff, the risk manager, quality management personnel, or members of the process and quality improvement team may use information in your medical record to assess the care and outcomes in your case and others like it. This information will then be used to enhance the quality and improve the effectiveness of the healthcare and services we provide all our patients. We may also use and disclose PHI when necessary for medical reviews, attorney services and legal audits, including fraud and abuse detection and compliance programs, as well as business planning and facility management.

For working with our business associates. There are services provided in our organization through agreements with contractors or “business associates.” Examples include billing companies that perform billing and invoicing services for us; outside transcription vendors that transcribe physician dictations and upload these reports into our electronic health record system; and consultants we may hire to assist us in various aspects of health care administration. When these services are contracted, we may disclose your protected health information to such business associates and their subcontractors so that they can perform the job they are contracted to do. These business associates must agree to safeguard your PHI.

For continuity of care. As indicated earlier, we may share PHI with, or permit access to your PHI to, authorized providers and outside healthcare entities (i.e. covered entities) responsible for your care and treatment. More specifically, for example, we may allow Cottage Community Health Information Exchange (CCHIE) to have HIPAA-compliant access to your protected health information.  CCHIE is a nonprofit electronic information network which enables providers to share information securely with one another in order to better coordinate and enhance medical care involving the same patient population. When clinical records are available to the provider at the point of care, the patient receives more accurate and timely service that leads to improved overall patient experience. 

For notifications and reminders. We may contact you by postal mail, e-mail (via MyChart), or telephone in order to remind you of an upcoming appointment or to inform you about test results. Sansum Clinic takes privacy and security matters very seriously, and in the event of a privacy violation or security breach involving your PHI, we are also obligated to notify you in accordance with Federal privacy regulations and/or State confidentiality requirements.

For communicating with your family and patient representatives. We can use your health information for internal and external communications. Using their best judgment and your authorization, Clinic healthcare professionals may disclose PHI to your family member, patient representative, or any other person you identify as being involved in your personal care or bill payment. 

For research. We can use or share your information for health research activities. We may disclose information to researchers when an institutional review board (IRB) or privacy board, which among other requirements has reviewed the research proposal and established protocols to ensure the privacy and confidentiality of your health information, has approved the research.

For informing funeral directors, medical examiners, and coroners. We can share health information when a patient expires. We may disclose health information to medical examiners or funeral directors consistent with applicable law in order to assist them in performing duties involving deceased patients. 

For marketing. We can use your protected health information for marketing purposes. We may contact you to provide information about treatment alternatives, new medications, or other health-related benefits, programs, and services that may be of interest to you.

For fundraising. We may contact you as part of a fundraising or philanthropic effort. In this situation you have the right to opt out of the specific fundraising or philanthropic solicitation, and you will be provided timely instructions on how to opt out. You can simply tell us not to contact you again. You also have the option of sending a request to be removed from our mailing list. You may do so by directly emailing donotmail@sansumclinic.org. Moreover, we may not condition treatment on your decision concerning the receipt of fundraising information, and you may opt-in anytime.

For Food and Drug Administration (FDA). We send time-sensitive reports to the FDA. We may disclose to the FDA any health information that relates to unusual or adverse events in connection with medications, supplements, or healthcare equipment in order to facilitate timely medication and/or equipment recalls.

For addressing Workers’ Compensation. We can use and share PHI when reporting on Workers’ Compensation cases. We may disclose health information to the extent authorized by law and to the extent necessary to comply with legal requirements pertinent to any disability involving Workers’ Compensation and other similar programs established by law.

For reporting cases pertaining to public health. As required by law, we may disclose your health information to public health officials or legal authorities charged with preventing or controlling disease, injury, or disability, as well as with helping to recall products. Such information reporting may include, but is not limited to, the documentation and reporting of abuse, neglect, or domestic violence; the reporting of communicable diseases; and the reporting of reactions to medications or problems with products or devices. Additionally, we may share your PHI for the express purpose of preventing or reducing a serious threat to anyone’s health or safety.

For health oversight activities. We may disclose your health information to a health oversight agency for activities authorized by law. Oversight activities can include audits, investigations, inspections, depositions, subpoenas, surveys, licensure and disciplinary actions, criminal procedures or actions, or other activities necessary for the government to monitor programs, compliance with civil rights laws, and the health care system in general.

For law enforcement purposes. We may disclose your health information if requested by law enforcement, military police, homeland security, presidential protective services, or legal authorities. If asked to do so by such law enforcement officials or legal agencies, we may release your PHI in the following circumstances: (a) suspicion of criminal conduct or potential death due to criminal conduct; or (b) in response to a warrant, summons, administrative order, court order, subpoena or other similar legal process.

For compliance with the law. We will share your health information if Federal or State laws require it. This type of disclosure includes sharing your PHI with the Department of Health and Human Services, the California Department of Public Health, and, more specifically, with the Office of Civil Rights as evidence of compliance with HIPAA Privacy Rules.

AUTHORIZATIONS

When Sansum Clinic is requesting permission to use your protected health information for purposes other than treatment, payment or healthcare operations (TPO), to disclose your PHI to a third party for purposes not outlined above in Section II of this Notice, or for any use or disclosure for the purpose of marketing or the sale of your PHI, you will be asked to sign an authorization. Typical examples include (a) disclosing information to an employer for employment decisions and (b) disclosing information for eligibility for life insurance. Moreover, an authorization will be required to use or disclose psychotherapy notes for treatment purposes by persons other than the originator of the notes.

YOUR RIGHTS AND CHOICES

Your protected health information as contained in the medical record belongs to you. Hence, you have certain rights and defined choices regarding your PHI that we store and maintain for you. For example, you can make a choice with regard to what we can disclose when sharing information in a disaster relief situation and also when allowing the Clinic to include information about you in one of our publications. Other choices you can make are as follows:

1. Obtain a paper copy of this Notice of Privacy Practices for Protected Health Information (NPP) promptly upon request.   When you sign the General Consent for Treatment form at registration, you are provided a copy of this NPP to read and take home with you. A copy of this same NPP is posted at all Clinic locations and in our website, www.sansumclinic.org. Even if you have obtained this NPP in another form or at another time or somewhere else, you are still entitled to a paper copy of this Notice anytime you request it.

2. Inspect your medical record. You have the right to inspect your PHI as defined in the Designated Record Set (DRS), which is that set of information used to make decisions about your care. DRS includes medical and billing documents but may exclude certain specific provider records, such as mental health information (e.g., psychotherapy notes, certain psychiatric records, etc.). To view your medical record in person, you must submit a request in writing to the Sansum Clinic Health Information Services, Release of Information (ROI) Department, 89 South Patterson Avenue, Santa Barbara, CA 93111. You will obtain a response regarding your request within five (5) business days, after which you may come to the ROI Correspondence Office to view your records, both paper and electronic, per your request. In some limited circumstances, your provider may deny your request to inspect your medical record and you would be notified of this denial in writing with an explanation of the basis for the denial within 60 days. In such cases, you may request that your denial be reviewed. Another licensed health care professional chosen by Sansum Clinic will review both your request and the denial. The Clinic will be bound by the outcome of this secondary review. 

3. Obtain a copy of your medical record. You may obtain a copy of your medical record by putting your request in writing or submitting an Authorization for Use/Disclosure of Protected Health Information form to the Health Information Services, ROI Department, 89 South Patterson Avenue, Santa Barbara, CA 93111. There may be administrative fees involved in providing you either a paper-based or electronic copy for your personal use. However, once a valid release form is on file, there are no charges if the copy is to go directly from the ROI Correspondence Office to your physician, to another healthcare provider, or to any other third party per your personal directive. Your request will be processed in a timely manner according to policy, format, and type of release, and you will be notified as soon as your request is completed. As outlined above, a request to obtain a copy of certain mental health information or parts thereof may be denied by your provider and you will be notified regarding that denial within five (5) business days from receipt of your request.

4. To make an addendum or request an amendment or a correction. If you believe that medical information we have about you is incorrect or incomplete, you may provide us a written addendum to any entry or statement in your medical record or you may ask us to amend the information. To file a written addendum, you must fill out a Request to File an Addendum to Protected Health Information form. To request an amendment, you must complete a Request to Amend Protected Health Information form. The applicable form can be submitted by mail, by fax (805-692-4699), or in person to Health Information Services, ROI Department, 89 South Patterson Avenue, Santa Barbara, CA 93111. If your request is not in writing or—in the case of an amendment request—does not state a valid and acceptable reason (as determined by your provider) to support your request, it may be denied.  In addition, we may deny your request if you ask us to change information that:

A. Was not originated by the Clinic or involved a provider or entity no longer available to make the amendment.

B. Is not part of the medical record (your PHI) as defined in the Designated Record Set and maintained by the Clinic.

C. Is not part of the information which you would be permitted to inspect and/or copy under Clinic policy.
 
D. Is accurate and complete as is.

5. You will receive a response from the ROI Correspondence Office regarding your request within 15 business days following receipt. In the case of any denial, you will be informed in writing regarding the reason(s) for the denial within 60 days.

6. To revoke your authorization to use or disclose Protected Health Information at any time except to the extent that the information has already been used or disclosed. For example, Sansum Clinic may obtain your written authorization to use or disclose your PHI for purposes other than treatment, payment or health care operations (e.g. you may sign an authorization allowing the Clinic to disclose your PHI to a life insurance company in order to obtain life insurance coverage). Any authorization you provide to us regarding the use and/or disclosure of your PHI may be revoked at any time. You must submit your request in writing to Health Information Services, ROI Department, 89 South Patterson Avenue, Santa Barbara, CA 93111. Your request shall be processed within 15 business days following receipt. After you revoke your authorization, we will no longer use or disclose your health information for the purposes described in the authorization.

7. To obtain an “Accounting of Disclosures” (AOD) of your Protected Health Information. You can ask for a list of events we have shared your PHI over a specified period of six (6) years prior to the date of your request, including to whom your information was disclosed and why. An AOD is a list of certain non-routine disclosures that Sansum Clinic has made involving your PHI for purposes other than treatment, payment or health care operations and for which you have not given authorization, such as disclosures to public health officials. In order to obtain this list, you must complete a Request for an Accounting of Disclosures of Protected Health Information form available at any Sansum Clinic location. You may submit this form by mail, by fax (805- 692-4699), or in person to Health Information Services, ROI Department, 89 South Patterson Avenue, Santa Barbara, CA 93111. Your request will be processed within 30 days from receipt. The first list you request within a twelve-month period is free of charge, but Sansum Clinic may charge for additional lists within the same twelve-month period.

8. To request a restriction on certain uses and disclosures of your Protected Health Information. You have the right to request a restriction or limitation on the PHI we use or disclose about you. For example, you may restrict or deny disclosure of your PHI to your health plan or insurance company if you paid out-of-pocket in full for the treatment and services received as contained in, or described by, such PHI. We must comply with this type of request. Additionally, you have the right to request that we restrict our disclosure of your PHI to only certain individuals involved in your care, such as family members or friends, as indicated in your medical record. For example, you may ask that we do not use or disclose information about a surgery or treatment that you had at the Clinic to anyone other than your daughter. Sansum Clinic is not required to agree to your request; however, if we do agree, we are bound by our agreement with you except when otherwise required by law, in emergencies, or when the information is necessary to treat you.  In order to request a restriction of the Clinic’s use or disclosure of your PHI, you must obtain and complete a Request for Special Restriction on Use or Disclosure of Protected Health Information form and submit this form by mail, by fax (805-692 4699), or in person to Health Information Services, ROI Department, 89 South Patterson Avenue, Santa Barbara, CA 93111. The request must describe (a) the information you wish restricted; (b) whether you are requesting to limit Sansum Clinic’s use, disclosure or both; and (c) to whom you want the limits to apply. Your request will be processed within 30 days from receipt.

9. To request that Sansum Clinic communicate with you about your health and related issues in a particular manner or at a certain location. For example, you may ask that we contact you at home rather than at work.  To request this type of confidential communication, you must obtain and complete a Request for Restriction on the Manner/ Method of Confidential Communications form and submit it by mail, by fax (805-692-4699), or in person to Health Information Services, ROI Department, 89 South Patterson Avenue, Santa Barbara, CA 93111. Your request should specify the requested method of contact or the location where you wish to be contacted, although you need not give a reason for your request. The Clinic will accommodate all reasonable requests and your request will be processed and implemented within 30 days from receipt.

10. To be notified promptly by Sansum Clinic and/or a business associate following a confirmed breach of your Protected Health Information. For example, upon discovery that protected health information about you, such as your lab results or x-ray reports, was sent to an unauthorized recipient, we must inform you within required time limits. Furthermore, without unreasonable delay, we must notify certain government agencies as required by law.

11. To choose someone to act for you as your patient representative. If you have given someone medical power of attorney or if someone is your designated legal guardian, that person can exercise your rights on your behalf and make choices about your health information. Sansum Clinic will, however, make sure that your personal representative has such authority and can act for you before we take any action, e.g. before granting proxy access to your MyChart account.


OUR RESPONSIBILITIES

Sansum Clinic is required by law to maintain the privacy and security of your protected health information. We must provide you with a notice as to our legal duties and privacy practices with respect to the information we collect and maintain about you. The Clinic must abide by the terms of this Notice of Privacy Practices and must notify you promptly if we are unable to agree to a requested restriction. We will let you know promptly if a breach occurs that may have compromised the privacy or security of your PHI.  We reserve the right to change our practices and to make the new provisions effective for all PHI we maintain. We will not use or disclose your PHI without your authorization except as described in this NPP. If you tell us we can use your PHI, you may change your mind at any time as long as you notify us in writing. Should our information practices change, we will post an updated NPP, and it shall be also made available to you though our website, www.sansumclinic.org, in a timely manner or anytime upon request. 

FOR MORE INFORMATION, TO REPORT A PROBLEM OR TO FILE A COMPLAINT

If you have questions and would like additional information, you may contact the Sansum Clinic Privacy Office by phone at (805) 681-1719, via fax at (805) 679-8302, or anonymously at (855-530-0006) or reports@lighthouse-services.com (include Sansum Clinic name with report). If you believe your privacy rights have been violated, you can file a written complaint with the Compliance and Privacy Officer at 470 South Patterson Avenue, Santa Barbara, CA 93111, or with the Sansum Clinic Quality Management Department at 470 South Patterson Avenue, Santa Barbara, CA 93111.

Additionally, you may file a complaint with the U. S. Secretary of the Department of Health and Human Services (DHHS), Office for Civil Rights, by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201; by calling (877) 696-6775; or by visiting its official website at https://www.hhs.gov/hipaa/filing-a-complaint/complaint-process/. There will be no retaliation for filing a complaint with us or with the Office for Civil Rights.


EFFECTIVE DATE: April 14, 2003
REVISION DATE: August 17, 2006
REVISION DATE: April 22, 2009
REVISION DATE: June 9, 2009
REVISION DATE: April 15, 2014
REVISION DATE: April 6, 2016
REVISION DATE: May 8, 2017
REVISION DATE: July 8, 2017
REVISION DATE: August 3, 2017
REVISION DATE: October 25, 2019
REVISION DATE: December18, 2019

 

 

Related Links

Patient Rights, Responsibilities and Organizational Ethics >

Consent and Authorization Forms >

Payment Policies >

Pet Policy >

Photo or Video Policy >

Unresolved Patient Quality of Care Concerns >