Privacy Policy

SCOPE

This policy is applicable to all Team Members of Unified Women’s Healthcare of Texas’s subsidiaries, as defined below.

PURPOSE

To ensure that Unified Women’s Healthcare of Texas adopts and implements a Notice of Privacy Practices that meets the requirements of the HIPAA Privacy Rule.

DEFINITIONS

Company- For the purposes of this policy, “Company” refers to Unified Women’s Healthcare of Texas’s subsidiary care centers.

Notice of Privacy Practices (NPP) - Describes the HIPAA defined patient rights related to use and disclosure of the individual’s health information.

Protected Health Information (PHI) - Protected Health Information, (according to HIPAA 45 C.F.R. § 160.103) is all “individually identifiable health information” in any form or media, whether electronic, paper, or oral. “Individually identifiable health information” is information, including demographic data, that relates to an individual’s past, present or future physical or mental health or condition, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

Team Members - All individuals working at the Company’s care centers including all providers, employees, employees of the Company’s management company, temporary employees, and contractors.

POLICY

It is the policy of the Company that appropriate individuals, at appropriate times, are provided with a Notice of Privacy Practices (NPP) that describes how the Company may use and disclose their Protected Health Information (PHI), their rights with respect to PHI and the legal obligations of the Company and that meets the requirements of the HIPAA Privacy Rule. The NPP must be provided to a patient upon their first visit and annually thereafter. The patient must be presented with an Acknowledgement for receipt of the NPP for their signature. The NPP must also be posted in a prominent location, visible to all patients. Only the NPP approved by the Compliance Office can be utilized by the Company.

PROCEDURE

1.Provision of Notice. The Company must make the notice available on request to any person and to individuals as specified below.

a.The Company must:

i.Provide the NPP no later than the date of the first service delivery after compliance; or as soon as reasonably practicable after an emergency treatment situation.

ii.Except in an emergency treatment situation, make a good faith effort to obtain a written acknowledgment of receipt of the NPP (either paper or electronic) and, if not obtained, document its good faith efforts to obtain the acknowledgment and the reason why the acknowledgment was not obtained.

2.Right to Notice of Privacy Practices. An individual has a right to adequate notice of the uses and disclosures of PHI that may be made by the Company and of the individual's rights and the Company’s legal duties with respect to PHI.

3.Content of Notice of Privacy Practices. The Company’s Privacy Office must ensure that the NPP is written in plain language and includes:

a.The Header: The NPP must contain the following statement as a header or otherwise prominently displayed:

“THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”

b.Uses and Disclosures: The NPP must contain a description of how the Company may use and disclose PHI about an individual, including:

i.A description, including at least one example, of the types of uses and disclosures that the Company is permitted to make for each of the following purposes: Treatment, Payment and Health Care Operations, in sufficient detail and reflecting the requirements of laws or regulations that are more stringent than the HIPAA Privacy Rule, if any, to put the individual on notice.

ii.A description of each of the other purposes for which the Company is permitted or required to use or disclose PHI without the individual's written Authorization, in sufficient detail and reflecting the requirements of laws or regulations that are more stringent than the HIPAA Privacy Rule, if any, to put the individual on notice.

iii.A statement that other uses and disclosures will be made only with the individual's written Authorization and that the individual may revoke such Authorization.

iv.The intention of the Company, if applicable, to engage in the following activities:

A.Appointment reminders or information about treatment alternatives of other health-related benefits and services that may be of interest to the individual,

B.Communications to the individual for fundraising purposes to benefit the Company and the individual’s right to opt out of receiving such communications,

C.The disclosure of PHI to the sponsor of a Group Health Plan or HMO or Health Insurance Issuer.

c.The Individual’s Rights: The NPP must contain a description of the individual’s rights with respect to the PHI and a brief description of how the individual may exercise the following rights:

i.The right to request restrictions on certain uses and disclosures of PHI including a statement that the Company is not required to agree to a requested restriction except in the case where the individual, or someone on his/her behalf, pays for the health care service or item out-of-pocket,

ii.The right to receive communications by alternative means,

iii.The right to inspect and copy PHI,

iv.The right to amend PHI,

v.The right to receive an Accounting of Disclosures of PHI, and

vi.The right of an individual, including an individual who has agreed to receive the NPP electronically, to obtain a paper copy of the NPP from the Company upon request, and

vii.The individual’s right to submit a complaint to the Company and/or the Secretary of HHS if they believe their privacy rights have been violated, including a brief description of how the individual may file a complaint with the Company and a statement that the individual will not be retaliated against for filing a complaint.

d.The Company’s Rights and Responsibilities: The NPP must contain a brief description of the Company’s rights and responsibilities with respect to the PHI, including:

i.A statement that the Company is required by law to maintain the privacy of PHI and to notify affected individuals following a breach of unsecured PHI,

ii.The requirement that the Company must act in accordance with its NPP,

iii.An effective date on which the NPP is first in effect, which may not be earlier than the date on which the NPP is printed or otherwise published,

iv.The Company's duty to promptly revise and distribute its NPP whenever there is a material change to the uses or disclosures, the individual's rights, the Company's legal duties, or other privacy practices stated in the notice.

v.A statement that the Company reserves the right to change the terms of its NPP and to make the new NPP provisions effective for all PHI that it maintains, before issuing the revised NPP and a statement that describes how the Company will provide individuals with a revised NPP.

e.Contact Information. The NPP must contain a point of contact for further information about the Company’s privacy policies and for making complaints.

4.Revisions to Notice of Privacy Practices. The Company must promptly revise and distribute its NPP whenever there is a material change to the uses or disclosures, the individual's rights, the Company’s legal duties, or other privacy practices stated in the notice. Except when required by law, a material change to any term of the NPP may not be implemented prior to the effective date of the NPP in which such material change is reflected.

5.Specific requirements for electronic notice.

i.If the Company maintains a website that provides information regarding customer services or benefits, it will post its NPP prominently on, and make it available electronically from, its website.

ii.The Company may provide the notice to Individual by email if the individual has agreed or requested and has not subsequently withdrawn that agreement.

iii.Provision of electronic notice by the Company will satisfy the provision requirements of Section 4 above when timely made in accordance with that Section.

iv.A paper copy of the notice must be timely provided by the Company if the Company knows that the e-mail transmission has failed and when requested by the recipient of an electronic notice.

ENFORCEMENT

Failure to follow any provisions of this policy may result in disciplinary action up to and including termination, in accordance with the Sanctions, Enforcement and Discipline policy (TXCOM-040).

EXCEPTIONS TO POLICY

Any exceptions to these policies must be for valid patient care or a business reason and must be approved by the Clinical Governance Board and/or the Compliance Committee, as appropriate.

ATTACHMENTS & FORMS

∙TXCOM-019.00.a01 - Notice of Privacy Practices Document

REFERENCES

∙TXCOM-040 – Sanctions, Enforcement and Discipline