SavesTheDay Dermatology Privacy Practice and Security Notice - Effective September 2014

At SavesTheDay Dermatology we respect your privacy and take safeguarding it very seriously. From the first moment of contact, when you make an appointment, through the diagnosis and treatment of your concerns, we are obligated on both ethical and legal grounds to protect information about you while it is being exchanged and stored. Federal law sets standards for health care related information, and our privacy policy abides by those standards. In general, the law permits the sharing of health care information between health care providers directly involved in your care; between providers, insurance claim clearinghouses, and health care insurers that provide financial coverage for the services rendered to you; and between health care providers and law enforcement or public health and safety officials. The law does not permit the sharing of health care information with any other person or entity unless you give us written permission to do so.

The transmission and storage of your health care and demographic information is guarded by security measures we implement. At SavesTheDay Dermatology we use an Electronic Health Records (EHR) system certified by CCHIT (the Certification Commission for Health Information Technology), a federally recognized non-profit organization that sets quality standards for EHR systems. We do not keep physical paper charts. All information is stored on our own in-house server; we do not use an outside facility such as a server farm or cloud computing. To provide an extra measure of data protection, the information on the server is backed up twice a day to a local tape drive and also to an outside facility provided by our EHR vendor, with whom we have a third-party security agreement. The EHR requires our staff to enter a password to access the system, and the system automatically logs users out after 15 minutes of inactivity. In addition, each staff member has access only to the part of your record that pertains to the tasks that staff member performs. For example, our receptionists do not have access to the doctor's notes about your health and illnesses, only to the demographic information collected from you to make the appointment and to bill you or your insurance company for the services. The computer components that make up our private network hosting the EHR are protected against intrusion both from the internet and from local wireless access attempts. The very few paper records we keep about you are those, such as consent forms bearing your signature, that require a physical record in order to be legally binding; all other paper is shredded after use.

Our Privacy Policy also extends to how we meet and speak with you when you come to our office. For example, we will address you only by your first name to protect your identity. We may ask you to write identifying information on a piece of paper so that other people in the waiting area cannot overhear you revealing your private information to us during registration. We will confine discussion about your health care to the patient rooms and will not engage you about it in the waiting room or other common areas. If you bring friends or family members to the office, we will offer you the option to be seen alone by the doctor while we host them in the waiting area. In general, we will always strive to disclose only the minimum necessary and reasonable amount of your protected private information, even when permitted to disclose more, unless we are required by law to disclose all of it. If you authorize us to disclose your private information, our release authorization form gives you the option to specify which part of your record you permit us to disclose.

We are committed to protecting your privacy rights with this Bill of Patient Rights:

We must obtain written permission from you to release health care and demographic information (individually identifiable protected health information) about you to any person or organization, unless that person or organization is permitted to receive it without your authorization under the Privacy Rule of the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA). The persons and organizations so permitted are those described above: providers directly involved in your care, the clearinghouses and insurers involved in payment for your care, and law enforcement or public health and safety officials.

We must notify you in writing, at the time of your first visit, of our privacy practices by presenting this Notice, which we will ask you to sign as proof that we presented it to you and that you consent to its content.

You have the right to ask us, in writing, to correct your medical record by amendment if you believe an error has occurred, and we must note your request in your record even if we disagree with the correction.

You have the right to ask us for an accounting of all disclosures of your private health care information to persons or organizations, other than the disclosures the law permits without specific authorization as listed above, for the six years prior to your request.

You have the right to inspect and obtain a copy of your health care information, except when access to that information may cause harm to you, in which case you have the right to a second opinion to confirm that risk of harm. You do not have a right to the physical means we use to store your private health care information, such as computers, servers, and backup tapes.

You have the right to evaluation and treatment regardless of whether you waive any rights granted to you by HIPAA or object to a practice that you believe, in good faith, violates the Privacy Rule.

The federal Privacy Rule takes precedence over (preempts) any state or local law that would provide less protection for your privacy, and we will abide by it except where preemption does not apply, as permitted by the Privacy Rule itself or by an exception granted by the U.S. Department of Health and Human Services.

You have the right to request to view or receive a copy of this Privacy Policy.

You have the right to request that your protected information be transmitted to you by any means, including means we do not consider secure, such as unencrypted e-mail. We must inform you if the method you request is not secure, but if you insist on it we must abide by your requested method.

We cannot market third-party products and services to you based on your private medical information unless you consent to that in writing. We cannot sell or provide access to your private medical information without your consent. The same standard applies to third-party contractors, such as electronic medical records providers and IT contractors, as well as to fundraisers. (Note to patients: we do not market to patients using PHI, but the law requires that we disclose these new rules to you.)

If required by law, we can provide immunization information about you to government authorities, but we must inform you if we do.

Information about patients who have been deceased for more than 50 years is no longer protected under the Privacy Rule. For more recently deceased patients, we may release PHI only to individuals who were directly involved in the care of, or payment for the care of, that person.

You have the right to request that we not submit diagnostic coding information to third-party payers as part of a claim if you pay us in full yourself (for example, in cash) for the service.

If a Medicare beneficiary requests a restriction on the disclosure of PHI to Medicare for a covered service and pays out of pocket for the service, we must also restrict the disclosure of PHI regarding the service to Medicare.

We must notify you if your PHI has been breached. The final rule changed which incidents are exceptions to the definition of "breach." Previously, an incident was excepted from the definition if the PHI used or disclosed was a limited data set that contained no birth dates or ZIP codes. Under the final rule, breaches of limited data sets, regardless of their content, must be handled like all other breaches of PHI.

If you believe that your health information privacy has been violated you can file a complaint with us in writing addressed to:

SavesTheDay Dermatology
M. Seyfzadeh
188 East 17th Street Suite 101
Costa Mesa, CA 92627

If we fail to or are unable to address the issue, you can contact the Office for Civil Rights of the U.S. Department of Health and Human Services. Please refer to the following webpage for instructions:
How to File a Complaint

For a condensed version of your rights, please refer to this pamphlet: Consumer Rights

For the complete legal text of the HIPAA Privacy Rule, see: HIPAA Privacy Rule

By signing your consent to this Privacy Practice and Security Notice, usually presented to you at the time of your first visit, you accept its provisions and acknowledge that we presented it to you.
