NOTICE OF PRIVACY PRACTICES
THIS InTeleDerm NOTICE OF PRIVACY PRACTICES DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This notice applies to the InTeleDerm® medical service for the website located at http://www.InTeleDerm.com. The website provides teledermatology medical services through the website and the mobile application of the same name.
InTeleDerm is required by law as a business associate of the participating dermatologists (“Participants”) to maintain the privacy of Protected Health Information (PHI) and to provide individuals with notice of its privacy practices and legal duties. This notice explains the following: 1) the uses and disclosures of your PHI which may be made by InTeleDerm or its designee; 2) your individual rights; and 3) InTeleDerm’s legal duties pertaining to your PHI.
PHI means individually identifiable information created or received by InTeleDerm or its designee that relates to your past, present, or future physical or mental health or condition, the provision of health care to you, or the past, present, or future payment for the provision of health care to you.
By submitting your information to InTeleDerm using the Website in order to request teledermatology medical services, your PHI will be made available online through the InTeleDerm service and the website. Participants will have access to your PHI by using the InTeleDerm Service through the Website to review your request for teledermatology medical dermatology services. InTeleDerm will have access to your PHI as the administration of the service. InTeleDerm’s designated payment processor will have access to your PHI for use in connection with payment related activities. Other third parties may have access to your PHI either to fulfill healthcare operations of the participants or as a result of a valid authorization which you have granted.
The effective date of this Notice is 03/28/2015. InTeleDerm is required to abide by the terms of this notice which are currently in effect, but reserves the right to change its privacy practices as required or permitted by the privacy regulations of the Health Insurance Privacy and Accountability Act of 1996 (“HIPAA Privacy Rule”) and other applicable law. InTeleDerm also reserves the right to revise and distribute this Notice whenever there is a material change to the uses or disclosures of PHI, your individual rights pertaining to your PHI, InTeleDerm’s legal duties, or InTeleDerm’s privacy practices.
A. MINIMUM NECESSARY AND INCIDENTAL USES AND DISCLOSURES
Minimum Necessary. InTeleDerm has implemented policies and procedures which limit how much PHI is used, disclosed, and requested for certain purposes. These policies and procedures reasonably limit who within InTeleDerm has access to PHI, and under what conditions, based on who needs access to perform their job duties for InTeleDerm. Certain incidental uses and disclosures of PHI are permitted since InTeleDerm has reasonable safeguards and minimum necessary policies and procedures to protect your privacy. The minimum necessary standard does not apply to disclosures among health care providers for treatment purposes.
When using or disclosing PHI or when requesting PHI from another entity covered under the HIPAA Privacy Rule, InTeleDerm will make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request unless any of the following apply: (i) the uses, disclosures, or requests are made by a health care provider for treatment; (ii) the uses or disclosures are provided to you as permitted under the HIPAA Privacy Rule; (iii) the disclosures are made pursuant to a valid written authorization; (iv) the disclosures are made to the Secretary of the U.S. Department of Health and Human Services; (v) the uses or disclosures are required by law; or (vi) the uses or disclosures are required for compliance with the HIPAA Privacy Rule.
Incidental Uses and Disclosures Permitted. The HIPAA Privacy Rule permits certain incidental uses and disclosures of PHI which may occur as a by-product of another permissible or required use or disclosure since InTeleDerm has in place reasonable safeguards and minimum necessary policies and procedures to protect your privacy. An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the HIPAA Privacy Rule.
B. USES & DISCLOSURES OF PHI NOT REQUIRING AUTHORIZATION OR OPPORTUNITY TO OBJECT
USES AND DISCLOSURES FOR TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS
InTeleDerm will use or disclose your PHI for treatment, payment, or health care operations. Disclosures are made to others who are subject to the HIPAA Privacy Rule and who are also involved in your health care or with vendors, agents, or subcontractors with whom we have contracted to assist us in providing health care services.
InTeleDerm may also use or disclose your PHI without your authorization and without giving you an opportunity to agree or object in the following instances:
• When required by law;
• For public health activities and purposes as authorized by law to collect or receive such information (e.g., public health agency requesting statistics concerning a chronic disease);
• For cases of abuse or neglect (e.g., to a government agency, social service agency, or protective services agency);
• For health oversight activities to a public health authority (e.g., audit by an agency);
• For judicial and administrative proceedings (e.g., subpoena or court order);
• For a law enforcement purpose to a law enforcement official;
• For workers’ compensation purposes (e.g., InTeleDerm may need to report information which is relevant to any job-related injuries that by state law are deemed to be involved in workers’ compensation coverage);
• For sharing a limited data set with third parties, subject to a data use agreement;
• For specific government requirements or emergencies (e.g., national security and intelligence activities);
• To avert serious threat or safety (e.g., in an emergency);
• To business associates who perform services on behalf of InTeleDerm;
• When required by the Secretary of the U.S. Department of Health and Human Services to investigate HIPAA compliance; and
• When contacting you about health-related benefits and services that may be of interest to you, where applicable.
C. USES AND DISCLOSURES REQUIRING WRITTEN AUTHORIZATION
Other uses and disclosures of your PHI will be made only with your written authorization, such as sharing your PHI obtained by InTeleDerm or its designees with certain third parties. If you give InTeleDerm written authorization to use or disclose your PHI for a purpose that is not described in this Notice, then you may revoke it in writing at any time unless: (1) InTeleDerm has taken action in reliance on your authorization; or (2) the authorization was obtained as a condition of obtaining insurance coverage and other law provides the insurer with the right to contest a claim under the policy or the policy itself provides for such a right.
D. USES AND DISCLOSURES OF DE-IDENTIFIED INFORMATION
As permitted by the HIPAA Privacy Rule, InTeleDerm may use de-identified information (which consists of information which does not identify any individual) for any use or disclosure in its sole and exclusive discretion. De-identified information is not PHI and therefore is not subject to any protections under the HIPAA Privacy Rule.
E. YOUR RIGHTS
Right to Receive Confidential Communications. You have the right to request that InTeleDerm communicate your PHI to you through alternate means (e.g., alternate address or mode of communication). InTeleDerm will accommodate reasonable requests from you to receive communications of PHI from InTeleDerm by alternative means or at alternative locations. Electronic communications such as e-mail and facsimile are not completely secure. InTeleDerm is not responsible for incorrect e-mail addresses or facsimile numbers.
Right to Access Your PHI. You generally have the right of access to inspect and obtain a copy of your PHI which InTeleDerm collects or maintains in its files.
Providing access to PHI if the request is granted. InTeleDerm will provide the access requested, including inspection or obtaining a copy of your PHI. InTeleDerm will provide you with access to your PHI in the form or format requested if feasible, in a readable hardcopy form, or another form as agreed by InTeleDerm and you.
InTeleDerm may provide you with a summary of your PHI in lieu of providing access to your PHI or may provide an explanation of your PHI if you agree in advance to such summary or explanation and you agree in advance to the fees imposed, if any, by InTeleDerm for such summary or explanation.
InTeleDerm will provide you with access to your PHI within thirty (30) days after receipt of the request if your PHI is maintained on site or within sixty (60) days if maintained off-site. InTeleDerm will arrange with you a convenient time and place to inspect or obtain a copy or otherwise mail you a copy of your PHI at your request. InTeleDerm may charge you for the cost of copying the materials and any postage involving your requested PHI. InTeleDerm may discuss with you the scope, format, and other aspects of your request as necessary to process your request.
InTeleDerm will not provide you access, however, to certain PHI, namely, information compiled for use in civil, criminal, or administrative proceedings, and health information that is covered by federal laws governing clinical laboratories.
Legal duties of InTeleDerm for denial of access to PHI. If InTeleDerm denies access to PHI, in whole or in part, then InTeleDerm will do the following:
• Make other PHI that was requested accessible to the extent possible;
• Provide a timely, written denial to you within thirty (30) days after receipt of the request if your PHI is maintained on-site or within sixty (60) days if maintained off-site. But, if InTeleDerm is unable to comply with this time frame, then InTeleDerm may extend the time for thirty (30) days from the initial time period. However, in such a case, InTeleDerm will provide you with a written statement of the reasons for the delay and the date by which InTeleDerm will complete its action on the request within the initial time period.
• The denial will be written in plain language and will include the basis for the denial. If the denial is reviewable, then the denial will provide a statement of your rights to have the denial reviewed and include a description of how you may complain to InTeleDerm either through its procedures or the procedures as designated by the Secretary of the U.S. Department of Health and Human Services. The denial will also provide the name, or title, and telephone number or office, where applicable.
Other duties of InTeleDerm regarding access to PHI. If InTeleDerm does not maintain your PHI that is the subject of your request for access and InTeleDerm knows where the requested PHI is maintained, then InTeleDerm will inform you of where to direct the request for access to your PHI.
Reviewable grounds for denial of access to PHI. InTeleDerm may deny you access for any of the following reasons; however, you will have the right to have the denial reviewed in the following instances:
• A licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of yourself or another person;
• Your PHI makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person; or
• The request for access is made by your personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to you or another person.
Review of denial regarding access to PHI. If your request is denied and the grounds for denial are reviewable, then you have the right to have the denial reviewed by a licensed health care professional who is designated by InTeleDerm to act as a reviewing official and who did not participate in the original decision to deny access to your PHI. InTeleDerm will provide you with instructions for requesting a review of the denial (if the grounds are reviewable). InTeleDerm will either provide access or deny access in accordance with the determination of the reviewing official.
Right to Amend PHI. You have the right to request that InTeleDerm amend your PHI or a record about you so long as InTeleDerm maintains your PHI in the designated record set. Any request must be made in writing and you must provide a reason to support a requested amendment. InTeleDerm will act on your request within sixty (60) days after the receipt of such a request. If it cannot comply with the request within the initial sixty (60) days, then it may extend the time for an additional thirty (30) days provided that InTeleDerm has informed you in writing of the reasons for the delay and the date by which InTeleDerm will act on your request. InTeleDerm may grant or deny your request to amend your PHI.
Grant of the amendment. If InTeleDerm grants your request to amend your PHI, then it will obtain from you an identification of relevant persons (or entities) with whom the amendment needs to be shared. InTeleDerm will also make the appropriate amendment to your PHI or record that is the subject of the request for amendment by, at minimum, identifying the records in the designated record set that are affected by the amendment and appending or otherwise providing a link to the location of the amendment.
Denial of the amendment. If InTeleDerm denies your request to amend your PHI, then the denial will be written in plain language and contain the basis for the denial. The denial will include a description of your right to disagree with the denial and how you may submit a statement of disagreement. InTeleDerm may prepare a written rebuttal to your statement of disagreement and provide you with a copy.
However, if you choose not to submit a statement of disagreement, then you may request that InTeleDerm provide your request for amendment and the denial with any future disclosure of your PHI that is subject to the amendment.
Right to Receive an Accounting of PHI Disclosures. You have the right to request an accounting of disclosures of PHI made by InTeleDerm in the six (6) years prior to the date of your request except in the following instances (unless otherwise required by law):
• To carry out treatment, payment and health care operations;
• To you about your own PHI;
• Incident to a permitted or required use or disclosure;
• Pursuant to an authorization;
• To persons involved in your care or for other notification purposes;
• For national security or intelligence purposes;
• Occurred prior to the HIPAA compliance date for InTeleDerm;
• To correctional institutions or law enforcement officials in custodial situations; or
• As part of a limited data set in accordance with 45 CFR 164.514(e).
Suspension of individual right to receive an accounting of certain disclosures which are made to a health oversight agency or law enforcement officials. InTeleDerm will suspend your individual right to receive an accounting of certain disclosures to a health oversight agency or law enforcement official if the agency or official provides InTeleDerm with a written statement that the accounting would be reasonably likely to impede the agency’s activities and specifies the time for which the suspension is required.
However, if the agency or official statement as described above is made orally, then InTeleDerm will: (1) document the statement, including the identity of the agency or official making the statement; (2) temporarily suspend your right to an accounting of disclosures subject to the statement; and (3) limit the temporary suspension to no longer than thirty (30) days from the date of the oral statement, unless a written statement as described above is submitted during that time.
When accounting will be provided. InTeleDerm generally will act on the request for an accounting no later than sixty (60) days after receipt. However, if InTeleDerm cannot act on the request within this period of time, it will send you a written explanation of why it cannot act on the request within the timeframe and also the date by which it will act on the request.
Fees that may be charged for an accounting. InTeleDerm will provide the first accounting to you in any twelve (12) month period without charge. However, InTeleDerm may impose a reasonable, cost-based fee for each subsequent request for an accounting by you within the twelve (12) month period, provided that InTeleDerm has informed you in advance of the fee and provides you with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or otherwise reduce the fee.
Right to Copy of Notice. You have the right to obtain a copy of this Notice upon request even if you agreed to receive the Notice electronically.
Procedure for Exercising Your Rights. If you want to exercise any of the rights described in this Notice, please contact the Privacy Officer using the contact information listed below. The Privacy Officer will give you the necessary information and forms for you to complete and return. In some cases, you may be charged a cost-based fee to carry out your request.
A Note Regarding Your Personal Representative. Your rights may be exercised by a person who qualifies as your personal representative in accordance with 45 CFR 164.502(g). If under applicable law a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, InTeleDerm will treat such person as a personal representative with respect to PHI relevant to such personal representation.
Exceptions may apply in certain circumstances involving minor children and in cases involving suspected domestic violence, abuse or neglect by the personal representative such as when InTeleDerm has a reasonable belief that the individual has been or may be subjected to domestic violence, abuse, or neglect by such person or treating such person as the personal representative could endanger the individual and InTeleDerm, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual’s personal representative.
F. COMPLAINTS AND ADDITIONAL INFORMATION
If you believe your privacy rights have been violated by InTeleDerm, you have the right to file a complaint with InTeleDerm’s Privacy Officer or the Secretary of the U.S. Department of Health and Human Services. You will not be retaliated against if you choose to file a complaint with InTeleDerm or with the U.S. Department of Health and Human Services. You may also contact InTeleDerm’s Privacy Officer to request additional copies of this Notice or to receive more information about the matters covered by this Notice, and to review a denial of access of PHI.
Contacting the Privacy Officer.
Attn: Privacy Officer
21346 Brewers Farm Lane
Carrollton, VA 23314
Contacting Health and Human Services. If you wish to file a complaint, you may do so by either sending the complaint to the appropriate Office of Civil Rights Regional office or Office of Civil Rights headquarters; alternatively, you may file a complaint online at the www.hhs.gov website.