NOTICE OF PRIVACY PRACTICES
THIS InTeleDerm NOTICE OF
PRIVACY
PRACTICES
DESCRIBES
HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND
DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW
IT CAREFULLY.
Introduction
This notice applies to the InTeleDerm® medical
service for the website located at http://www.InTeleDerm.com. The website
provides teledermatology medical services through the website and the mobile
application of the same name.
InTeleDerm is required by law as a business associate of the
participating dermatologists (“Participants”) to maintain the privacy of
Protected Health Information (PHI) and to provide individuals with notice of
its privacy practices and legal duties. This notice explains the following: 1)
the uses and disclosures of your PHI which may be made by InTeleDerm or its
designee; 2) your individual rights; and 3) InTeleDerm’s legal duties
pertaining to your PHI.
PHI means individually identifiable information created or
received by InTeleDerm or its designee that relates to your past, present, or
future; physical or mental health or
condition, the provision of health care to you, or the past, present, or future
payment for the provision of health care to you.
By submitting your information to InTelDerm
using the Website in order to request teledermatology medical services, your
PHI will be made available online through the InTeleDerm service and the
website. Participants will have access to your PHI by using the InTeleDerm
Service through the Website review your request for teledermatology medical
dermatology services. InTeleDerm will have access to your PHI as the
administration of the service. InTeleDerm’s designated payment processor
will have access to your PHI for use in connection with payment related
activities. Other third parties may have access to your PHI either to
fulfill healthcare operations of the participants or as a result of a valid
authorization which you have granted.
The effective date of this
03/28/2015.
InTeleDerm
is required to abide by the terms of this notice which are currently in effect,
but reserves the right to change its privacy practices as required or permitted
by the privacy regulations of the Health Insurance Privacy and Accountability
Act of 1996 (“HIPAA Privacy Rule”) and other applicable law. InTeleDerm
also reserves the right to revise and distribute this Notice whenever there is
a material change to the uses or disclosures of PHI, your individual rights
pertaining to your PHI, InTeleDerm’s legal duties, or
InTeleDerm’sprivacy
practices.
provide
you
with a summary of your PHI in lieu of providing access to your
PHI or
A
.
MINIMUM NECESSARY AND INCIDENTAL
USES AND DISCLOSURES
Minimum Necessary.
InTeleDerm
has implemented policies and
procedures which limit how much PHI is used, disclosed, and requested for
certain purposes. These policies and procedures reasonably limit who
within InTeleDerm has access to
PHI, and under what conditions, based on who needs access to perform their job
duties for InTeleDerm.
Certain incidental uses and disclosures of PHI are permitted since InTeleDerm has reasonable safeguards
and minimum necessary policies and procedures to protect your privacy.
The minimum necessary standard does not apply to disclosures among health care
providers for treatment purposes.
When using or disclosing PHI or when requesting PHI from another
entity covered under the HIPAA Privacy Rule,InTeleDerm will make reasonable efforts to limit PHI to the
minimum
necessary
to accomplish the intended purpose of the use, disclosure,
or request unless any of the following apply: (i) the uses,
disclosures, or requests are made by a health care provider for treatment; (ii)
the uses or disclosures are provided to you as permitted under the HIPAA
Privacy Rule; (iii) the disclosures are made pursuant to a valid written
authorization; (iv) the disclosures are made to the Secretary of the U.S.
Department of Health and Human Services; (v) the uses or disclosures are
required by law; or (vi) the uses or disclosures are required for compliance
with the HIPAA Privacy Rule.
Incidental Uses and Disclosures Permitted
.
The HIPAA Privacy Rule permits certain incidental uses and disclosures of PHI
which may occur as a by-product of another permissible or required use or
disclosure since InTeleDerm has
in place reasonable safeguards and minimum necessary policies and procedures to
protect your privacy. An incidental use or disclosure is a secondary use
or disclosure that cannot reasonably be prevented, is limited in nature, and
that occurs as a result of another use or disclosure that is permitted by the
HIPAA Privacy Rule.
B
.
USES & DISCLOSURES OF PHI NOT
REQUIRING AUTHORIZATION OR OPPORTUNITY TO OBJECT
USES AND
DISCLOSURES FOR TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS
InTeleDerm
will
use or disclose your PHI for treatment, payment, or health care
operations. Disclosures are made to others who are subject to the HIPAA
Privacy Rule and who are also involved in your health care or with
vendors, agents, or subcontractors with whom we have contracted to assist us in
providing health care services.
|
InTeleDerm may also use or disclose your PHI without your
authorization and without giving you an opportunity to agree or object in the
following instances:
• When
required by law;
• For
public health activities and purposes as authorized by law to collect or
receive such information (e.g., public health agency requesting statistics
concerning a chronic disease);
• For
cases of abuse or neglect (e.g., to a government agency, social service agency,
or protective services agency);
• For
health oversight activities to a public health authority (e.g., audit by an
agency);
• For
judicial and administrative proceedings (e.g., subpoena or court order);
• For
a law enforcement purpose to a law enforcement official;
• For
workers’ compensation purposes (e.g., InTeleDerm
may need to report information which is relevant to any job-related injuries
that by state law are deemed to be involved in workers’ compensation coverage);
• For
sharing a limited data set with third parties, subject to a data use agreement;
• For
specific government requirements or emergencies (e.g., national security and
intelligence activities);
• To
avert serious threat or safety (e.g., in an emergency);
• To
business associates who perform services on behalf ofInTeleDerm;
• When
required by the Secretary of the U.S. Department of Health and Human Services
to investigate HIPAA compliance; and
• When
contacting you about health-related benefits and services that may be of
interest to you, where applicable.
C.
USES AND
DISCLOSURES REQUIRING WRITTEN AUTHORIZATION
Other uses and disclosures of your PHI will be made only with
your written authorization, such as sharing your PHI obtained by INTELEDERM or
its designees with certain third parties. If you give INTELEDERM written
authorization to use or disclose your PHI for a purpose that is not described
in this Notice, then you may revoke it in writing at any time unless: (1) InTeleDerm has taken action in
reliance on your authorization; or (2) the authorization was obtained as a
condition of obtaining insurance coverage and other law provides the insurer
with the right to contest a claim under the policy or the policy itself
provides for such a right.
D.
USES AND
DISCLOSURES OF DE-IDENTIFIED INFORMATION
As
permitted by the HIPAA Privacy Rule, InTeleDerm
may use de-identified information (which consists of information which does not
identify any individual) for any use or disclosure in its sole and exclusive
discretion. De-identified information is not PHI and therefore is not
subject to any protections under the HIPAA Privacy Rule.
E
.
YOUR RIGHTS
Right to Receive Confidential
Communications
. You have the right to request that InTeleDerm communicate your PHI to
you through alternate means (e.g., alternate address or mode of communication).
InTeleDerm will accommodate
reasonable requests from you to receive communications of PHI from InTeleDerm by alternative means or at
alternative locations. Electronic communications such as e-mail and
facsimile are not completely secure.
InTeleDerm
is notresponsible for incorrect e-mail addresses or
facsimile numbers.
Right to Access Your PHI
. You generally have the
right of access to inspect and obtain a copy of your PHI which InTeleDerm collects or maintains in
its files.
Providing access to PHI if the request is granted
.
InTeleDerm will provide the access requested, including
inspection or obtaining
a copy of your PHI. InTeleDerm
will provide you with access to your PHI in the form or format requested if
feasible, in a readable hardcopy form, or another form as agreed by InTeleDerm and you.
InTeleDerm
may may provide an explanation of your PHI if you agree in
advance to such summary or explanation and you agree in advance to the fees
imposed, if any, by InTeleDerm for
such summary or explanation.
InTeleDerm
will
provide you with access to your PHI within thirty (30) days after receipt of
the request if your PHI is maintained on site or within sixty (60) days if
maintained off-site. InTeleDerm
will arrange with you a convenient time and place to inspect or obtain a copy
or otherwise mail you a copy of your PHI at your request. InTeleDerm may charge you for the
cost of copying the materials and any postage involving your requested
PHI.
InTeleDerm
may discuss with you the
scope, format, and other aspects of your request as necessary to process your
request.
InTeleDerm
will
not provide you access, however, to certain PHI, namely, information compiled
for use in civil, criminal, or administrative proceedings, and health
information that is covered by federal laws governing clinical laboratories.
Legal duties of
InTeleDerm
for denial of access to
PHI.
If InTeleDerm
denies access to PHI, in whole or in part, then InTeleDerm will do the following:
• Make
other PHI that was requested accessible to the extent possible;
• Provide
a timely, written denial to you within thirty (30) days after receipt of the
request if your PHI is maintained on-site or within sixty (60) days if
maintained off-site. But, if InTeleDerm
is unable to comply with this time frame, then InTeleDerm may extend the time for thirty (30) days from the
initial time period. However, in such a case, InTeleDerm will provide you with a written statement of the
reasons for the delay and the date by which InTeleDerm will complete its action on the request within the
initial time period.
• The
denial will be written in plain language and will include the basis for the
denial. If the denial is reviewable, then the denial will provide a
statement of your rights to have the denial reviewed and include a description
of how you may complain to InTeleDerm
either through its procedures or the procedures as designated by the Secretary
of the U.S. Department of Health and Human Services. The denial will also
provide the name, or title, and telephone number or office, where applicable.
Other duties of InTeleDerm
regarding access to PHI. If
InTeleDerm does not maintain
your PHI that is the subject of your request for access and INTELEDERM knows
where the requested PHI is maintained, then InTeleDerm will inform you of where to direct the request for
access to your PHI.
Reviewable grounds for denial of
access to PHI. InTeleDerm
may deny you access for any of
the following reasons; however, you will have the right to have the denial
reviewed in the following instances:
• A
licensed health care professional has determined, in the exercise of
professional judgment, that the access requested is reasonably likely to
endanger the life or physical safety of yourself or another person;
• Your
PHI makes reference to another person (unless such other person is a health
care provider) and a licensed health care professional has determined, in the
exercise of professional judgment, that the access requested is reasonably
likely to cause substantial harm to such other person; or
• The
request for access is made by your personal representative and a licensed
health care professional has determined, in the exercise of professional
judgment, that the provision of access to such personal representative is reasonably
likely to cause substantial harm to you or another person.
Review of denial regarding access to
PHI
. If your request is denied and the grounds for denial are reviewable, then you have the
right to have the denial reviewed by a licensed health care professional who is
designated by InTeleDerm to act
as a reviewing official and who did not participate in the original decision to
deny access to your PHI. InTeleDerm
will provide you with instructions for requesting a review of the denial (if
the grounds are reviewable). IN InTeleDerm
will either provide access or deny access in accordance with
the determination of the reviewing official.
Right to Amend PHI.
You
have the right to request that InTeleDerm
amend your PHI or a record about you so long as InTeleDerm maintains your PHI in the designated record
set. Any request must be made in writing and you must
provide a reason to support a requested amendment. InTeleDerm will act on your request
within sixty (60) days after the receipt of such a request. If it cannot
comply with the request within the initial sixty (60) days, then it may extend
the time for an additional thirty (30) days provided that InTeleDerm has informed you in
writing of the reasons for the delay and the date by which InTeleDerm will act on your
request. InTeleDerm may
grant or deny your request to amend your PHI.
Grant
of the amendment
. If InTeleDerm
grants your request to amend your PHI, then it will obtain from you an
identification of relevant persons (or entities) with whom the amendment needs
to be shared. InTeleDerm will
also make the appropriate amendment to your PHI or record that is the subject
of the request for amendment by, at minimum, identifying the records in the
designated record set that are affected by the amendment and appending or
otherwise providing a link to the location of the amendment.
Denial
of the amendment
. If InTeleDerm
denies your request to amend your PHI, then the denial will be written in plain
language and contain the basis for the denial. The denial will include a
description of your right to disagree with denial and how you may submit a
statement of disagreement. InTeleDerm
may prepare a written rebuttal to your statement of disagreement and provide
you with a copy.
However, if you choose not to submit a statement of
disagreement, then you may request that InTeleDerm
provide your request for amendment and the denial with any future disclosure of
your PHI that is subject to the amendment.
Right to Receive an Accounting of PHI
Disclosures
. You have the right to request an accounting of
disclosures of PHI made by InTeleDerm
in the six (6) years prior to the date of your request
except in the
following instances
(unless otherwise required by law):
• To
carry out treatment, payment and health care operations;
• To
you about your own PHI;
• Incident
to a permitted or required use or disclosure;
• Pursuant
to an authorization;
• To
persons involved in your care or for other notification purposes;
• For
national security or intelligence purposes;
• Occurred
prior to the HIPAA compliance date for InTeleDerm;
• To
correctional institutions or law enforcement officials in custodial situations;
or
• As
part of a limited data set in accordance with 45 CFR 164.514(e).
Suspension of individual right to
receive an accounting of certain disclosures which are made to a health
oversight agency or law enforcement officials. InTeleDerm
will
suspend your individual right to receive an accounting of certain disclosures
to a health oversight agency or law enforcement official if the agency or
official provides InTeleDerm
with a written statement that the accounting would be reasonably likely to
impede the agency’s activities and specifies a time for which the suspension
requires.
However,
if the agency or official statement as described above is made orally, then INTELEDERM
will: (1) InTeleDerm document the statement, including the identity of the
agency or official making the statement; (2) temporarily suspend your right to
an accounting of disclosures subject to the statement; and (3) limit the
temporary suspension to no longer than thirty (30) days from the date of the
oral statement, unless a written statement as described above is submitted
during that time
.
When accounting will be provided
. InTeleDerm
generally will act on the request for an accounting no later than sixty (60)
days after receipt. However, if InTeleDerm
cannot act on the request within this period of time, it will send you a
written explanation of why it cannot act on the request within the timeframe
and also the date by which it will act on the request.
Fees that may be charged for an accounting.
InTeleDerm will provide the first accounting
to you in any twelve (12) month period without charge. However, InTeleDerm may impose a reasonable,
cost-based fee for each subsequent request for an accounting by you within the
twelve (12) month period, provided that InTeleDerm
has informed you in advance of the fee and provides you with an opportunity to
withdraw or modify the request for a subsequent accounting in order to avoid or
otherwise reduce the fee.
Right to Copy of Notice.
You
have the right to obtain a copy of this Notice upon request even if you agreed
to receive the Notice electronically.
Procedure for Exercising Your Rights
.
If you want to exercise any of the rights described in this Notice, please
contact the Privacy Officer using the contact information listed below.
The Privacy Officer will give you the necessary information and forms for you
to complete and return. In some cases, you may be charged a cost-based
fee to carry out your request.
A Note Regarding Your Personal Representative.
Your
rights may be exercised by a person who qualifies as your personal
representative in accordance with 45 CFR 164.502(g). If under applicable
law a person has authority to act on behalf of an individual who is an adult or
an emancipated minor in making decisions related to health care, InTeleDerm will treat such person as
a personal representative with respect to PHI relevant to such personal
representation.
Exceptions may apply in certain circumstances involving minor
children and in cases involving suspected domestic violence, abuse or neglect
by the personal representative such as when InTeleDerm has a reasonable belief that the individual has been
or may be subjected to domestic violence, abuse, or neglect by such person or
treating such person as the personal representative could endanger the
individual and INTELEDERM, in the exercise of professional judgment, decides
that it is not in the best interest of the individual to treat the person as
the individual’s personal representative.
F
.
COMPLAINTS AND ADDITIONAL
INFORMATION
If you believe your privacy rights have been violated by InTeleDerm,you
have the right to file a complaint with InTeleDerm’s
Privacy Officer or the Secretary of the U.S. Department of Health and Human
Services. You will not be retaliated against you if you choose to file a
complaint with InTeleDerm or
with the U.S. Department of Health and Human Services. You may also
contact InTeleDerm’s Privacy
Officer to request additional copies of this Notice or to receive more
information about the matters covered by this Notice, and to review a denial of
access of PHI.
Contacting
the Privacy Officer.
InTeleDerm.d/b/aInTeleDerm
Attn:
Privacy Officer
21346 Brewers
Farm Lane
Carrollton,
VA 23314
Contacting Health and Human Services
.
If you wish to file a complaint, you may do so by either sending the complaint
to the appropriate Office of Civil Rights Regional office or Office of Civil
headquarters; alternatively, you may file a complaint online at the www.hhs.gov
website.
InTeleDerm