EnWella Health Platform Effective Date: [INSERT DATE]
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This Notice of Privacy Practices ("Notice") describes how [PRACTICE NAME] ("we," "us," "our," or "Practice"), using the EnWella electronic health record platform, may use and disclose your protected health information ("PHI") to carry out treatment, payment, and health care operations, and for other purposes that are permitted or required by law.
This Notice also describes your rights to access and control your PHI and our obligations regarding the use and disclosure of your PHI.
We are required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, to: - Maintain the privacy and security of your protected health information - Provide you with this notice of our legal duties and privacy practices - Follow the terms of this Notice currently in effect - Notify you following a breach of your unsecured PHI
Protected Health Information (PHI) is information about you — including demographic information, medical history, diagnosis, treatment information, lab results, insurance information, and other health-related information — that can reasonably be used to identify you and that relates to your past, present, or future: - Physical or mental health condition - Provision of health care to you - Payment for your health care
Treatment We may use and disclose your PHI to provide, coordinate, or manage your health care and related services. For example, we may share your medical records with a specialist who is treating you, or with a hospital if you are admitted for care.
Payment We may use and disclose your PHI to obtain reimbursement for the treatment and services you receive. For example, we may submit claims to your insurance company and share information necessary to process those claims, including diagnoses, treatments, and dates of service.
Health Care Operations We may use and disclose your PHI for health care operations. These activities are necessary to run our practice and improve the quality of care we provide. For example: - Quality assessment and improvement activities - Training healthcare students, residents, and staff - Licensing, accreditation, and credentialing activities - Business management and general administrative activities - Conducting or arranging for legal, audit, accounting, or consulting services
Treatment Alternatives and Reminders We may use your PHI to contact you to remind you of upcoming appointments or to provide information about treatment alternatives or other health-related benefits and services that may be of interest to you.
Business Associates We may share your PHI with third parties ("Business Associates") that perform services on our behalf, such as billing companies, IT service providers (including EnWella), and transcription services. Our Business Associates are required to protect the privacy of your PHI under contracts that comply with HIPAA.
Required by Law We will disclose your PHI when required to do so by federal, state, or local law.
Public Health Activities We may disclose your PHI for public health activities, including: - Reporting of diseases, injuries, or vital statistics to public health authorities - Reporting adverse drug reactions to the FDA - Notifying appropriate authorities if we believe you may be a victim of abuse or neglect, in accordance with applicable law - Notifying the appropriate authority about certain workplace-related conditions or injuries
Health Oversight Activities We may disclose your PHI to health oversight agencies (such as state health departments or the Centers for Medicare & Medicaid Services) for oversight activities authorized by law, including audits, investigations, inspections, and licensure.
Judicial and Administrative Proceedings We may disclose your PHI in the course of a judicial or administrative proceeding, including in response to a court order, subpoena, discovery request, or other lawful process.
Law Enforcement We may disclose your PHI to law enforcement officials for law enforcement purposes, subject to applicable legal requirements and limitations.
Serious Threats to Health or Safety We may disclose your PHI when necessary to prevent or lessen a serious and imminent threat to the health or safety of you or another person, to the extent required or permitted by law.
Workers' Compensation We may disclose your PHI to comply with laws related to workers' compensation or similar programs established by law.
Military and Veterans If you are a member of the armed forces, we may release your PHI as required by military command authorities.
Correctional Institutions If you are an inmate of a correctional institution or in the custody of a law enforcement official, we may release your PHI to the correctional institution or law enforcement official for certain purposes.
Research We may use or disclose your PHI for research purposes when the research has been approved by an institutional review board (IRB) or privacy board that has established protocols to ensure the privacy of your PHI, or with your written authorization.
Organ and Tissue Donation If you are an organ donor, we may disclose PHI to organizations that facilitate organ procurement, banking, or transplantation.
National Security and Intelligence We may disclose your PHI to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.
Coroners and Funeral Directors We may disclose your PHI to a coroner, medical examiner, or funeral director as necessary to carry out their duties.
We will only use or disclose your PHI for the following purposes with your written authorization:
If you provide written authorization, you may revoke it at any time in writing. We will stop using or disclosing your PHI after we receive your written revocation, except where we have already acted in reliance on the authorization.
Certain categories of PHI are subject to heightened privacy protections under federal or state law. These include:
Mental Health and Substance Use Records related to substance use disorder treatment may be subject to additional restrictions under federal law (42 C.F.R. Part 2) and state law, which may be more protective than HIPAA. We will comply with all applicable laws in handling these records.
HIV/AIDS Information Many states require special authorization for disclosure of HIV/AIDS test results and diagnosis information. We comply with all applicable state law in this regard.
Reproductive Health Information related to reproductive health care (including abortion, contraception, sterilization, and fertility treatment) may be subject to heightened protections under state law. We comply with applicable state law and support patients' rights under applicable law.
Genetic Information Your genetic information is PHI and may not be used for underwriting purposes under the Genetic Information Nondiscrimination Act (GINA) and HIPAA.
Minor Patients State law governs the extent to which parents and guardians may access the PHI of minor patients, particularly for sensitive services (reproductive health, mental health, substance use). We will comply with applicable state law.
You have the following rights with respect to your PHI:
You have the right to inspect and receive a copy of your PHI maintained in a designated record set. We may charge a reasonable cost-based fee for paper copies; electronic records provided electronically should be made available at no or minimal charge.
To request access, submit a written request to: [PRIVACY_OFFICER_CONTACT]
We will provide access or notify you of our decision within 30 days of your request (with one 30-day extension for good cause).
We may deny your request in limited circumstances (e.g., if the information was compiled in anticipation of litigation, or if access could endanger your life or the life of another). You may request that we review a denial.
If you believe that your PHI is incorrect or incomplete, you may ask us to amend the information. To request an amendment, submit a written request with your reason for the amendment to: [PRIVACY_OFFICER_CONTACT]
We will respond within 60 days (with one 30-day extension for good cause). We may deny the request if the PHI was not created by us, is not part of our records, is not available for inspection, or is accurate and complete.
You may request a list of disclosures we have made of your PHI for purposes other than treatment, payment, health care operations, or disclosures you authorized. This accounting covers disclosures made in the previous six years.
To request an accounting, submit a written request to: [PRIVACY_OFFICER_CONTACT]
The first accounting in any 12-month period is free; subsequent requests may be subject to a reasonable fee.
You may request that we restrict how we use or disclose your PHI for treatment, payment, or health care operations, or with family members or others involved in your care.
We are required to agree to your request if: - The disclosure is to a health plan for purposes of payment or health care operations - The PHI pertains solely to a health care item or service for which you or someone on your behalf (other than your health plan) paid in full
We are not required to agree to other restriction requests, but if we agree, we will comply unless the information is needed to provide you emergency treatment.
To request restrictions, contact: [PRIVACY_OFFICER_CONTACT]
You may request that we communicate with you about your PHI in a certain way or at a certain location (e.g., that we send appointment reminders to a different address or phone number). We will accommodate reasonable requests without requiring you to explain your reasons.
To request confidential communications, contact: [PRIVACY_OFFICER_CONTACT]
We are required to notify you if there is a breach of your unsecured PHI. We will notify you by first-class mail (or email if you have agreed to electronic notice) within 60 days of discovering the breach.
You may request a paper copy of this Notice at any time, even if you received it electronically.
If we use your PHI for fundraising activities, we will provide you with an opportunity to opt out of receiving future fundraising communications. You may opt out at any time.
We are required to: - Maintain the privacy of your PHI - Provide you with this Notice of our legal duties and privacy practices - Abide by the terms of this Notice currently in effect - Not use or disclose your PHI other than as described in this Notice or as required by law - Notify you in the event of a breach of your unsecured PHI
We reserve the right to change our privacy practices and this Notice at any time, provided such changes are permitted by law. We reserve the right to apply the new privacy practices to PHI we have already created or received, as well as to PHI we create or receive after the date of the revision. If we make a material change, we will provide a revised Notice and post it in our facilities and on our website. We will provide the new Notice to you on your next visit or upon your request.
To exercise any of your rights described in this Notice, contact our Privacy Officer:
Privacy Officer [PRACTICE NAME] [PRACTICE ADDRESS] Phone: [PRACTICE_PHONE] Email: [PRIVACY_OFFICER_EMAIL]
You will not be retaliated against for exercising your privacy rights or for filing a complaint.
If you believe your privacy rights have been violated, you may file a complaint with:
1. Our Privacy Officer (contact information above)
2. The U.S. Department of Health and Human Services Office for Civil Rights 200 Independence Avenue, S.W. Washington, D.C. 20201 Hotline: 1-800-368-1019 TTY: 1-800-537-7697 Website: www.hhs.gov/ocr/privacy/hipaa/complaints
3. Your State Health Department or Attorney General's Office (for state-law privacy violations)
This Notice is effective as of [INSERT DATE] and replaces all previously issued Notices of Privacy Practices.
[PRACTICE NAME] — Powered by EnWella EnWella — Your health, elevated.
ATTORNEY REVIEW NOTICE: This Notice of Privacy Practices template must be reviewed by a licensed healthcare attorney before use. State law may impose additional requirements beyond HIPAA (particularly in California, New York, Texas, Illinois, and other states with comprehensive health privacy statutes). The Notice must be customized to reflect the actual privacy practices of the specific covered entity.