BLOOM PHYSICAL THERAPY PLLC
PRIVACY NOTICE
THIS NOTICE DESCRIBES HOW YOUR MEDICAL INFORMATION
MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO
THAT INFORMATION.
PLEASE REVIEW THIS NOTICE CAREFULLY.
PURPOSE
This Notice describes how health information about you may be used and disclosed and how you
can get access to this information. Please review this Notice carefully. Please note that to provide you with the best possible care and treatment, all professional staff involved in your treatment and employees involved in the health care operations of the Provider may have access to your records. Bloom Physical Therapy PLLC (“Provider”) is committed to maintaining the privacy of your protected health information (“PHI”), which includes electronic PHI, and which includes information about your medical condition and the care and treatment you receive from the Provider and other health care providers, all in accordance with the provisions of the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act, and their regulations (collectively, the “HIPAA Rules”). This Notice details how your PHI may be used and disclosed to third parties for purposes of your care, payment for your care, health care operations of the Provider, and for other purposes permitted or required by law and the HIPAA Rules. This Notice also details your rights regarding your PHI.
USE OR DISCLOSURE OF PHI
Your personal health record will be retained by the Provider for at least six years after your last
clinical contact with the Provider, unless a longer time frame is required by law. After that time has elapsed, the record will be destroyed or otherwise maintained in a way that protects your privacy. Until the records are destroyed, they may be used appropriately by the Provider (subject to any disclosure restrictions), for the following purposes without the need for a written authorization from you:
The Provider may use and/or disclose your PHI for purposes related to your care, payment for your care, and health care operations of the Provider. The following are examples of the types of uses and/or disclosures of your PHI that may occur. These examples are not meant to include all possible types of uses and/or disclosures.
Care - In order to provide, coordinate and manage your care, the Provider will provide your PHI to those health care professionals, whether on the Provider's staff or not, directly involved in your care so that they may understand your medical condition and needs and provide advice or treatment (e.g., a specialist or laboratory).
Payment - In order to get paid for some or all of the health care provided by the Provider, the Provider may provide your PHI, directly or through a billing service, to appropriate third party payors, pursuant to their billing and payment requirements.
Health Care Operations - In order for the Provider to operate in accordance with applicable law and in order for the Provider to provide quality and efficient care, it may be necessary for the Provider to compile, use and/or disclose your PHI. For example, the Provider may use your PHI in order to evaluate the performance of the Provider's personnel in providing care to you.
AUTHORIZATION NOT REQUIRED
The Provider may use and/or disclose your PHI, without a written Authorization from you, in the following instances:
De-identified Information - Your PHI is altered so that it does not identify you and, even without your name, cannot be used to identify you.
Business Associate - To a business associate, which is someone who the Provider contracts with to provide a service necessary for your treatment, payment for your treatment and health care operations (e.g., billing service or transcription service). The Provider will obtain satisfactory written assurance, in accordance with applicable law and the HIPAA Rules, that the business associate will appropriately safeguard your PHI and that the business associate will ensure its subcontractors, if any, appropriately safeguard your PHI as well.
To You or a Personal Representative - To you, or to a person who, under applicable law, has the authority to represent you in making decisions related to your health care.
Public Health Activities - Such activities include, for example, information collected by a public health authority, as authorized by law, to prevent or control disease, injury or disability. This includes reports of child abuse or neglect.
Food and Drug Administration - If required by the Food and Drug Administration to report adverse events, product defects or problems or biological product deviations, or to track products, or to enable product recalls, repairs or replacements, or to conduct post marketing surveillance.
Abuse, Neglect or Domestic Violence - To a government authority if the Provider is required by law to make such disclosure. If the Provider is authorized by law to make such a disclosure, it will do so if it believes that the disclosure is necessary to prevent serious harm or if the Provider believes that you have been the victim of abuse, neglect or domestic violence. Any such disclosure will be made in accordance with the requirements of law, which may also involve notice to you of the disclosure.
Health Oversight Activities - Such activities, which must be required by law, involve government agencies involved in oversight activities that relate to the health care system, government benefit programs, government regulatory programs and civil rights law. Those activities include, for example, criminal investigations, audits, disciplinary actions, or general oversight activities relating to the community's health care system.
Judicial and Administrative Proceeding - For example, the Provider may be required to disclose your PHI in response to a court order or a lawfully issued subpoena.
Law Enforcement Purposes - In certain instances, your PHI may have to be disclosed to a law enforcement official for law enforcement purposes. Law enforcement purposes include: (1) complying with a legal process (i.e., subpoena) or as required by law; (2) information for identification and location purposes (e.g., suspect or missing person); (3) information regarding a person who is or is suspected to be a crime victim; (4) in situations where the death of an individual may have resulted from criminal conduct; (5) in the event of a crime occurring on the premises of the Provider; and (6) a medical emergency (not on the Provider's premises) has occurred, and it appears that a crime has occurred.
Coroner or Medical Examiner- The Provider may disclose your PHI to a coroner or medical examiner for the purpose of identifying you or determining your cause of death, or to a funeral director as permitted by law and as necessary to carry out its duties.
Organ, Eye or Tissue Donation - If you are an organ donor, the Provider may disclose your PHI to the entity to whom you have agreed to donate your organs.
Research - If the Provider is involved in research activities, your PHI may be used, but such use is subject to numerous governmental requirements intended to protect the privacy of your PHI such as approval of the research by an institutional review board and the requirement that protocols must be followed.
Avert a Threat to Health or Safety - The Provider may disclose your PHI if it believes that such disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public and the disclosure is to an individual who is reasonably able to prevent or lessen the threat.
Specialized Government Functions - When the appropriate conditions apply, the Provider may use PHI of individuals who are Armed Forces personnel: (1) for activities deemed necessary by appropriate military command authorities; (2) for the purpose of a determination by the Department of Veteran Affairs of eligibility for benefits; or (3) to a foreign military authority if you are a member of that foreign military service. The Provider may also disclose your PHI to authorized federal officials for conducting national security and intelligence activities including the provision of protective services to the President or others legally authorized.
Inmates - The Provider may disclose your PHI to a correctional institution or a law enforcement official if you are an inmate of that correctional facility and your PHI is necessary to provide care and treatment to you or is necessary for the health and safety of other individuals or inmates.
Workers' Compensation -If you are involved in a Workers' Compensation claim, the Provider may be required to disclose your PHI to an individual or entity that is part of the Workers' Compensation system.
Disaster Relief Efforts - The Provider may use or disclose your PHI to a public or private entity authorized to assist in disaster relief efforts.
Required by Law - If otherwise required by law, but such use or disclosure will be made in compliance with the law and limited to the requirements of the law.
AUTHORIZATION
As detailed in the HIPAA Rules, certain uses and disclosures of psychotherapy notes, uses and
disclosures of PHI for marketing purposes (as described in the “Marketing” section of this Privacy Notice), and disclosures that constitute a sale of PHI require a written authorization from you, and other
uses and disclosures not otherwise permitted as described in this Privacy Notice will only be made with
your written authorization, which you may revoke at any time as detailed in the “Your Rights” section of
this Privacy Notice.
SIGN-IN SHEET
The Provider may use a sign-in sheet at the registration desk. The Provider may also call your name in the waiting room when your provider is ready to see you.
APPOINTMENT REMINDER
The Provider may, from time to time, contact you to provide appointment reminders. The reminder may be in the form of an email or text message. The Provider will try to minimize the amount of information contained in the reminder. The Provider may also contact you by phone and, if you are not available, the Provider will leave a message for you.
TREATMENT ALTERNATIVE/BENEFITS
The Provider may, from time to time, contact you about treatment alternatives, or other health
benefits or services that may be of interest to you.
MARKETING
The Provider may only use and/or disclose your PHI for marketing activities if we obtain from you a prior written Authorization. "Marketing" activities include communications to you that encourage you to purchase or use a product or service, and the communication is not made for your care or treatment. However, marketing does not include, for example, sending you a newsletter about this Provider. Marketing also includes the receipt by the Provider of financial remuneration, directly or indirectly, from engages in marketing and will obtain your prior Authorization.
FUNDRAISING
The Provider may use and/or disclose some of your PHI in order to contact you for fundraising
activities supportive of the Provider and you have a right to opt out of receiving such communications. Any fundraising materials sent to you will describe how you may opt out of receiving any further communications.
FAMILY/FRIENDS
The Provider may disclose to your family member, other relative, a close personal friend, or any
other person identified by you, your PHI directly relevant to such person's involvement with your care or
the payment for your care. The Provider may also use or disclose your PHI to notify or assist in the
notification (including identifying or locating) of a family member, a personal representative, or another
person responsible for your care, of your location, general condition, or death. However, in both cases, the following conditions will apply:
(a) The Provider may use or disclose your PHI if you agree, or if the Provider provides you with opportunity to object and you do not object, or if the Provider can reasonably infer from the circumstances, based on the exercise of its judgment, that you do not object to the use or disclosure.
(b) If you are not present, the Provider will, in the exercise of its judgment, determine whether the use or disclosure is in your best interests and, if so, disclose only the PHI that is directly relevant to the person's involvement with your care.
GOVERNMENT REGULATION
The Provider is subject to various rules and regulations of New York State and the federal
government. As a result of those rules and regulations, periodically representatives from federal or state
agencies will audit the operations of the Provider and, in the process of that audit, will review medical
records, some of which may contain your PHI.
YOUR RIGHTS
1. You have the right to:
Revoke any Authorization, in writing, at any time. To request a revocation, you must submit a written request to the Provider.
Request restrictions on certain uses and/or disclosures of your PHI as provided by law and the HIPAA Rules. However, the Provider is not obligated to agree to every requested restriction, except to the extent required by the HIPAA Rules or by law. To request restrictions, you must submit a written request to the Provider's Privacy Officer. In your written request, you must inform the Provider of what information you want to limit, whether you want to limit the Provider's use or disclosure, or both, and to whom you want the limits to apply. If the Provider agrees to your request, the Provider will comply with your request unless the information is needed in order to provide you with emergency treatment.
Restrict certain disclosures of PHI about you to a health plan where you pay out of pocket in full for the health care item or service.
Receive confidential communications of PHI by alternative means or at alternative locations. You must make your request in writing to the Provider. The Provider will accommodate all reasonable requests.
Inspect and copy your PHI as provided by law. To inspect and copy your PHI, you must submit a written request to the Provider. In certain situations that are defined by law, the Provider may deny your request, but you will have the right to have the denial reviewed. The Provider can charge you a fee for the cost of copying, mailing or other supplies associated with your request, all in accordance with applicable law.
Amend your PHI as provided by law. To request an amendment, you must submit a written request to the Provider. You must provide a reason that supports your request. The Provider may deny your request if it is not in writing, if you do not provide a reason and support of your request, if the information to be amended was not created by the Provider (unless the individual or entity that created the information is no longer available), if the information is not part of your PHI maintained by the Provider, if the information is not part of the information you would be permitted to inspect and copy, and/or if the information is accurate and complete. If you disagree with the Provider's denial, you have the right to submit a written statement of disagreement.
Receive an accounting of disclosures of your PHI as provided by law. To request an accounting, you must submit a written request to the Provider which must comply with the applicable HIPAA Rules. The request should indicate in what form you want the list (such as a paper or electronic copy). The first list you request within a 12 month period will be free, but the Provider may charge you for the cost of providing additional lists in that same 12 month period. The Provider will notify you of the costs involved and you can decide to withdraw or modify your request before any costs are incurred.
Receive a paper copy of this Privacy Notice from the Provider upon request to the Provider.
Be notified following a breach of your Unsecured PHI (as such term is defined by the HIPAA Rules).
Complain to the Provider, or to the United States Department of Health and Human Services, Office for Civil Rights, Centralized Case Management Operations, U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Room 509F HHH Bldg., Washington, D.C. 20201. To file a complaint with the Provider, you must contact the Provider. All complaints must be in writing.
To obtain more information on, or have your questions about your rights answered, you may contact Bloom Physical Therapy PLLC, at 585-502-9531 or via e-mail at hello@bloom-pt.com
PROVIDER'S REQUIREMENTS
The Provider:
Is required by law to maintain the privacy of your PHI and to provide you with this Privacy Notice of the Provider's legal duties and privacy practices with respect to your PHI.
Is required to abide by the terms of this Privacy Notice, which is currently in effect.
Reserves the right to change the terms of this Privacy Notice and to make the new Privacy Notice provisions effective for all of your PHI that it maintains.
Will not retaliate against you for making a complaint.
Must make a good faith effort to obtain from you an acknowledgement of receipt of this Notice.
Will post this Privacy Notice on the Provider's web site, if the Provider maintains a web site.
Will provide this Privacy Notice to you by e-mail if you so request. However, you also have the right to obtain a paper copy of this Privacy Notice.
EFFECTIVE DATE
This notice is in effect as of December 2, 2022.