HIPAA Notice of Privacy Practices

Revised 9/12/2022

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

If you have any questions about this Notice, please contact our HIPAA Compliance Officer, Michelle Bryant.

We are required by law to maintain the privacy of Protected Health Information (“PHI”) and to provide you with notice of our legal duties and privacy practices with respect to PHI. References to Gastroenterology Associates of Central VA—“we,” “us,” and “our”—refer to GACV for purposes of compliance with the Health Insurance Portability and Accountability Act (“HIPAA”).

This center, our employees, and workforce members are involved in providing and coordinating health care and are all bound to follow the terms of this Notice of Privacy Practice (“Notice”). We may share PHI between offices for the treatment, payment, and health care operations of the covered entity, as permitted by HIPAA and this Notice.

PHI is information that may identify you and that relates to your past, present, or future physical or mental health or condition, the provision of health care products and services to you, or payment for such services. This Notice describes how we may use and disclose PHI about you, as well as how you can obtain access to such PHI. This Notice also describes your rights with respect to your PHI. We are required by HIPAA to provide this Notice to you.

Gastroenterology Associates of Central Va. Inc. is required to follow the terms of this Notice or any change to it that is in effect. We reserve the right to change our practices and this Notice at any time and to make the new Notice effective for all PHI we maintain. If we do so, the updated Notice will be posted on our website and will be available at our facilities and locations where you receive health care products and services, or summarized at said location. Upon request, we will provide any revised Notice to you.

WHO WILL FOLLOW THIS NOTICE

This Notice describes our practice and that of:

  • Any health care professional authorized to enter information into your office chart;

  • All departments and units of this facility;

  • Any member of a volunteer group we allow to help you while you are at the facility;

  • Any medical student, intern, resident, or fellow that we allow to help you while you are in the facility;

  • Any representative of an insurance carrier, managed care organization, clinical research organization, or data analysis organization that is participating in a review of your medical care;

  • All employees, staff, and other office personnel; and

  • All other entities, sites, and locations where the health care professionals in this office practice and follow the terms of this Notice.

In addition, these entities, sites, and locations may share PHI with each other for treatment, payment, or operations purposes as described in this Notice.

OUR PLEDGE REGARDING PROTECTED HEALTH INFORMATION

We understand that PHI about you and your health is personal. We are committed to protecting PHI about you. We create a record of the care and services you receive at the endoscopy center. We need this record to provide you with quality care and to comply with certain legal requirements.

This Notice applies to all records of your care generated by the office. It will tell you about the ways in which we may use and disclose PHI about you. We also describe your rights and certain obligations we have regarding the use and disclosure of PHI.

We are required by law to:

  • Make sure that PHI that identifies you is kept private, in accordance with applicable law;

  • Give you this Notice of our legal duties and privacy practices with respect to PHI about you; and

  • Follow the terms of the Notice that is currently in effect.

HOW WE MAY USE AND DISCLOSE PROTECTED HEALTH INFORMATION ABOUT YOU

The following categories describe different ways that we use and disclose PHI. We have provided examples in certain categories; however, not every permissible use or disclosure will be listed in this Notice.

Treatment – We may use and disclose your PHI to provide, coordinate, and manage the treatment, medications, and services you receive. For example, we may disclose your PHI to doctors, nurses, technicians, clinical supervisors, or other personnel and team members who are involved in your care.

We may also disclose your PHI to third parties such as hospitals and other health care providers, facilities, and agencies to facilitate the provision of health care services, medications, and supplies you may need. For instance, we may disclose your PHI to a pathologist or laboratory to order a test. This helps to coordinate your care and ensures that everyone involved in your care has the information they need. Different office locations may share PHI about you to coordinate your care. We may also disclose PHI to people outside the office who may be involved in your care after you leave, such as family members, other physicians, or service providers.

Payment – We may use and disclose your PHI in order to obtain payment for the health care products and services that we provide to you, and for other related payment activities. This may include billing you, your insurance company, or another third party.

For example, we may disclose PHI to your health insurance company to get prior approval for a procedure or to determine if a service is covered under your health plan. We may share information about the services you received so your health plan can pay us or reimburse you. This can also include providing information on upcoming treatment for pre-approval purposes. We may also share your PHI with other health care providers or covered entities who require it for their payment activities.

Health Care Operations – We may use and disclose your PHI for our internal health care operations. These activities are necessary to operate our health care business and to ensure that all of our patients receive quality care.

For example, we may use PHI to assess the quality of our services or evaluate the performance of our staff. We may also combine PHI from many patients to determine what services should be offered or whether new treatments are effective. In some cases, we may disclose PHI to doctors, nurses, technicians, medical students, and staff for educational purposes. Additionally, we may compare PHI from other facilities to improve our services. When used for study, any identifying information may be removed.

Appointment Reminders and Health Benefits – We may call or write to remind you of appointments, upcoming procedures, or provide pre-procedure instructions. These reminders may be left on your voicemail or with someone who answers your phone.

We may also send written correspondence. Additionally, we may inform you about treatment alternatives or other health-related benefits and services that could be of interest. PHI may also be disclosed when answering your questions or giving test results.

We may also use and disclose your PHI without your prior authorization for the following purposes:

Business Associates – We may engage third-party service providers—such as billing companies, copy services, or consultants—who require access to PHI to perform their tasks. These providers are known as Business Associates and are legally obligated to protect your PHI and use it only as needed to perform their services for us.

As Required by Law – We will disclose PHI when required by federal, state, or local law. We may also share PHI with the Secretary of the Department of Health and Human Services, if required.

Individuals Involved in Your Care or Payment for Your Care – We may disclose PHI about you to a family member, friend, or personal representative who is involved in your medical care or payment for your care.

We may also inform your family or friends about your condition or procedures. If someone has legal authority to make health decisions for you, we will generally treat them as your personal representative and extend your PHI rights to them.

To Avert a Serious Threat to Health or Safety – We may use or disclose PHI when necessary to prevent a serious threat to your health and safety, or the health and safety of the public or another person.

OTHER PERMITTED USES AND DISCLOSURES OF PHI

Organ and Tissue Donation – If you are an organ donor, we may release PHI to organizations that handle organ procurement or organ, eye, or tissue transplantation, or to any organ donation bank, as necessary to facilitate organ or tissue donation and transplantation.

Specified Government Functions – In certain circumstances, federal regulations authorize the facility to use or disclose your PHI to facilitate specific government functions. These include military and veterans’ activities, national security and intelligence activities, protective services for the President and others, medical suitability determinations, correctional institutions, and law enforcement custodial situations.

Worker’s Compensation – To the extent required by law, we may disclose your PHI to worker’s compensation or similar programs established by law for work-related injuries or illnesses.

Public Health Risks – We may disclose your PHI for public health activities to public health or legal authorities responsible for preventing or controlling disease, injury, or disability. These activities may include reporting child abuse or neglect, reactions to medications, or problems with products; notifying individuals of product recalls; notifying persons who may have been exposed to a disease or may be at risk of spreading a disease or condition; and notifying the appropriate authorities if we believe a patient has been the victim of abuse, neglect, or domestic violence. In some cases, we may also report work-related illnesses and injuries to employers to support workplace safety.

Health Oversight Activities – We may disclose your PHI to a health oversight agency for activities authorized by law. These may include audits, investigations, inspections, licensure, and credentialing, which are necessary for oversight of the health care system, government programs, and compliance with civil rights laws.

Lawsuits, Administrative Proceedings, and Disputes – If you are involved in a lawsuit or dispute, we may disclose your PHI in response to a court or administrative order. We may also respond to a subpoena, discovery request, or other lawful process initiated by another party, but only if efforts have been made to notify you or to obtain an order protecting the requested information, unless otherwise permitted by law.

Law Enforcement – We may disclose your PHI for law enforcement purposes when required or permitted by law. Examples include responding to legal processes such as subpoenas or court orders, or limited disclosures under specific circumstances requested by law enforcement.

Coroners, Medical Examiners, and Funeral Directors – We may release PHI to a coroner or medical examiner for purposes such as identifying a deceased person or determining the cause of death. We may also disclose PHI to funeral directors as required to carry out their duties.

Disaster Relief – We may use or disclose your PHI to authorized organizations involved in disaster relief efforts to coordinate care or notify family members of your condition and location.

Food and Drug Administration (FDA) – We may disclose PHI to persons or entities under the jurisdiction of the FDA for purposes such as tracking adverse events, product defects, or post-marketing surveillance to support product recalls, repairs, or replacements.

Research – Under certain conditions, we may use or disclose PHI for research purposes. In most cases, we will ask for your authorization before allowing researchers access to your PHI. However, authorizations for research may be combined with other written permissions and may apply to future research studies. We may also include both conditioned and unconditioned authorizations in the same document, provided we clearly distinguish between them and allow you the choice to opt in to the unconditioned research activities.

Victims of Abuse or Neglect – We may disclose your PHI to a government authority if we reasonably believe you are a victim of abuse or neglect. Such disclosures will be limited to what is required by law, or made with your agreement, or when necessary to prevent serious harm to you or another individual.

USES AND DISCLOSURES PERMITTED WITHOUT AUTHORIZATION BUT WITH OPPORTUNITY TO OBJECT

We may disclose your PHI to a family member or close personal friend if the information is directly relevant to that person’s involvement in your procedure or in the payment for your care. We may also disclose your PHI when trying to locate or notify family members or others involved in your care regarding your location, condition, or death.

You have the right to object to these disclosures. If you do not object, or if we reasonably infer from the circumstances that you do not object, or if we determine in our professional judgment that it is in your best interest, we may proceed with such disclosures.

USES AND DISCLOSURES THAT REQUIRE YOUR PRIOR AUTHORIZATION

Specific Uses or Disclosures Requiring Authorization – We will obtain your written authorization before using or disclosing your PHI for certain purposes, including the use or disclosure of psychotherapy notes (if ever received by our office), the use or disclosure of PHI for marketing purposes, and the sale of PHI—except in limited circumstances where applicable law allows such use or disclosure without your authorization.

Other Uses and Disclosures – We will obtain your written authorization before using or disclosing your PHI for any purpose not described in this Notice or otherwise permitted by law. You may revoke your authorization in writing at any time. Upon receipt of the revocation, we will stop using or disclosing your PHI, except to the extent that we have already relied on your authorization.

YOUR RIGHTS REGARDING PHI

You have the following rights regarding the PHI we maintain about you:

Right to Inspect and Copy – With certain exceptions, you have the right to access and obtain a copy of the PHI we maintain about you. If your PHI is maintained electronically, you may request it in an electronic format. To inspect or obtain a copy of your PHI, you must send a written request to the Privacy Officer. You may request that we send your PHI to another individual or entity of your choosing.

We may deny your request under specific circumstances. If we deny access, you may request a review of that denial. If your PHI is maintained electronically, we will provide it in the format you request if it is readily producible, or in a mutually agreed upon format. If we cannot agree, we may provide a hard copy or PDF. We may charge a fee, as allowed by state law, for copying, mailing, or supplies related to your request.

Right to Amend – If you believe your PHI is incorrect or incomplete, you may request an amendment. You must submit your request in writing to the Privacy Officer and include a reason supporting your request. We may deny your request if:

  • The information was not created by us (unless the original creator is unavailable),

  • The information is not part of the PHI we maintain,

  • The information is not subject to inspection by you, or

  • The information is already accurate and complete.

Right to an Accounting of Disclosures – You have the right to receive a list of certain disclosures of your PHI made in the six years prior to your request, excluding disclosures for treatment, payment, or operations. Requests must be in writing and specify a time period.

Right to Request Restrictions – You may request additional restrictions on the use or disclosure of your PHI. Requests must be made in writing to the Privacy Officer. While we are not required to agree to all requests, we must comply with a request to restrict disclosure to a health plan for payment or health care operations if the PHI relates solely to a health care item or service that you or someone on your behalf has paid for in full out of pocket.

Right to Request Confidential Communications – You may request that we communicate with you through alternative means or at alternative locations (e.g., via email or at a different address). If you choose electronic communications, please note that they may not be secure and may be accessed by unauthorized third parties. Requests must be submitted in writing to the Privacy Officer and must specify how or where you wish to be contacted. We will accommodate reasonable requests, but if your request is impractical, we may use the contact information we have on file.

Right to a Paper Copy of This Notice – You may request a paper copy of the current Notice at any time, even if you have previously agreed to receive it electronically. You can obtain a paper copy at any of our health care sites or by contacting the Privacy Officer. The Notice is also available on our website.

Breach Notification – You have the right to be notified if your unsecured PHI is breached. We will provide such notification as required by applicable law.

CHANGES TO THIS NOTICE

We reserve the right to change this Notice at any time. Any revised or changed Notice will apply to PHI we already have about you, as well as any information we receive in the future.

We will post a copy of the current Notice in the facility. In addition, each time you register or are seen at the office for treatment or health care services as an outpatient, you may request a copy of the Notice that is in effect.

COMPLAINTS

If you believe your privacy rights have been violated, you may file a complaint with our office or with the Secretary of the Department of Health and Human Services. All complaints must be submitted in writing.

To file a complaint with the office, contact:

Michelle Bryant, HIPAA Compliance Officer
121 Nationwide Drive
Lynchburg, VA 24502
Phone: (434) 384-1862

You will not be penalized for filing a complaint.

OTHER USES OF PROTECTED HEALTH INFORMATION

Any other uses and disclosures of PHI not covered by this Notice or applicable laws will be made only with your written permission. If you provide us permission to use or disclose PHI about you, you may revoke that permission in writing at any time.

Once we receive your written revocation, we will stop using or disclosing your PHI for the purposes covered by your authorization. Please note that we are unable to take back any disclosures we have already made based on your previous permission, and we are required to retain records of the care we provided to you.