THIS PRIVACY NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
If you have any questions, please contact our privacy officer by telephone at (641) 628-1162 or (866) COC-DIFF or by mail at 1553 Broadway St., Box 347, Pella, IA 50219.
This Notice of Privacy Practices describes how we may use and disclose your protected health information to carry out treatment, payment or healthcare operations and for other purposes that are permitted or required by law. This Notice also describes your rights regarding protected health information we maintain about you and a brief description of how you may exercise these rights. It further states the obligations we have to protect your PHI.
“Protected health information” (hereafter referred to as PHI) means any identifying information associating you with COC’s services that we have collected from you or received from your health care providers, health plans, your employer, or a health care clearinghouse. For the purposes the Health Insurance Portability and Accountability Act (HIPAA) that governs this notice, COC is regarded as a health care provider because we provide a variety of services with respect to the mental and physical condition of people. Your PHI may include any information about your past, present or future physical or mental health or condition, the provision of your services, and payment for your services.
We are required by law to maintain the privacy of your PHI and to provide you with this notice of our legal duties and privacy practices with respect to your PHI. We are also required to comply with the terms of this Notice of Privacy Practices.
II. How we will use and disclose your PHI
We will use and disclose your PHI as described in each category listed below. For each category, we will explain what we mean in general, but not describe all specific uses or disclosures of PHI.
A. Uses and disclosures for treatment, payment and healthcare operations
We will use and disclose your PHI without your authorization to provide you with services. We will also use and disclose your PHI to coordinate and manage your services. For example, we may need to disclose information to a case manager who is responsible for obtaining your funding and coordinating your services. We may also disclose your PHI among to our staff so that they can carry out their duties. In addition, we may disclose your PHI without your authorization to another service provider (e.g., your primary care physician, therapist, or a case manager) working outside of COC for purposes of your services.
We may use or disclose your PHI without your authorization so that the services you receive are billed to, and payment is collected from, your funders or other interested parties. By way of example, we may disclose your PHI to permit funders to approve or pay for your services. This may include:
- making a determination of eligibility for services;
- reviewing your services;
- reviewing your services to determine if they were appropriately authorized;
- reviewing your services for purposes of utilization review, to ensure the appropriateness of your services, or to justify the charges for your services.
We may also disclose your PHI to another provider so that provider can bill you for services they provided to you such as going to the dentist.
3. Healthcare operations
We may use and disclose PHI about you without your authorization for our administrative operations. These uses and disclosures are necessary to run our organization and make sure that you receive quality services. These activities may include, by way of example, quality assessment and improvement, reviewing the performance or qualifications of staff, licensing, accreditation, business planning and development, and general administrative activities. We may combine PHI of the people we support to decide what additional services we should offer, what services are no longer needed, and whether certain services are effective. We may also provide your PHI to other service providers or to your funders to assist them in performing their own operations. We will do so only if you have or have had a relationship with the other provider or funder. For example, we may provide information about you to your funder to assist them in their quality assurance activities. Finally, we may use and disclose your PHI to inform you about possible service options or alternatives that may be of interest to you.
B. Uses and disclosures for fundraising activities
We may use or disclose PHI about you to contact you about raising money for our services. If we disclose such information, we will only release basic contact information, such as your name and address and the dates you were provided service, but we will not provide information about your services. Although we may contact you to raise funds for COC, you have the right to opt out of receiving fundraising communications if we do so. If you receive fundraising communications from us and do not want to receive them in the future, you must notify the Privacy Officer:
- In writing at 1553 Broadway St, Box 347, Pella, Iowa 50219;
- By email at email@example.com; or
- By phone at 641-628-1162
and state clearly that you do not want to receive any fundraising solicitations from us.
C. Uses and disclosures that may be made without your authorization, but for which you will have an opportunity to object
1. Agency directory
We maintain a limited agency directory by region to facilitate connections between the people we support and the community at large. This limited information will only be provided to individuals who ask for you by name and may include your name and location.
2. Persons involved in your services
We may provide PHI about you to persons involved in your services, including family members, significant others, friends, and other community supports. These support people may be involved in your services on a regular and ongoing basis or only on a limited basis or for a specific circumstance. We may use or disclose your PHI to notify these persons of your location, general condition or death.
3. When you are not present, you are unable to make your own decisions, or you are in an emergency situation
We may disclose your PHI to family members, significant others, friends, and other community supports involved in your services so that such persons may assist in your services when you are not present, are unable to make your own decisions, or are in an emergency situation. In these situations, we will determine whether the disclosure is in your best interest, and, if so, only disclose information that is directly relevant to participation in your services.
4. Disaster relief purposes
We may disclose your PHI to federal, state, or local agencies involved in disaster relief activities.
D. Uses and disclosures that may be made without your authorization or opportunity to object
1. Required by law
We will disclose PHI about you when required to do so by federal, state or local law.
2. Public health activities
We may disclose PHI about you as necessary for public health activities including, by way of example, disclosures to:
- report to public health authorities for the purpose of preventing or controlling disease, injury or disability;
- report child abuse or neglect;
- report certain events to the Food and Drug Administration (FDA) or to a person subject to the jurisdiction of the FDA including information about defective products, problems with medications, or, FDA-initiated product recalls;
- notify a person who may have been exposed to a communicable disease or who is at risk of contracting or spreading a disease or condition;
- report to an employer, where there are work-related injuries or workplace medical surveillance;
3. Abuse, neglect or domestic violence
We may notify the appropriate government authority if we believe you have been a victim of abuse, neglect or domestic violence. We will only notify them if we obtain your agreement or if we are required or authorized by law to report such abuse, neglect or domestic violence.
4. Health oversight activities
We may disclose PHI about you to a health oversight agency for activities authorized by law. Oversight agencies include government agencies that oversee the disability services system, government benefit programs such as Medicare or Medicaid, other government programs regulating health services, and civil rights laws.
5. Disclosures in legal proceedings
We may disclose PHI about you to a court or administrative agency when a judge or administrative agency orders us to do so. We also may disclose PHI about you in legal proceedings without your permission or without a judge or administrative agency’s order when we receive a subpoena for your PHI. We will not provide this information in response to a subpoena when we do not feel it is in your best interest or if we do not want to participate in order to protect our confidential relationship with you.
6. Law enforcement activities
We may disclose PHI to a law enforcement official for law enforcement purposes.
7. Medical examiners or funeral directors
We may provide PHI about you to a medical examiner or a funeral director as necessary to carry out their duties.
8. Organ and tissue donation
If you are an organ donor, we may release your PHI to an organ procurement organization or to an entity that conducts organ, eye or tissue transplantation, or serves as an organ donation bank, as necessary to facilitate organ, eye or tissue donation and transplantation.
We may disclose your PHI to researchers when their research has been approved by COC after reviewing the research proposal and established protocols to protect the privacy of your PHI.
10. To avert a serious threat to health or safety
We may use and disclose PHI about you when necessary to prevent a serious and imminent threat to your health or safety or to the health or safety of the public or another person. Under these circumstances, we will only disclose PHI to someone who is able to help prevent or lessen the threat.
11. Military and veterans
If you a member of the armed forces, we may disclose your PHI as required by military command authorities. We may also disclose your PHI for the purpose of determining your eligibility for benefits provided by the Department of Veterans Affairs.
12. Workers’ compensation
We may disclose PHI about you to comply with the state’s Workers’ Compensation Law.
E. Uses and disclosures with your written authorization
All other uses and disclosures not described above will generally only be made with your written permission, called an “authorization.” With certain exceptions, the use of your PHI for purposes of marketing requires your written authorization. Your PHI will never be sold without your written authorization.
You have the right to revoke an authorization at any time. If you revoke your authorization we will not make any further uses or disclosures of your PHI under that authorization, unless we have already taken an action relying upon the uses or disclosures you have previously authorized.
III. Your rights regarding your PHI
A. Inspect and copy
You have the right to request an opportunity to inspect or copy PHI used to make decisions about your services – whether they are decisions about your services or payment of your services.
You must make a request with your Program Coordinator or designee to inspect and copy your PHI. If you request a copy of the information, we may charge a reasonable fee for the cost of copying, mailing and supplies associated with your request. We may deny your request to inspect or copy your PHI in certain limited circumstances. If you disagree with the denial, in some cases you will have the right to have the denial reviewed by a COC staff not involved in the original decision. We will inform you in writing if the denial of your request may be reviewed. Once the review is completed, we will honor the decision made.
For as long as we keep records about you, you have the right to request us to amend any PHI used to make decisions about your services – whether they are decisions about your services or payment of your services.
To request an amendment, you must contact your Program Coordinator or designee and tell us why you believe the information is incorrect or inaccurate. We may deny your request for an amendment if it there is insufficient reason to support the request. We may also deny your request if you ask us to amend PHI that:
- was not created by us;
- is not part of the PHI we maintain to make decisions about your services;
- is not part of the PHI that you would be permitted to inspect or copy; or
- is accurate and complete.
If we deny your request to amend, we will send you a written notice of the denial stating the basis for the denial and offering you the opportunity to provide a written statement disagreeing with the denial. If you do not wish to prepare a written statement of disagreement, you may ask that the requested amendment and our denial be attached to all future disclosures of the PHI that is the subject of your request. If you choose to submit a written statement of disagreement, we have the right to prepare a written rebuttal to your statement of disagreement. In this case, we will attach the written request and the rebuttal (as well as the original request and denial) to all future disclosures of the PHI that is the subject of your request.
C. Accounting of disclosures
You have the right to request that we provide you with an accounting of disclosures we have made of your PHI. An accounting is a list of disclosures, but this list will not include certain disclosures of your PHI, by way of example, those we have made for purposes of services, payment, and administrative operations. To request an accounting of disclosures, you must submit your request to your Program Coordinator. The request should state the time period for which you wish to receive an accounting. This time period should not be longer than six years and not include dates before April 14, 2003.
D. Request restrictions
You have the right to request a restriction on the PHI we use or disclose about you for treatment, payment or healthcare operations, including a restriction of a disclosure of PHI to a health plan with respect to health care for which you paid out of pocket. To request a restriction, you must submit your request to your Program Coordinator. We are not required to agree to a restriction that you may request. If we do agree, we will honor your request unless the restricted PHI is needed to provide you with emergency services.
E. Request confidential communications
You have the right to request that we communicate with you about your services only in a certain location or through a certain method. To request such a confidential communication, you must submit your request to your Program Coordinator. We will accommodate all reasonable requests. You do not need to give us a reason for the request; but your request must specify how or where you wish to be contacted.
If you believe your privacy rights have been violated, you may file a complaint with us or with the Secretary of the U.S. Department of Health and Human Services. To file a complaint with us, contact our Privacy Officer by telephone at (641) 628-1162 or (866) COC-DIFF or by mail at 1553 Broadway St, Box 347, Pella, IA 50219. Your Program Coordinator will assist you with writing your complaint, if you request such assistance. We will not retaliate against you for filing a complaint.
V. Changes to this notice
We reserve the right to change the terms of our Privacy Notice. We also reserve the right for our Privacy Notice to be effective for all PHI we already have about you as well as any PHI we receive in the future. We will post a copy of the current Privacy Notice at our administrative offices in each region and on our agency web site at www.christianopportunity.org.
VI. Following this notice
COC will follow this Privacy Notice in addition to other organizations who have a role in your services, including: funders, regulators, accrediting agencies, case managers, social workers, and other community support agencies.
In the case of a breach of unsecured PHI, it is COC’s responsibility to notify any individuals affected by the breach.