HIPAA PRIVACY NOTICE
Last Revised: February 2019 | En Español
Notice of Privacy Practices
This Notice is provided to you pursuant to the privacy regulations enacted as a result of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This joint notice of privacy practices describes how your medical information may be used and disclosed and how you can get access to your information. This Notice applies to all your medical information created or maintained by Privia (“Privia” is further defined in Section D of this Notice). Please review this notice carefully.
A. Our Commitment to Your Privacy
Privia is committed to maintaining the privacy of your health information. We are required by law to (i) maintain the privacy of your health information; (ii) provide you with this notice of our legal duties and privacy practices with respect to your health information; (iii) follow the terms of the notice of privacy practices currently in effect; and (iv) notify you if there is a breach of your health information. We must also provide you with the following important information: (a) how we may use and disclose your health information; (b) your privacy rights; and (c) our obligations concerning the use and disclosure of your health information.
This Notice of Privacy Practices is NOT an authorization. Rather it describes how we, our Business Associates, and their subcontractors may use and disclose your Protected Health Information to carry out treatment, payment, or health care operations, and for other purposes as permitted or required by law. It also describes your rights to access and control your Protected Health Information.
“Protected Health Information” (“PHI”) means information that identifies you individually; including demographic information, and information that relates to your past, present, or future physical or mental health condition and/or related health care services.
The terms of this notice apply to all your PHI created or maintained by Privia. We reserve the right to revise or amend this Notice at any time. Any revision or amendment to this notice will be effective for all of your records that we created or maintained in the past and for any of your records that we may create or maintain in the future. We will post a copy of our current Notice online at: http://www.priviahealth.com/HIPAA and you may request a copy of our most current Notice at any time.
B. Summary of this Notice
1. We may use and share your information to:
- Provide care and treatment
- Bill or seek payment for services we have provided
- Conduct our business
- File reports with public health and safety entities
- Conduct certain research activities
- Respond to organ and tissue donation requests
- Work with a medical examiner or funeral director
- Respond to workers’ compensation, law enforcement and other government requests
- Defend lawsuits and legal actions
- Comply with the law
For more information, see Section E below.
2. You may have certain choices about how we use and share information when we:
- Share information with your family and friends
- Provide disaster relief
- Provide mental health care
- Market our services
- Conduct certain research activities
For more information see Section F below.
3. You have the right to:
- Get a copy of your medical record
- Request a correction of your medical record
- Request how we communicate with you
- Ask us to further restrict the information we share
- Get a list of those with whom we’ve shared your information
- Get a copy of this privacy notice
- Choose someone to act for you if you are unable to make your own decisions
- File a complaint if you believe your privacy rights have been violated
For more information see Section G below.
C. Contact for Questions
For more information or questions about Privia Medical Group’s privacy policies, please contact:
950 N Glebe Rd, Suite 4000
Arlington, VA 22203
D. Persons/Entities Covered by This Notice
Your provider is part of an Organized Health Care Arrangement (OHCA) by virtue of his or her affiliation with a member of the Privia Medical Group or Texas Health Care family and/or Privia Quality Network (Privia Health’s Clinically Integrated Networks and Accountable Care Organizations) (collectively these entities are referred to as “Privia”). For the purposes of complying with federal privacy and security requirements, the above-described entities have designated themselves as an OHCA. An OHCA is a clinically integrated care setting in which patients may receive care from multiple providers who share a common set of privacy practices. Privia providers have agreed to follow the terms of this Notice when providing services through Privia. Although each care center is legally separate and responsible for its own acts, Privia coordinates privacy practices among the Privia care centers. Patient information is shared across the OHCA for treatment, payment, and healthcare operations related to the OHCA. Your PHI can be shared across the OHCA for the purposes of your treatment, payment, and healthcare operations. When PHI is shared for healthcare operations, the person or organization using your PHI must have a relationship with you, unless your PHI is used for quality assurance, utilization review, and peer review purposes.
Note: This notice applies to all care centers affiliated with Privia, including those whose providers are members of Privia Medical Group Mid-Atlantic, Privia Medical Group – Georgia, Privia Medical Group – Gulf Coast, and Texas Health Care / Privia Medical Group – North Texas. The complete list of Privia providers for whom this Notice of Privacy Practices applies can be viewed at: http://www.priviahealth.com/HIPAA.
Important: Privia may disclose your PHI to members of a Privia medical group and other independent medical professionals in order to provide treatment, payment and healthcare operations. Although those professionals have agreed to follow this Notice and participate in the Privia privacy program, they are independent professionals and Privia expressly disclaims any responsibility or liability for their acts or omissions relating to your care or privacy/security rights.
E. Use and Disclosure of your Individually Identifiable Health Information (PHI)
- Treatment. Privia may use or share your PHI to provide medical treatment or services for you and manage and coordinate your medical care. Privia may disclose your PHI to physicians and health care providers (including pharmacists), durable medical equipment (DME) vendors, surgery centers, hospitals, rehabilitation therapists, home health providers, laboratories, nurse case managers, worker’s compensation adjusters, etc. to ensure that your medical providers have the necessary information to diagnose and provide treatment to you. For example, a doctor treating you for a broken leg may need to know if you have diabetes because diabetes may affect the healing process. Privia may also disclose your PHI to individuals who are directly involved in your care, including family members, friends or other care providers. If you participate in a virtual visit (telehealth), your information will be shared electronically via a secure transmission to facilitate the virtual visit.
- Payment. Privia may use and disclose your PHI in order to bill for services provided and collect payment from health plans or other entities. For example, we may disclose PHI to your health insurance plan so it will pay for your services, determine your eligibility for coverage, or to obtain prior approval from the insurer to cover payment for treatment. Privia also may use and disclose your PHI to obtain payment from third parties that may be responsible for such costs, including family members. Privia may also disclose your information to a collection agency to obtain overdue payment or to a regulatory agency or insurance company to determine whether the services we provided were medically necessary or appropriately billed.
- Health Care Operations. Privia may use and disclose your PHI to run our practices, improve your care, and contact you when necessary. For example: We may use or disclose your PHI: (1) to conduct quality or patient safety activities, population-based activities relating to improving health or reducing health care costs, case management and care coordination, and contacting your health care providers and you with information about treatment alternatives; (2) when conducting training programs or performing accreditation, licensing, or credentialing activities; (3) when conducting or arranging for medical review, legal services, and auditing functions; and (4) for our proper management and administration, including customer service, resolving complaints, strategic planning, etc. In addition, we may use or disclose de-identified information or a limited data set for certain healthcare operations purposes. We may also record your visit in order to facilitate the documentation of your care by your provider via a scribe or virtual scribe service.
- Appointment Reminders, Check-In and Results. Privia may use and disclose your PHI to contact you and remind you of an appointment. Privia may use a sign-in sheet at the registration desk and call you by name in the waiting room when your provider is ready to see you. Privia may also use your PHI to contact you about test results. Privia may leave a message reminding you of an appointment or the results of certain tests, but will leave the minimum amount of information necessary to communicate this information.
- Treatment Options and Health-Related Benefits and Services. Privia may use and disclose your PHI to inform you of treatment options or alternatives as well as certain health-related benefits or services that may be of interest to you. Privia may also use and disclose your PHI to describe health-related products or services (or payment for such products or services) provided through your benefit plan or to offer information on other providers participating in a healthcare network that we participate in.
- Disclosures to Family or Friends. Privia may disclose your PHI to individuals involved in your care or treatment or responsible for payment of your care or treatment. If you are incapacitated, we may disclose your PHI to the person named in your Durable Power of Attorney for Health Care or your personal representative (the individual authorized by law to make health-related decisions for you). In the event of a disaster, your PHI may be disclosed to disaster relief organizations to coordinate your care and/or to notify family members or friends of your location and condition.
- Disclosures Required By Law. Privia will use and disclose your PHI when we are required to do so by federal, state or local law. For example, Privia may disclose PHI to comply with child and elder abuse reporting laws or to report certain diseases, injuries or deaths to state or federal agencies.
F. Use and Disclosure of Your PHI in Certain Special Circumstances
- Public Health Reporting. Privia may disclose and may be required by law to disclose your PHI for certain public health purposes. For example, Privia may disclose your PHI to the Food and Drug Administration (FDA) regarding the quality and safety of an FDA-regulated product or activity; to prevent or control disease; report births and deaths; to report child abuse and/or neglect; to report reactions to medications or problems with health products; to provide notification of recalls of products; or report a person who may have been exposed to a disease or may be at risk of contracting and/or spreading a disease or condition. In addition, Privia may provide proof of immunizations to a school that requires a patient’s immunization record prior to enrollment or admittance of a student if you have informally agreed to the disclosure for yourself or on behalf of your legal dependent.
- Health Oversight Activities. Privia may disclose your PHI to a health oversight agency for investigations, inspections, audits, surveys, licensure and disciplinary actions, and in certain civil, administrative, and criminal procedures or actions, or other health oversight activities as authorized by law.
- Lawsuits and Disputes. Privia may disclose your PHI in response to a court or administrative order, subpoena, request for discovery, or other legal processes. However, absent a court order, Privia will generally disclose your PHI if you have authorized the disclosure or efforts have been made to inform you of the request or obtain an order protecting the information requested. Your information may also be disclosed if required for our legal defense in the event of a lawsuit.
- Law Enforcement. Privia may disclose your PHI if requested by a law enforcement official: (a) regarding a crime victim in certain situations, if we are unable to obtain the person’s agreement; (b) about a death we believe resulted from criminal conduct; (c) regarding criminal conduct on our premises; (d) in response to a warrant, summons, court order, subpoena or similar legal process; (e) to identify/locate a suspect, material witness, fugitive or missing person; or (f) in an emergency, to report a crime (including the location or victim(s) of the crime, or the description, identity or location of the perpetrator).
- Deceased Patients. Privia may disclose your PHI to a medical examiner or coroner to identify a deceased individual or to identify the cause of death. In addition, we may disclose PHI necessary for funeral directors to fulfill their responsibilities.
- Organ and Tissue Donation. Privia may disclose your PHI to organizations that handle organ, eye or tissue procurement or transplantation, including organ donation or blood banks, as necessary to facilitate donation and transplantation if you are a donor.
- Research. Privia may use and disclose your PHI to researchers for the purpose of conducting research with your written authorization or when the research has been approved by an Institutional Review and is in compliance with law governing research. In certain situations, the need for your individual consent may be waived by a Privacy Board.
- Serious Threats to Health or Safety. Privia may use and disclose your PHI when necessary to reduce or prevent a serious threat to your health and safety or the health and safety of another individual or the public. Under these circumstances, we will only make disclosures to a person or organization able to help prevent the threat.
- Military, National Security, and other Specialized Government Functions: If you are in the military or involved in national security or intelligence, Privia may disclose your PHI to authorized officials. Privia also may disclose your PHI to authorized federal officials in order to protect the President, other officials or foreign heads of state, or to conduct certain investigations.
- Workers’ Compensation. Privia will disclose only the PHI necessary for worker’s compensation in compliance with worker’s compensation laws. This information may be reported to your employer and/or your employer’s representative in the case of an occupational injury or illness.
- Inmates. If you are an inmate or in the custody of a law enforcement official, Privia may disclose your PHI to correctional institutions or law enforcement officials as necessary: (a) for the institution to provide health care services to you; (b) for the safety and security of the law enforcement officer or the correctional institution; and/or (c) to protect your health and safety or the health and safety of other individuals.
- Minors. If you are a minor (generally an individual under 18 years old), we may disclose your PHI to your parent or guardian unless otherwise prohibited by law.
G. Your Privacy Rights Regarding Your PHI
- Inspection and Copies. You may request a copy of, or request to inspect, the PHI that is used to make decisions about you, including medical and billing records and laboratory and imaging reports. You have the right to obtain an electronic copy if it is readily producible by us in the form and format requested, or you may request that we provide a paper copy of your record. You may also request a summary of your record. We will provide your health information, to you or whomever you designate to receive it, usually within thirty (30) days of your request, or fifteen (15) days if your provider is in Texas. Privia may charge a reasonable cost-based fee to cover the costs of copying, mailing, labor and supplies associated with your request. Privia may deny your request to inspect and/or copy in certain limited circumstances; however, you may request a review of our denial. There may be times that your provider, in his or her professional judgment, may not think it is in your best interest to have access to your medical record. Depending on the reason for the decision to deny a request, we may ask another licensed provider chosen by us to conduct a review of your request and its denial.
- Confidential Communications. You may request in writing that we communicate with you in a specific way or send mail to a different address. For example, you may request that we contact you at home, rather than work or by mail. Privia will accommodate all reasonable requests. You do not need to give a reason for your request. We will comply with your request if you are reasonably able to do so.
- Amendment. You may request a correction or amendment of your PHI if you believe it is incorrect or incomplete. You may make a written request for a correction or amendment for as long as your PHI is maintained by or for Privia. Requests must provide a reason or explanation that supports the request. Privia will deny your request if it is not in writing or if, in the provider’s opinion, the information is: (a) accurate and complete; (b) not part of the PHI maintained by or for Privia; (c) not part of the PHI that you have the right to inspect and copy; or (d) not created by Privia, unless the individual or entity that created the information is not available to amend the information. Privia will notify you in writing within sixty (60) days if we cannot fulfill your request.
- Accounting of Disclosures. You may request an accounting of certain disclosures that Privia has made of your PHI. This accounting will list the disclosures that we have made of your PHI but will not include disclosures made for the purposes of treatment, payment, health care operations, disclosures required by law, and certain other disclosures (such as any you asked us to make). Your request must be in writing and state the time period for which you want the accounting (not to exceed six (6) years prior to the date you make the request). Privia will provide one accounting a year for free but will charge a reasonable, cost-based fee if you ask for another one within twelve (12) months. Privia will notify you of the costs involved with any additional request and you may withdraw your request before you incur any costs.
- Requests for Restrictions. You have the right to request that Privia not use or share your PHI for treatment, payment, or health care operations. We are not required to agree to your request, and we may say “no” if we believe it might affect your care. If you pay for a service or health care item out-of-pocket in full, you may ask us not to share that information for the purpose of payment or our operations with your health insurer. In that case, we will approve your request unless a law specifically requires us to share that information.
- Health Information Exchange Opt-Out: You have the right to opt-out of disclosure of your medical records to or via an electronic health information exchange (“HIE”) (For example, Surescripts, Commonwell, CareQuality aka The Sequoia Project, ConnectVirginia and/or the Chesapeake Regional Information System for our Patients, Inc. (“CRISP”)). However information that is sent to or via an HIE prior to processing your opt-out may continue to be maintained by and be accessible through the HIE. You must opt out of disclosures to or via an HIE through each of your individual treating providers who may participate in any given HIE. See I. USING TECHNOLOGY TO IMPROVE HEALTHCARE below for more information regarding HIE.
- Right to Receive a Notice of a Breach of Unsecured Medical/Billing Information. You have the right to receive prompt notice in writing of a breach of your PHI that may have compromised the privacy or security of your information.
- Right to a Paper Copy of This Notice. You have the right to receive a paper copy of this notice at any time even if you have agreed to receive the notice electronically. You may also obtain a copy of this notice at our website: http://www.priviahealth.com/HIPAA.
- Right to File a Complaint. If you believe your rights have been violated, you may file a complaint with us or with the Secretary of the Department of Health and Human Services (“HHS”), Office for Civil Rights, 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting www.hhs.gov/ocr/privacy/hipaa/complaints/. All complaints must be submitted in writing. You will not be penalized for filing a complaint.
H. Additional Information
- Patient Portal and Other Patient Electronic Correspondence. Privia may use and disclose your PHI through various secure patient portals that allow you to view, download and transmit certain medical and billing information and communicate with certain health care providers in a secure manner through the portal. For more information on the Privia patient portal, please visit our website at http://www.priviahealth.com/signin.html.
- Your Contact Information: Home and Email Addresses/Phone Numbers. If you provide us with a home or email address, home/work/cell telephone number, or other contact information during any registration or administrative process we will assume that the information you provided us is accurate and that you consent to our use of this information to communicate with you about your treatment, payment for service and health care operations. You are responsible to notify us of any change of this information. Privia reserves the right to utilize third parties to update this information for our records as needed.
- Email or Downloading PHI. If you email us medical or billing information from a private email address (such as a Yahoo, Gmail, etc. account), your information may not be secure in transmission. We therefore recommend you use your Privia patient portal to communicate with us regarding your care and/or billing issues. If you request that Privia email your PHI to a private email address, we will send it in an encrypted manner unless you request otherwise. Privia is not responsible for the privacy or security of your PHI if you request that we send it to you in an unsecured manner or download or post it on a dropbox, unencrypted USB drive, CD or other unsecure medium. In addition, Privia is not responsible if your PHI is redisclosed, damaged, altered or otherwise misused by an authorized recipient. In addition, if you share an email account with another person (for example, your spouse/partner/roommate) or you choose to store, print, email, or post your PHI, it may not be private or secure.
- Sensitive Health Information. Federal and state laws provide special protection for certain types of health information, including psychotherapy notes, information about substance use disorders and treatment, mental health and AIDS/HIV or other communicable diseases, and may limit whether and how we may disclose information about you to others.
- Substance Use Disorder Records and Information. The confidentiality of patient records maintained by federally assisted substance use disorder rehabilitation programs is protected by Federal law and regulations. Generally, such programs may not disclose any information that would identify an individual as having or being treated for a substance use disorder unless:
- the individual consents in writing;
- the disclosure is allowed by a court order;
- the disclosure is made to medical personnel in a medical emergency or to qualified personnel for research, audit, or program evaluation; or
- as otherwise permitted by law.
(Notwithstanding the preceding, we may disclose certain information that could identify you as having a substance use disorder pursuant to paragraph 6, below.) Violation of these laws and regulations is a crime. Suspected violations may be reported to appropriate authorities in accordance with Federal regulations. Federal law and regulations do not protect any information about a crime committed by a patient either at the program or against any person who works for the program or about any threat to commit such a crime. Federal laws and regulations do not prevent any information about suspected child abuse or neglect from being reported under state law to appropriate state or local authorities.
- Consent to Disclose Sensitive Health and Substance Use Disorder Information. The Privia Authorization & Consent to Treat form you sign as part of the registration process includes your consent to the release of federally assisted substance use disorder information, information regarding treatment of communicable diseases and mental health information for the purposes specified in this notice. If you do not wish for this information to be disclosed, you must notify us in writing and we will determine if it is feasible for us to accept your request.
- Incidental Disclosures. Despite our efforts to protect your privacy, your PHI may be overheard or seen by people not involved in your care. For example, other individuals at your provider’s office could overhear a conversation about you or see you getting treatment.Such incidental disclosures are not a violation of HIPAA.
- Business Associates. Your PHI may be disclosed to individuals or entities who provide services to or on behalf of Privia. Pursuant to HIPAA, Privia requires these companies sign business associate or confidentiality agreements before we disclose your PHI to them. However, Privia generally does not control the business, privacy, or security operations of our business associates.
- Authorization for Other Uses and Disclosures. Privia will obtain your written authorization for uses and disclosures that are not identified by this notice or otherwise required or permitted by applicable law. Any authorization you provide regarding the use and disclosure of your PHI may be revoked at any time in writing. After you revoke your authorization, we will no longer use or disclose your PHI for the reasons described in the authorization. However, your revocation will not affect actions we have already taken; in other words, we are unable to take back any disclosures of PHI we have already made.
I. Using Technology to Improve Healthcare
Health Information Exchange (HIE) enables your healthcare providers to quickly and securely share your health information electronically among a network of healthcare providers, including physicians, hospitals, laboratories and pharmacies. Your health information is transmitted securely and only authorized healthcare providers with a valid reason may access your information.
How does HIE Help You?
Improved access to information will enable us to provide better care for our patients
- Improved Care – Access to information about your health history and medical care gives your healthcare provider a more complete picture of your overall health. This can help your provider make better decisions about your care. The information may also prevent you from having repeat tests, saving you time, money and worry.
- Emergency Treatment – In an emergency, your providers may immediately check to see if you have allergies, health problems, test results, medications or previous concerns that may help them provide you with emergency care.
- Helps to Protect Privacy and Information Security – By sharing information electronically through a secure system, the risk that your paper or faxed records will be misused or misplaced is reduced.
How does HIE help protect your medical information and keep it secure?
Privia is committed to protecting the privacy and security of your health information, including the sharing and accessing of your information through HIE.
- Every HIE and its participants must protect your private medical information under HIPAA law, as well as applicable state laws and regulations.
- Information shared via HIE is encrypted, meaning it can be accessed only by authorized users. This prevents hackers from accessing your information.
- Every individual who can access your information must have their own user name and password and must receive training before they can access your information.
- The HIE records every time someone accesses your information. Upon request, the HIE can track who accessed your information and provide a report to the Privia Privacy Officer.
What HIEs does Privia participate in?
Privia participates in a number of HIEs, including, but not limited to, Surescripts (provider of medication history), Commonwell, CareQuality aka The Sequoia Project, ConnectVirginia and CRISP. (Note: This list is subject to change.)
You have choices about participating in HIE.
Privia recognizes you have certain rights related to how we share your information. You have the following choices:
Choice 1: Say Yes. No further action needed.
If you agree to have your medical information shared through HIE and you have a current Authorization and Consent to Treat form on file, you do not need to do anything. By signing the form, you have granted us permission to share your health information to HIE.
Choice 2: Say No Thanks. Follow the Instructions on the HIE Opt-Out Form.
We recognize your right to choose not to participate in HIE, also referred to as opting-out. If you decide to opt-out of HIE, healthcare providers will not be able to access your health information through HIE. You should understand that providers may still request and receive your medical information from other providers using other methods permitted by law, such as fax, mail or other electronic communication.
If you want to opt-out of participating in HIE, please follow the appropriate procedure as outlined on the Privia HIE Opt-Out Request Form and/or contact the HIE directly. You may download and print the form on your computer or ask for a copy at any Privia care center location. Please read the Opt-Out Request Form carefully and follow the instructions on the form to opt out of HIE.
Please note, your opt-out does not affect health information that was disclosed through HIE prior to the time that you opted out.
Choice 3: You can change your mind at any time.
You can consent today to the sharing of your information via HIE and change your mind later by following the instructions on the opt-out form described under Choice 2.
You can opt out of HIE today and change your mind later by submitting a Privia HIE Reinstatement of Participation Form or, in certain cases, by contacting the HIE directly. The reinstatement form is available to download and print on your computer or you may ask for a copy of the form at any Privia care center location. Please follow the instructions on the form to opt back in to HIE.
J. Changes to This Notice
Privia reserves the right to change this Notice at any time. Privia reserves the right to make the revised or changed Notice effective for medical information we already have about you, as well as for any information we receive in the future. Privia will post the current Notice at registration sites throughout Privia and on our website at http://www.priviahealth.com/HIPAA.
K. Contact/Complaint Information
If you have any questions about this Notice or wish to file a privacy complaint, please contact:
950 N Glebe Rd, Suite 4000
Arlington, VA 22203
or email firstname.lastname@example.org
If your concern relates to a Texas Health Care / Privia Medical Group – North Texas provider, please contact:
Texas Health Care / PMG – North Texas
2821 Lackland Road, Ste 300
Fort Worth, Texas 76116
or email email@example.com
You can also use Privia’s on-line Compliance portal to file a complaint on-line: https://priviahealth.complytrack.com/portal
You can file a complaint directly with the U.S. Department of Health and Human Services
Office for Civil Rights by sending a letter to:
200 Independence Avenue, S.W
Washington, D.C. 20201
or on-line at: www.hhs.gov/ocr/privacy/hipaa/complaints/
If your provider is licensed in Texas, you can also file a complaint with:
Texas Department of State Health Services Investigations
P.O. Box 141369
Austin, Texas 78714-1369.
More information is at: https://dshs.texas.gov/hipaa/privacycomplaints.shtm
We will not retaliate against you for filing a complaint.
Privia Notice of Privacy Practices
Effective: February 2019