Last Updated: May 7, 2021
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) requires us to ask each of our patients to acknowledge receipt of our Notice of HIPAA Privacy Practices.
This Notice of HIPAA Privacy Practices (“Notice”) describes how your Protected Health Information (“PHI”) may be used and disclosed by Her M.D., Inc. (“HerMD”) and its affiliates Somi Javaid MD & Associates, LLC, SJ Medical Spa LLC and Her M.D., LLC (“HerMD Affiliates”) (together with HerMD, “we”, “us”, or “our”), and how you can get access to this information. Please review it carefully.
Each of HerMD and HerMD Affiliates together designate themselves as a single Affiliated Covered Entity (“ACE”) for purposes of compliance with HIPAA. Each of these entities, and their related sites, locations and care providers will follow the terms of this Notice. In addition, the entities, sites, locations and care providers may share medical information with each other for treatment, payment, or healthcare operations related to the ACE. This designation may be amended periodically to add new covered entities that are part of the Affiliated Covered Entity under HIPAA.
1. Our Commitment to Protect Your Health Information
We are dedicated to protecting your medical information. The “HIPAA Privacy Rule” requires that we provide detailed notice in writing of our privacy practices. Your PHI is information that identifies you and that relates to your past, present, or future healthcare. We are required by law to maintain the privacy of your PHI and to give you this notice about our privacy practices that explains your rights as our patient and how, when, and why we may use or disclose your PHI.
We are required by law to follow the privacy practices described in this Notice, but we may change our policies at any time. Changes will apply to information we already hold, as well as new information after the change occurs. We will make any such changes to this Notice by posting the revised Notice on our website. The date of the last update will be clearly indicated at the top of this Notice. Please review this Notice from time to time to ensure you are familiar with our HIPAA privacy practices.
2. How We May Use and Disclose Your PHI
Treatment, payment and healthcare operations. As described below, we will use or disclose your PHI for treatment, payment, or healthcare operations. The examples below do not list every possible use or disclosure in a category.
Treatment. We may use or disclose PHI about you to provide, coordinate or manage your healthcare and related services. We may consult with other healthcare providers regarding your treatment and coordinate and manage your healthcare with others. For example, we may use and disclose PHI when you need a prescription, lab work or other healthcare services. We may also use and disclose information about you to other healthcare providers involved in your care.
Payment. We may use and disclose PHI so that we can bill and collect payment for the treatment and services provided to you. For example, we may send your insurance company a bill for services or release certain medical information to your health insurance company so that it can determine whether your treatment is covered under the terms of your health insurance policy. We may also use and disclose PHI for billing, claims management, and collection activities.
Health care operations. We may use and disclose PHI in performing certain business activities which are called healthcare operations. Some examples of these operations include our business, accounting, and management activities. These healthcare operations may also include quality assurance, utilization review, and internal auditing, such as reviewing and evaluating the skills, qualifications, and performance of healthcare providers. If another healthcare provider, company, or health plan that is required to comply with the HIPAA Privacy Rule has or once had a relationship with you, we may disclose PHI about you for certain healthcare operations of that healthcare provider, company, or health plan. For example, healthcare operations may include assisting with the legal compliance activities of that provider, company or plan.
Business associates. We may contract with individuals and entities (business associates) to perform various functions on our behalf or to provide certain types of services. To perform these functions or to provide the services, business associates may receive, create, maintain, use or disclose your PHI. We require business associates to agree in writing to contract terms designed to appropriately safeguard your information. For example we may disclose your PHI to a business associate for claims administration purposes.
Communication to you. We may use or disclose PHI, including your email address or phone number, in order to contact you to follow up after you are discharged, for appointment reminders, to tell you about or recommend possible treatment options or alternatives that may be of interest to you, or, subject to certain limitations, to inform you about health related benefits or services that may be of interest to you, via email, phone or text message.
Your patient account. We may make certain PHI, such as information about care or treatment, appointment histories and medication records, accessible to you through online tools, such as email or your HerMD account (if applicable).
Communication to others if you agree or do not object. We may also use or disclose your PHI in the following circumstances. However, except in emergency situations, we will inform you of our intended action prior to making any such uses and disclosures and will, at that time, offer you the opportunity to object.
Notifications to friends and family. We may disclose PHI to your relatives, close friends or any other person identified by you if the PHI is directly related to that person’s involvement in your care or payment for your care. If you are unable to agree or object to such a disclosure, we may disclose such information as necessary if we determine that it is in your best interest based on our professional judgment. We may also use and disclose your health information for the purpose of locating and notifying your relatives or close personal friends of your location, general condition or death, and to organizations that are involved in those tasks during disaster situations.
Other uses and disclosures authorized by the HIPAA Privacy Rule. We may use and disclose PHI about you in the following circumstances, provided that we comply with certain legal conditions set forth in the HIPAA Privacy Rule.
Required by law. We may use or disclose PHI as required by federal, state, or local law if the disclosure complies with the law and is limited to the requirements of the law.
Public health activities. We may disclose PHI to public health authorities or other authorized persons to carry out certain activities related to public health, including to:
- Prevent or control disease, injury, or disability or report disease, injury, birth, or death;
- Report child abuse or neglect;
- Report information regarding the quality, safety, or effectiveness of products or activities regulated by the federal Food and Drug Administration;
- Notified a person who may have been exposed to a communicable disease in order to control who may be at risk of contracting or spreading the disease; or
- Report to employers, under limited circumstances, information related primarily to workplace injuries or illness or workplace medical surveillance.
Abuse, neglect, or domestic violence. We may disclose PHI to proper government authorities if we reasonably believe that you (or others) have been or may be a victim of domestic violence, abuse, or neglect.
Health oversight. We may disclose PHI to a health oversight agency for oversight activities including, for example, audits, investigations, inspections, licensure and disciplinary activities and other activities conducted by health oversight agencies to monitor the healthcare system, government healthcare programs, and compliance with certain laws.
Legal proceedings. We may disclose PHI as expressly required by the court or administrative tribunal order or in compliance with state law in response to subpoenas, discovery requests or other legal processes when we receive satisfactory assurances that efforts have been made to advise you of the request or to obtain an order protecting the information requested.
Law enforcement. We may disclose PHI to law-enforcement officials under certain specific conditions where the disclosure is:
- About a suspected crime victim if the person agrees or, under limited circumstances, we are unable to obtain the person’s agreement because of incapacity or emergency;
- To alert law enforcement of a death that we suspect was the result of criminal conduct;
- In response to authorized legal process or required by law;
- To identify or locate a suspect, fugitive, material witness, or missing person;
- About a crime or suspected crime committed on our premises; or
- In response to a medical emergency not occurring on our premises, if necessary to report a crime.
Coroners, medical examiners or funeral directors. We may disclose PHI regarding descendants to a corner, medical examiner or funeral director so that they may carry out their jobs. We may also disclose such information to a funeral director in reasonable anticipation of death.
Organ donation. We may disclose PHI to organizations that help procure, locate, and transplant organs in order to facilitate organ, eye, or tissue donation and transplantation.
Threat to health or safety. In limited circumstances, we may disclose PHI when we have a good faith belief that the disclosure is necessary to prevent a serious and imminent threat to the health or safety of a person or to the public.
Specialized government functions. We may disclose PHI for certain specialized government functions, such as military and veteran activities, national security and intelligence activities, protective services for the President and others, medical sustainability determinations, and for certain correctional institutions or in other law-enforcement custodial purposes.
Workers’ compensation. We may disclose PHI in order to comply with the law relating to workers’ compensation or other similar programs.
Research. We may disclose PHI about you for research purposes, subject to the confidentiality provisions of state and federal law. In most cases, we will ask for your written authorization before using your PHI or sharing it with others in order to conduct research. However, under some circumstances, we may use and disclose your PHI without your written authorization if an Institutional Review Board (IRB), applying specific criteria, determines that the particular research protocol poses minimal risk to your privacy, or in situations where a research project meets specific, detailed criteria established by the HIPAA Privacy Rule to ensure the privacy of PHI. Under no circumstances, however, would we allow researchers to use your name or identity publicly without your authorization. We may release your PHI without your written authorization to people who are preparing a future research project as long as any information identifying you does not leave HerMD, HerMD Affiliates or our business associates. Enrollment in a research study is completely voluntary, will not affect your treatment or welfare, and your PHI will continue to be protected.
Emergencies. We may use or disclose your PHI in an emergency treatment situation in compliance with applicable laws and regulations.
With your written authorization. Your written authorization generally will be obtained before we use or disclose psychotherapy notes about you that may be in our possession. Psychotherapy notes are separately filed notes about your conversations with a mental health professional during a counseling session; summary information about your mental health treatment does not constitute psychotherapy notes. In addition, your written authorization will be obtained for uses and disclosures of PHI, for marketing purposes and disclosures that constitute a sale of PHI, unless use and disclosure is permitted without your authorization. Except as described in this notice, all other uses and disclosures of your PHI will be made only with your written authorization. If you have authorized us to disclose or use PHI about you, you may revoke your authorization at any time, except to the extent that we have taken action based on the authorization (e.g., you cannot revoke with respect to disclosures that have already been made.)
Limited data set/minimum necessary. The amount of health information used or disclose in accordance with the above provisions will be limited, to the extent practicable, to a limited data set, or if needed by the practice, to the minimum necessary to accomplish the intended purpose of the use, disclosure or request, respectively. We commit to complying with any guidance issued in the future that relates to the minimum necessary use or disclosure of PHI.
3. Your Rights Regarding Your Protected Health Information
The HIPAA Privacy Rule gives you several rights with regard to your PHI these rates include:
Right to request restrictions. You have the right to request a restriction or limitation on the PHI we use or disclose about you for treatment, payments or healthcare operations, or that we disclose to those who may be involved in your care or payment for your care. In the instances where you have paid for healthcare items or services out of pocket in full, we are required upon request to restrict disclosures of PHI to your health plan. In all other instances, while we consider a patient’s restriction request, we are not required to agree to it. If we do agree to your request, we will comply with your request except as required by law or for emergency treatment. To request restrictions, you must make your request in writing to our Privacy Officer at the address listed on the last page of this Notice.
Right to receive confidential communications. You have the right to request that you receive communications regarding PHI in a certain manner or at a certain location. For example, you may request that we contact you at home rather than at work. You must make your request in writing to the Privacy Officer at the address listed on the last page of this Notice. We will accommodate all reasonable requests.
Right to inspect and copy. You have the right to inspect and receive a copy of your PHI contained in records we maintain that may be used to make decisions about your care. These records usually include your medical and billing records that we may maintain, but do not include psychotherapy notes, information gathered or prepared for a civil, criminal, or administrative proceeding, or PHI that is subject to law that prohibits access. To inspect or receive a copy of your PHI, you can (1) complete a Medical Records Request Form or (2) submit a written request to the Privacy Officer at the address listed on the last page of this Notice. If you request a copy of your PHI, we may charge you a reasonable fee for the copying, postage, labor and supplies used in meeting your request. If and only to the extent that the practice uses or maintains your PHI in electronic format and, upon your request, we will transmit such copy directly to an entity or individual of your designation, provided that such designation is made clear, conspicuous and specific. We may deny your request to inspect and copy PHI only under limited circumstances, and in some cases, a denial of access may be reviewable.
Right to amend. If you feel that medical information we have about you is incorrect or incomplete, you may ask us to amend the information for as long as such information is kept by us or for us. You must submit your request to amend in writing to the Privacy Officer and give us a reason for your request. We may deny your request in certain cases. If your request is denied, you may submit a written statement disagreeing with the denial, which we will keep on file and distribute with future disclosures of the information to which it relates.
Right to receive an accounting of disclosures. You have the right to request a list of certain disclosures of PHI made by us during a specific period of up to six years prior to the request, except disclosures: (i) for treatment, payment or healthcare operations, unless, as of the date required by the HITECH Act and only to the extent that the practice uses or maintains an EHR for you, such disclosures are made through your EHR (in which case the list of disclosures will be limited to those made in the three years prior to the date of your request, subject to certain restrictions); (ii) made to you; (iii) to persons involved in your care or for the purpose of notifying your family or friends of your whereabouts; (iv) for national security or intelligence purposes; (v) made pursuant to your written authorization; (vi) incidental to another permissible use or disclosure; (vii) for certain notification purposes (including national security, intelligence, correctional, and law-enforcement purposes); or (viii) made before April 14, 2003. If you wish to make such a request, please contact the Privacy Officer. The first accounting that you request in a 12 month period will be free, but we may charge you for the reasonable cost of providing additional lists in the same 12 month period. We will tell you about these costs, and you may choose to cancel your request at any time before costs are incurred.
Right to a paper copy of this notice. You have the right to receive a paper copy of this notice at any time. You are entitled to a paper copy of this notice even if you have previously agreed to receive this notice electronically. To obtain a paper copy of this notice, please contact the Privacy Officer.
The right to be notified of a breach of unsecured PHI. We are required by law to maintain the privacy of your PHI and to notify you if a breach of your unsecured PHI occurs.
If you believe your privacy rights have been violated, you may file a complaint with us, or the Secretary of the United States, Department of Health and Human Services. To file a complaint with our office, please contact our Privacy Officer. We will not take action against you in any way for filing a complaint.
5. Communication Platforms
We may also use PHI to send you appointment reminders and other communications relating to your care and treatment, or let you know about treatment alternatives or other health related services or benefits that may be of interest to you, via email, mail, phone call, or text message.
We may make certain PHI, such as information about care or treatment, appointment histories and medication records, accessible to you through secured online tools such as your HerMD account (if applicable).
If you choose to communicate with us via emails, texts or chats, you acknowledge that we may exchange PHI with you via email, text or chat, that email, text and certain chat functionality may not be a secure method of communication, and that you agree to the security risks of such communication. If you would prefer not to exchange PHI via email, text or chat, you can choose not to communicate with us via those means, and you can notify us at firstname.lastname@example.org.
If you have any questions or need additional information about this notice, please contact our Privacy Officer:
HIPAA Privacy Officer
Her M.D., Inc.
8350 East Kemper Road, Suite A
Cincinnati, OH 45249