Privacy Policy
Last updated 03/01/21
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. WORDS SUCH AS “we” AND “our Lab” REFER TO THE LABORATORY WHICH PROVIDED, OR ARRANGED FOR, LABORATORY SERVICES ON YOUR BEHALF.
PLEASE READ IT CAREFULLY
If you have any questions about this Notice, please contact AP2’s Compliance and Privacy Officer at our Lab’s parent company, American Pathology Partners, Inc., by one of the following methods:
Mail: 103 Continental Place, Suite 400, Brentwood, TN 37027
Phone: (615) 916-3200
Email: compliance@AP2.com
THE PURPOSE OF THIS NOTICE
This Notice will tell you about the ways in which our Lab protects, uses, and discloses your Protected Health Information (“PHI”). This Notice also describes your rights and certain obligations we have regarding the use and disclosure of PHI.
PHI means any information, transmitted or maintained in any form or medium, which our Lab creates or receives that relates to your physical or mental health, the delivery of health care services to you or payment for health care services, and that identifies you or could be used to identify you.
WHO IS COVERED BY THIS NOTICE
This Notice of Privacy Practices (the “Notice”) describes the privacy practices of our Lab and any of our employees and agents who are authorized to have access to PHI.
YOUR PHI AT OUR LAB
We maintain your PHI in a record we create of the services you receive from our Lab. We need this record to provide you with quality care and to comply with certain legal requirements. This Notice applies to all of those records which we create, receive, and/or maintain.
Your personal physician or other health care provider may have different policies or notices regarding his or her use and disclosure of your PHI created in the physician’s or health care provider’s office or clinic.
OUR PLEDGE REGARDING PHI
We understand that information about you and your health is personal. We are committed to protecting the confidentiality of your PHI.
OUR OBLIGATIONS AS TO PHI
We are required by law to:
- Make sure that PHI is kept private.
- Give you this Notice of our legal duties and privacy practices with respect to your PHI. (Since we rarely meet patients for whom we provide laboratory testing services, and therefore have limited opportunities to give them this notice personally, we make it available at our Lab and post it on our Lab’s website).
- Comply with the currently effective terms of this Notice.
We must notify you within 60 days if we discover that there has been a breach of your unsecured PHI. A breach occurs when there is unauthorized acquisition, use, access, or disclosure of unsecured PHI. PHI is unsecured when it is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of an approved technology or methodology, such as electronic encryption. The breach must pose more than a low probability that the unsecured PHI has been compromised based on a risk assessment considering the nature and extent of the PHI involved, the unauthorized person who accessed the PHI, whether the PHI was actually acquired or viewed, and the extent to which the risk to the PHI, such as further disclosure, has been mitigated. We are not required to notify you, though, of the following events: unintentional access or acquisition of unsecured PHI; inadvertent disclosure to another who is otherwise authorized to access PHI; any disclosure or access in which we have a good faith belief the PHI could not reasonably be retained. Normally we will provide you with individual notice via mail or other individual means. However, in certain circumstances, such as when we do not have sufficient contact information for you, we can post the notice on our website. In cases where an unusually large number of individuals are affected by the same wrongful disclosure, we must notify local media.
HOW WE MAY USE AND DISCLOSE PHI ABOUT YOU
The following categories describe different ways that we use and disclose PHI.
Use for Treatment, Payment, or Health Care Operations
We are permitted to use and disclose your PHI (1) to treat you by providing health care and related services, (2) to be paid for our services, and (3) to conduct health care operations. This section of this Notice discusses each of these types of uses and disclosures of PHI.
- For Treatment. We may use PHI about you to provide you with health care treatment or services. For example, we may use your PHI to diagnose or treat you for a particular condition. We may disclose PHI about you to our Lab personnel, as well as to doctors, nurses, hospitals, clinics, or other health care providers who are involved in your care. For example, the clinician who referred your testing to us, or other doctors treating you for a particular medical condition may need to know about the testing services we performed and any related diagnoses. Our Lab personnel may also share PHI about you in order to coordinate health care services and items that you may need.
- For Payment. We may use and disclose PHI about you so that our services may be billed to and payment may be collected from you, an insurance company, or a third party payor. For example, we may need to give your health plan information about the services provided on your behalf so that your health plan will pay us or reimburse you for the services or items.
- For Health Care Operations. We may use and disclose PHI about you for health care operations. These uses and disclosures are necessary to make sure you receive quality care. For example, we may use PHI to review our treatment and services and to evaluate the performance of our staff in providing services to you. We may also disclose information to doctors, nurses, hospitals, clinics, and other health care providers for review and learning purposes. We may remove information that identifies you from this set of PHI so others may use it to study health care and health care delivery without learning the names of the specific patients.
You may request that we not disclose your PHI for Treatment, Payment, or Health Care Operations purposes, but you must pay the cost of the lab service that is the subject of the PHI in full, and in advance, in order for us to be able to honor such a request.
Other Uses and Disclosures of PHI
Listed below are a number of other ways we are permitted or required to use or disclose PHI. This list is not exhaustive. Therefore, not every use or disclosure in a category is listed.
- Appointment Reminders. We may use and disclose protected health information to contact you as a reminder that you have an appointment with our Lab.
- Individuals Involved in Your Care or Payment for Your Care. We may release protected health information about you to a friend or family member who is involved in your medical care. We may also give information to someone who helps pay for your care. In addition, we may disclose protected health information about you to an entity assisting in an emergency so that your family can be notified about your condition, status, and location.
- As Required By Law. We will disclose protected health information about you when required to do so by federal, state, or local law.
- Public Health Risks. We may disclose protected health information about you for public health activities. These activities generally include the following:
- To prevent or control disease, injury, or disability;
- To report births and deaths;
- To report child abuse or neglect;
- To report reactions to medications or problems with products;
- To notify people of recalls of products they may be using;
- To notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; and
- To notify the appropriate government authority if we believe a patient has been the victim of abuse, neglect, or domestic violence. We will only make this disclosure if you agree or when required or authorized by law.
- Health Oversight Activities. We may disclose protected health information to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.
- Lawsuits and Disputes. If you are involved in a lawsuit or dispute, we may disclose protected health information about you in response to a court or administrative order. We may also disclose protected health information about you in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested.
- Law Enforcement. We may release protected health information if asked to do so by a law enforcement official:
- In response to a court order, subpoena, warrant, summons, or similar process;
- To identify or locate a suspect, fugitive, material witness, or missing person;
- About the victim of a crime if, under certain limited circumstance, we are unable to obtain the person’s agreement;
- About a death we believe may be the result of criminal conduct;
- About criminal conduct; and
- In emergency circumstances to report a crime; the location of the crime or victims; or the identity, description, or location of the person who committed the crime.
- Coroners and Medical Examiners. We may release protected health information to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death.
- Organ and Tissue Donation. If you are an organ donor, we may release protected health information to organizations that handle organ procurement or organ, eye, or tissue transplantation or to an organ donation bank, as necessary to facilitate organ or tissue donation and transplantation.
- Research. Under certain circumstances, we may use and disclose protected health information about you for research purposes. All research projects, however, are subject to a special approval process. This process evaluates a proposed research project and its use of medical information, trying to balance the research needs with a patient’s need for privacy of their protected health information. We will always obtain patient authorization for research if identifiable PHI is used.
- To Avert a Serious Threat to Health or Safety. We may use and disclose protected health information about you when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat (i.e., Department of Health).
- Military and Veterans. If you are a member of the armed forces, we may release protected health information about you as required by military command authorities. We may also release protected health information about foreign military personnel to the appropriate foreign military authority.
- National Security and Intelligence Activities. We may release protected health information about you to authorized deferral officials for intelligence, counter-intelligence, and other national security activities authorized by law.
- Protective Services for the President and Others. We may disclose medical information about you to authorized federal officials so they may provide protection to the President, other authorized persons, or foreign heads of state, or conduct special investigations.
- Inmates. If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release medical information about you to the correctional institution or law enforcement official. This release would be necessary (1) for the institution to provide you with health care, (2) to protect your health and safety of others, or (3) for the safety and security of the correctional institution.
- Health-Related Benefits and Services. We may use and disclose medical information to tell you about health-related benefits or services that may be of interest to you.
- Workers’ Compensation. We may release protected health information about you for Workers’ Compensation or similar programs. These programs provide benefits for work-related injuries or illness.
Certain uses and disclosure generally will be made only upon your written authorization, including:
- uses and disclosures of psychotherapy notes (if recorded by us);
- uses and disclosures of PHI for marketing purposes, including subsidized treatment communications;
- disclosures that constitute a sale of PHI; and
- other uses and disclosures not described in this Notice.
You have the right to revoke such authorization, in writing, except where we have previously taken action in reliance on your prior authorization, or if the authorization was a condition to obtaining insurance coverage and other law provides the insurer with the right to contest a claim under the policy. You have the right to opt-out of our use of your PHI for fundraising purposes, and to restrict our ability to disclose PHI to your family, personal representatives, and/or friends relating to your care or payment for your care or when needed to notify individuals regarding your location or general condition.
YOUR RIGHTS REGARDING MEDICAL INFORMATION ABOUT YOU
Requests for access must be made in writing:
- The Notice of Privacy Practices. The Notice of Privacy Practices (“NPP”) shall inform patients of the requirement that requests be made in writing.
- Forms. We will provide forms to facilitate requests.
- Summary. In accordance with federal and state law, if you agree, we will provide a summary or narrative of PHI when you request access to PHI.
If your request for access directs us to transmit the copy of PHI directly to another person or entity designated by you, we must provide the copy designated by you. Your request must be in writing, signed by you, and clearly identify the designated person or entity and where to send the copy of PHI. We may accept an electronic copy of a signed request (e.g., PDF), as well as an electronically executed request (e.g., via a secure web portal) that includes an electronic signature. The same requirements for providing the PHI to you, such as the fee limitations and requirements for providing the PHI in the form and format and manner requested by you, apply when you direct that the PHI be sent to another person. Further, the same limited grounds for denial of access that apply to the patient receiving the PHI apply to a designated third party.
You have the following rights with respect to your protected health information:
- Right to Inspect and Copy. You have the right to inspect and copy protected health information that may be used to make decisions about your care. Generally, this information includes medical and billing records but does not include: (1) psychotherapy notes; (2) information prepared in anticipation of or for use in a civil, criminal, or administrative action; and (3) protected health information maintained that is (a) subject to the Clinical Laboratory Improvements Amendments (“CLIA”) of 1988, 42 U.S.C. 263a if access to the individual would be prohibited by law, or (b) exempt from CLIA pursuant to 42 CFR 493.3(a)(2).To inspect and copy protected health information maintained by our Lab, you must submit your request in writing to AP2’s Compliance and Privacy Officer. We may charge a fee for the costs of copying, mailing, or other supplies associated with your request. We may deny your request to inspect and copy your protected health information in certain limited circumstances. If you are denied access to medical information, you will receive a written denial. You may request that the denial be reviewed. Thereafter, another licensed health care professional chosen by our Lab will review your request and the denial. The person conducting the review will not be the person who originally denied your request. We will comply with the outcome of the review. We may charge you reasonable fees for copying your PHI.
- Right to Amend. If you believe that the protected health information we have about you is inaccurate or incomplete, you may ask us to amend the information. You have the right to request an amendment for so long as the information is kept by or for our Lab. In order to request an amendment to your protected health information, your request must be made in writing and submitted to AP2’s Compliance and Privacy Officer. In addition, you must provide a reason that supports your request. We will generally make a decision regarding your request for amendment no later than sixty (60) days after receipt of your request. However, if we are unable to act on the request within this time, we may extend the time for thirty (30) more days, but we will provide you with written notice of the reason for the delay and the approximate time for completion. If we deny your requested amendment, we will provide you with a written denial. We have the right to deny your request for an amendment if it is not in writing or does not include a reason to support the request. We are not required to agree to your request if you ask us to amend protected health information that:
- Was not created by us, unless the person or entity that created the information is no longer available to make the amendment;
- Is not part of the protected health information kept by or for our Lab;
- Is not part of the protected health information which you would be permitted to inspect and copy; or
- Is already accurate and complete.
- Right to an Accounting of Disclosures. You have the right to request an “accounting of disclosures.” This is a list of the disclosures of protected health information we have made about you. We do not have to list certain disclosures such as those made for the purposes of treatment, payment, or healthcare operations, pursuant to a prior authorization by you or for certain law enforcement purposes. In order to request this list or accounting of disclosure, your request must be submitted in writing to AP2’s Compliance and Privacy Officer. Your request must also state a time period for which you want the accounting to cover, which may not be longer than six (6) years. Your request should also specify the format of the list you prefer (i.e., on paper or electronically). The first list you request within a twelve (12) month period will be free. For additional lists, we may charge you for the costs of providing the list. We will notify you of the costs involved and you may choose to withdraw or modify your request at that time before any costs are incurred.
- Right to Request Restriction of Uses and Disclosures. You have the right to request that we restrict the uses and disclosures of protected health information about you to carry out treatment, payment, or health care operations and/or to individuals involved in your care. We cannot restrict disclosures required by law or requested by the federal government to determine if we are meeting our privacy protection obligations. We are not required to agree to your request; however, if we do agree, we will comply with your request unless the information is needed to provide you emergency medical treatment. To request restrictions, you must make your request in writing to AP2’s Compliance and Privacy Officer. Your request must specify (1) what protected health information you want to limit; and (2) whether you want to limit our use, disclosure, or both, and to whom you want the limits to apply (i.e., disclosures to your spouse). We may terminate our agreement to the restriction if you orally agree to the termination and it is documented, you request the termination in writing, or we inform you that we are terminating our agreement with respect to any information created or received after receipt of our Notice. In addition to the right to request a restriction as described above, you have the right to order that we not send your protected health information to any insurance company or person responsible for payment for your services, in order for the Lab to be paid for our services on your behalf. However, should you wish to exercise this right, you will be required to pay for our services, at our undiscounted rates, in full and in advance.
- Right to Request Confidential Communications. You also have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail. In order to request confidential communications, you must make your request in writing to AP2’s Compliance and Privacy Officer. We will not ask you the reason for your request. We will accommodate all reasonable requests. Your request must specify how or where you wish to be contacted.
- Right to Receive Notice Electronically. You have the right to a paper copy of this Notice. You may ask us to give you a copy of this Notice at any time. Even if you have agreed to receive this Notice electronically, you are still entitled to a paper copy of this Notice.
To obtain a paper copy of this Notice, please call or write to AP2’s Compliance and Privacy Officer by one of the following methods:
Mail: 103 Continental Place, Suite 400, Brentwood, TN 37027
Phone: (615) 916-3200
Email: compliance@AP2.com
FEES
- Notification. If the Privacy Officer accepts a request for access to PHI, the patient shall be notified in advance of the fees involved. The fee may include only the cost of (1) labor for copying the PHI requested by the patient, whether in paper or electronic form; (2) supplies for creating the paper copy or electronic media (g., CD or USB drive) if the patient requests that the electronic copy be provided on portable media; (3) postage, when the patient requests that the copy, or the summary or explanation, be mailed; and (4) preparation of an explanation or summary of the PHI, if agreed to by the patient.
- Electronic Fee.
- No Fee Permitted for CEHRT. Where a patient requests or agrees to access PHI through a View, Download, and Transmit functionality of a certified electronic health record technology (“CEHRT”) that has been certified as being capable of making the PHI accessible, there are no labor costs and no costs for supplies to enable such access. Thus, we cannot charge a patient a fee when we fulfill an access request using View, Download and Transmit functionality of our CEHRT.
- Flat Fee for Electronic Copies of PHI Maintained Electronically. We may charge patients a flat fee for all requests for electronic copies of PHI maintained electronically, provided the fee does not exceed $6.50, inclusive of all labor, supplies, and any applicable postage.
- Paper Fee.
- We may charge a reasonable, cost-based fee for patients to receive a copy of the patient’s PHI. In addition to being reasonable, the fee may include only certain labor, supply, and postage costs that may apply in providing the patient with the copy in the form and format and manner requested or agreed to by the patient. The following methods may be used, as specified below, to calculate this fee.
- Actual costs: We may calculate actual labor costs to fulfill the request, as long as the labor included is only for copying (and/or creating a summary or explanation if the patient chooses to receive a summary or explanation) and the labor rates used are reasonable for such activity. We may add to the actual labor costs any applicable supply (g., paper, or CD or USB drive) or postage costs. An example of an actual labor cost calculation would be the time it takes for the workforce member to make and send the copy in the form and format and manner requested or agreed to by the patient, multiplied by the reasonable hourly rate of the person copying and sending the PHI. What is reasonable for purposes of an hourly rate will vary depending on the level of skill needed to create and transmit the copy in the manner requested or agreed to by the patient (e.g., administrative level labor to make and mail a paper copy versus more technical skill needed to convert and transmit the PHI in a particular electronic format).
- Average costs. In lieu of calculating labor costs individually for each request, we can develop a schedule of costs for labor based on average labor costs to fulfill standard types of access requests, as long as the types of labor costs included are the ones which the Privacy Rule permits to be included in a fee (g., labor costs for copying but not for search and retrieval) and are reasonable. We may add to that amount any applicable supply (e.g., paper, or CD, or USB drive) or postage costs. The established State rules on allowing fees must be interpreted in conjunction with the HIPAA federal Rules. A per-page fee is appropriate only in cases where the PHI requested is maintained in paper form and the patient requests a paper copy of the PHI or asks that the paper PHI be scanned into an electronic format. Per-page fees are not permitted for paper or electronic copies of PHI maintained electronically.
- Notice of Fees.
- Upon providing notice to patients of the fee, we shall inform patients of any associated fees that may impact the form or format and manner in which the patient requests or agrees to receive a copy of PHI, g., a disc.
- We should make available to patients an approximate fee schedule for regular types of access requests. If a patient requests, we should provide the patient with a breakdown of charges for labor, supplies, and postage, if applicable, that make up the total fee charged.
- We may charge a reasonable, cost-based fee for patients to receive a copy of the patient’s PHI. In addition to being reasonable, the fee may include only certain labor, supply, and postage costs that may apply in providing the patient with the copy in the form and format and manner requested or agreed to by the patient. The following methods may be used, as specified below, to calculate this fee.
CHANGES TO THIS NOTICE
We reserve the right to change our privacy practices that are described in this Notice. We reserve the right to make the revised or changed privacy practices applicable to protected health information we already have about you, as well as any information we receive in the future. A copy of our current Notice will be posted and made available in our Lab offices(s) and website. Prior to a material change to the uses or disclosures, your rights, our legal duties, or other privacy practices stated in this Notice, we will revise this Notice and make the revised version of the Notice available upon request, and on our Lab’s website. This Notice will contain an effective date on the first page.
COMPLAINTS
If you believe your privacy rights have been violated, you may file a complaint with our Lab, or with the Secretary of the Department of Health and Human Services. To file a complaint with us, please write to AP2’s Compliance and Privacy Officer. All complaints must be submitted in writing to:
American Pathology Partners, Inc.
c/o Compliance and Privacy Officer
103 Continental Place, Suite 400
Brentwood, TN 37027
You will not be penalized or retaliated against for filing a complaint.
OTHER USES OF MEDICAL INFORMATION
Other uses and disclosures of medical information not covered by this Notice or the laws that apply to us will be made only with your written consent. If you provide us permission to use or disclose protected health information about you, you may revoke that consent, in writing, at any time. If you revoke your consent, we will no longer use or disclose medical information about you for the reasons covered by your written authorization. You understand that we are unable to take back any disclosures we have already made with your consent and that we are required to retain our records of the care that we provided to you.
NON-DISCRIMINATION
American Pathology Partners complies with applicable Federal civil rights laws and does not discriminate on the basis of race, color, national origin, age, disability, or sex.
Thank you.