HIPAA NOTICE OF PRIVACY PRACTICES

Effective Date: June 29, 2023

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

This notice (“Notice”) is provided to you pursuant to the Health Insurance Portability and Accountability Act of 1996, and its implementing regulations, as amended by the Health Information Technology for Economic and Clinical Health Act, as each may be amended from time to time (collectively, “HIPAA”). It is designed to tell you how we may use or disclose your health information.

CENTERS FOR ADVANCED ORTHOPAEDICS, LLC (sometimes referred to in this Notice as the “Practice”, “we” or “us”) is required by law to provide you with notice of our legal duties and privacy practices with respect to your Protected Health Information (“PHI”) that we maintain. HIPAA places certain obligations upon us to maintain the confidentiality of your PHI. We take these obligations seriously.

I. USES AND DISCLOSURES OF YOUR HEALTH INFORMATION THAT DO NOT REQUIRE YOUR AUTHORIZATION.

Under certain circumstances, we are permitted by law to use and disclose your PHI without your prior authorization (verbal, written or otherwise), as further described in this Notice. For example, we do not have to obtain your permission before we use or disclose your PHI to provide you with treatment, to obtain payment for the services we provide to you, for our health care operations or as otherwise described in this Notice.

  • Treatment, Payment and Health Care Operations.

    • Treatment. We may use and disclose your PHI to provide, coordinate, or manage your medical treatment and related services. We may disclose your PHI to physicians, nurses, technicians, medical students, and personnel who are involved in your care. For example, a physician treating you for an injury may need to know if you have diabetes because diabetes may slow the healing process.

    • Payment. We may use and disclose your PHI so that the treatment and services you receive may be billed to and payment may be collected from you, a government agency, an insurance company or other third party. For example, we may tell your insurer or governmental payer about a treatment you are going to receive to obtain prior approval or to determine whether your insurance plan or the government agency will cover the cost of the treatment.

    • Health Care Operations. We may use and disclose your PHI for the Practice’s health care operations. For example, we may use your PHI to review our treatment and services and to evaluate the performance of our staff in caring for you; we may combine your PHI with health information of our other patients to evaluate services offered, performance, effectiveness and patient needs; we may use your PHI for teaching and learning purposes, and for the Practice’s business planning, management and administrative operations. We may also disclose your PHI in order to comply with applicable law, such as mandatory reporting requirements. By removing certain data that identifies you, we may use your PHI to create de- identified health information or to create a limited data set, and thereafter use such information in a manner consistent with applicable law.

  • To Other Healthcare Providers. We may disclose your PHI to other health care providers involved in your care for their treatment purposes, to allow them to obtain payment for the services they provide to you or to allow them to perform their own health care operations.

  • Disclosures to Relatives, Close Friends, Caregivers. We may disclose your PHI to family members and relatives, close friends, caregivers, or other individuals you identify or that are involved with your care or payment related to your care.

    In situations where you are present and able to agree or object to a use or disclosure of your PHI, we will make such disclosures in the following circumstances: (1) we obtain your authorization; (2) we provide you with the opportunity to object to the disclosure and you do not object; or (3) we reasonably infer that you would not object to the disclosure.

    In situations where you are not present or, due to your incapacity or an emergency, you are unable to agree or object to such disclosure of your PHI, we may exercise our professional judgment in order to determine whether such disclosure is appropriate. In those situations, we would limit the disclosure to the PHI that we believe is directly relevant to their involvement with your care or payment related to your care.

    You may, at any time, request that we do not disclose your PHI to any of these individuals.

  • Disaster Relief. In the event of a disaster, we may use or disclose your PHI to a public or private entity authorized by law or by its charter to assist in disaster relief efforts for the purpose of notifying or assisting in the notification of (including identifying or locating) your family member, personal representative, or another person responsible for your care regarding your location, general condition, or death.

  • Public Health Activities. We may disclose your PHI for certain public health activities as required by law, including:

    • To report PHI to public health authorities for the purpose of preventing or controlling disease, injury, or disability.

    • To report certain immunization information where required by law, such as to the state immunization registry or to your child's school.

    • To report births and deaths.

    • To report child abuse to public health authorities or other government authorities authorized by law to receive such reports.

    • To report information about products and services under the jurisdiction of the U.S. Food and Drug Administration, such as reactions to medications.

    • To notify you and other patients of any product or medication recalls that may affect you.

    • To alert a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition.

    • To report information to your employer as required under laws addressing work-related illnesses and injuries or workplace medical surveillance.

  • Health Oversight Activities. We may disclose your PHI to a health oversight agency, such as Medicaid or Medicare, that oversees health care systems and delivery, to assist with audits or investigations designed for ensuring compliance with such government health care programs.

  • Victims of Abuse, Neglect, Domestic Violence. Where we have reason to believe that you are or may be a victim of abuse, neglect or domestic violence, we may disclose your PHI to the proper governmental authority, including social or protective service agencies, that are authorized by law to receive such reports.

  • Judicial and Administrative Proceedings. We may disclose your PHI pursuant to a court order, subpoena, or other lawful process in the course of a judicial or administrative proceeding.

  • Law Enforcement Officials. We may disclose your PHI to police or other law enforcement officials as may be required or permitted by law or pursuant to a court order, subpoena, or other lawful process. We may also disclose your PHI to law enforcement where it may concern criminal conduct at our premises. We may also disclose your PHI where it would be necessary in an emergency to report a crime, identify a victim of a crime, or identify or locate the person who may have committed a crime.

  • Decedents. We may disclose your PHI to medical coroners for purposes of identifying or determining cause of death or to funeral directors in order for them to carry out their duties as permitted or required by law.

  • Workers Compensation. We may use or disclose your PHI to the extent necessary to comply with state law for workers’ compensation or other similar programs, for example, regarding a work-related injury you received.

  • Research. We may use or disclose your PHI for research purposes. In situations where we seek to disclose your PHI to a third party for research purposes, we will generally ask for your written authorization to do so. There are limited circumstances under which we may disclose your PHI without your authorization to third parties for research purposes, including, where such research is overseen by an Institutional Review Board or a privacy board that meets the applicable requirements under HIPAA, or in limited situations where we receive representations from the researchers limiting their use or disclosure of, or access to, the PHI.

  • Health or Safety. We may use or disclose your PHI where necessary to prevent or lessen threat of imminent, serious physical violence against you or another identifiable individual, or a threat to the general public.

  • Military and Veterans. For members of the armed forces and veterans, we may disclose your PHI as may be required by military command authorities. If you are a foreign military personnel member, your PHI may also be released to appropriate foreign military authority.

  • Specialized Government Functions. We may disclose your PHI to governmental units with special functions under certain circumstances. For example, your PHI may be disclosed to any of the U.S. Armed Forces or the U.S. Department of State.

  • National Security and Intelligence Activities. We may disclose your PHI to authorized federal officials for purpose of intelligence, counterintelligence and other national security activities that may be authorized by law.

  • Protective Services for the President and Others. We may disclose your PHI to authorized federal officials for purposes of providing protection to the President of the United States, other authorized persons or foreign heads of state or for purposes of conducting special investigations.

  • Inmates. If you are an inmate in a correctional institution or otherwise in the custody of law enforcement, we may disclose your PHI to the correctional institution or law enforcement official(s) as permitted or required by law, including where necessary (1) for the institution to provide health care; (2) to protect your health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution.

  • Organ and Tissue Procurement. If you are an organ donor, we may disclose your PHI to organizations that facilitate or procure organs, tissue or eye donations or transplantation.

  • As Required by Law. We may use or disclose your PHI in any other circumstances other than those listed above where we would be required by state or federal law or regulation to do so.

  • HIE Participation. We may use or disclose your PHI in connection with an electronic Health Information Exchange (“HIE”) in which the Practice participates for treatment, payment and health care operations purposes and other lawful purposes to the extent permitted by law. HIEs make it possible for us to electronically share patients’ PHI to coordinate their care, obtain billing information, and participate in quality improvement, public health and population health initiatives, among other purposes. Other healthcare providers (physician practices, ancillary service providers, etc.), health care entities (hospitals, surgery centers, ACOs, etc.), health plans, etc., may also have access to your information in the HIE for similar purposes to the extent permitted by law. The information accessible on the HIE may identify you personally and may include sensitive information (such as information relating to mental health, drug and alcohol treatment, HIV status and sexually transmitted diseases). You have the right to “opt-out” or decline to participate in all HIEs in which the Practice participates. To “opt-out” or decline to participate in the HIE, please notify CAO’s Privacy Officer, using the contact information in Article VII of this Notice.

II. USES AND DISCLOSURES OF YOUR HEALTH INFORMATION THAT REQUIRE YOUR WRITTEN AUTHORIZATION.

In general, we will need your specific written authorization to use or disclose your PHI for any purpose other than those listed above in Article I above. For example, in order for us to send your information to your life insurance company, we may require you to sign our HIPAA Authorization Form and tell us what information you would like sent.

We will seek your written authorization prior to disclosing the following information or your PHI for the following purposes, unless the use or disclosure is otherwise permitted or required by law:

  • HIV/AIDS Information. In most cases, we will NOT release any of your HIV/AIDS related information unless your authorization expressly states that we may do so. There are certain purposes, however, for which we may be permitted to release your HIV/AIDS information without obtaining your express authorization, such as to state agencies, upon court order or as otherwise permitted under applicable law.

  • Sexually Transmitted Disease Information. We will obtain your written authorization prior to disclosing any information that would identify you as having or being suspected of having a sexually transmitted disease. We may use and disclose information related to sexually transmitted diseases without obtaining your authorization only when permitted by law to do so.

  • Tuberculosis Information. We will obtain your written authorization prior to disclosing any information that would identify you as having or being suspected of having tuberculosis (“TB”). We may use and disclose information related to TB without obtaining your authorization where authorized by law.

  • Psychotherapy Notes. In most cases we will obtain your written authorization prior to disclosing any psychotherapy notes unless otherwise permitted by law. Nevertheless, there are certain purposes for which we may disclose psychotherapy notes, without obtaining your authorization, as permitted under HIPAA and applicable law.

  • Mental Health Information. Generally, we will obtain your written authorization prior to disclosing certain mental health information or information that would identify you as having a mental health condition. We may disclose information related to your mental health without obtaining your authorization as permitted by law.

  • Drug and Alcohol Information. We will obtain your written authorization prior to disclosing information related to drug and alcohol treatment or rehabilitation under certain circumstances such as where you received drug or alcohol treatment at a federally funded treatment facility or program.

  • Information Related to Emancipated Treatment of a Minor. If you are a minor who sought emancipated treatment from us, such as treatment related to your pregnancy or treatment related to your child, or a sexually transmitted disease, we will obtain your written authorization prior to disclosing any of your PHI related to such treatment to another person, including your parent(s) or guardian(s), unless otherwise permitted or required by law.

  • Marketing Activities. Except as otherwise permitted by law, we will obtain your written authorization prior to using your PHI for marketing purposes on most occasions. We may provide you with marketing materials face-to-face without obtaining such authorization, in addition to communicating with you about services or products that relate to your treatment, case management, or care coordination, alternative treatments, therapies, providers or care settings. If you provide us with your written authorization to send you marketing materials, you have a right to revoke your authorization at any time. If you wish to revoke your authorization, please notify CAO’s Privacy Officer using the contact information in Article VII of this Notice.

  • Activities Where We Receive Money for Giving Your Health Information to a Third- Party. For certain activities in which we would receive remuneration, directly or indirectly, from a third-party in exchange for your PHI, we will obtain your written authorization prior to doing so. We would not, however, require your authorization for activities such as for treatment, public health or research purposes. If you do provide us with your written authorization, you have a right to revoke your authorization at any time. If you wish to revoke your authorization, please notify CAO’s Privacy Officer using the contact information in Article VII of this Notice.

III. YOUR RIGHTS.

  1. Right to Request Additional Restrictions. You have the right to request restrictions on the uses and disclosures of your PHI, for treatment, payment and health care operations; to individuals involved in your care or payment related to your care; or to notify individuals about your condition or assist individuals to locate you or obtain information about your condition.

    We will carefully consider all such requests; however, we are not required to grant your request unless your request relates solely to disclosure of your PHI to a health plan or other payer for the sole purpose of payment or health care operations for a health care item or service that you or your representative have paid us for in full and out-of- pocket.

    If you’d like to request such restriction, you must submit your request for any such restrictions in writing and send your request to CAO’s Privacy Officer using the contact information in Article VII of this Notice.

  2. Right to Confidential Communications. You have the right to request to receive your PHI by an alternative means of communication or at alternative locations, and we will endeavor to accommodate all reasonable. You do not have to disclose the specific reason for your request; however, you must submit a request with specific instructions in writing. The Practice’s patient portal may provide you with a means to send and receive confidential communications conveniently and securely and to share your preferences for how we contact you.

  3. Right to Access/Copy Health Information. You have the right to access and request copies of your PHI that we maintain in a designated record set, subject to some exceptions. For PHI that we maintain in any electronic designated record set, you may request a copy of such PHI in a reasonable electronic format, if readily producible. We may deny you access to, or copies of, your PHI or health records in certain circumstances, and in such event, we will notify you of the basis of our denial. If you would like to access or request copies of your PHI that we maintain, please send your request in writing to CAO’s Privacy Officer using the contact information in Article VII of this Notice. As permitted by applicable law, we may charge you a reasonable fee for providing you with copies of your PHI.

  4. Right to Notice of Breach. We are required by law to protect the privacy and security of your PHI through appropriate safeguards. We will notify you in the event a breach occurs involves or potentially involves your unsecured PHI and inform you of what steps you may need to take to protect yourself.

  5. Right to Paper Copy of Notice of Privacy Practices. You may, at any time, request a paper copy of this Notice, even if you previously agreed to receive this Notice by email or other electronic format. Copies of the current Notice is available at CAO’s practice location where you receive treatment and on CAO’s website listed in Article VI of this Notice. Alternatively, you can obtain a paper copy by submitting your request to CAO’s Privacy Officer using the contact information in Article VII of this Notice.

  6. Right to Revoke Authorization. After providing the Practice with your authorization to use and disclose your PHI, you may, at any time, revoke such authorization regardless of whether your initial authorization was given verbally or in writing. To revoke your authorization, you must submit your request in writing to CAO’s Privacy Officer using the contact information provided in Article VII of this Notice. After you provide your authorization, the Practice is permitted to rely on it unless or until you notify CAO of your revocation of that authorization in writing.

  7. Right to Request Amendment. You may request that we amend or change your PHI that we maintain in a designated record set by submitting such request in writing to CAO’s Privacy Officer using the contact information provided in Article VII of this Notice. We may ask your provider(s) to review amendment requests to the medical record. We may deny your request if we believe the information you wish to amend is accurate and complete without your requested amendment, or amendment relates to PHI that was not created by a CAO provider, or if other special circumstances apply. We will notify you of any denial. If we accept your request for amendment, we will update your record in our files as appropriate.

  8. Right to an Accounting. You may request an accounting of disclosures of your PHI that we have made within the period of six (6) years from the date we receive your request. Please note that this accounting will not be your entire medical record and will not include certain disclosures of your PHI, such as disclosures of PHI for treatment, payment or health care operations, or disclosures of PHI that you had authorized. The first accounting you request within a period of twelve (12) months is free. Any subsequently requested accountings may result in a reasonable charge for the accounting statement. If you wish to request an accounting of disclosures, please submit your request in writing to CAO’s Privacy Officer using the contact information provided in Article VII of this Notice.

IV. OUR DUTIES.

We are required by law to protect the privacy of your PHI and to provide you with a copy of this Notice. We are also required to abide by the terms of this Notice.

We reserve the right to amend this Notice at any time without prior notice. In such event, the updated version of this Notice will apply with respect to all of your PHI, even to your PHI that was created prior to the change in the Notice, unless otherwise specified. If we change this Notice, such changes will be only to the extent permitted by law. We will also make the revised Notice available to you by posting it at CAO’s practice location where you receive treatment, as well as on our website provided in Article VI of this Notice. You may obtain a current copy of the Notice by submitting your request to CAO’s Privacy Officer using the contact information provided in Article VII of this Notice.

HIPAA generally does not “preempt” (or take precedence over) state privacy or other applicable laws that provide individuals greater privacy protections than those provided under HIPAA. Therefore, to the extent state law applies that is more stringent than HIPAA, we may be required to operate under that applicable state privacy standard. We will maintain your paper or electronic medical record for as long as required by applicable law.

V. COMPLAINTS.

If you believe your privacy rights have been violated, you may submit a complaint to the Practice by notifying CAO’s Privacy Officer in writing using the contact information provided in Article VII of this Notice. You may also submit a complaint to the Secretary of the U.S. Department of Health and Human Services using the contact information provided in Article VII of this Notice.

We will not retaliate against you for any complaint you make to the Practice or to the government about our privacy practices.

VI. ELECTRONIC NOTICE.

A current version of this Notice of Privacy Practices is maintained on our website at www.cfaortho.com.

VII. CONTACT INFORMATION.

CAO’s Privacy Officer: Contact information for the
U.S. Department of Health and Human Services:

Centers for Advanced Orthopaedics, LLC
6707 Democracy Blvd.
Suite 504
Bethesda, MD 20817

Privacy Officer: Renita Bean, CHC, CHCO, MHA, MBA
Phone: (301) 637-8713
Fax: (301) 637-8713
Email: compliancematters@cfaortho.com

U.S. Department of Health and Human Services for Civil Rights
200 Independence Avenue, S.W. Washington, D.C. 20201
Phone: (877) 696-6775
Email: OCRMail@hhs.gov

You may also file a complaint at the following website: https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf

VIII. SMS PRIVACY POLICY.

SMS CONSENT AND PHONE NUMBERS FOR THE PURPOSE OF SMS WILL NOT BE SHARED, SOLD OR DISCLOSED with any third party or any other individuals.