Western Reserve Area Agency on Aging
REVISED NOTICE OF PRIVACY PRACTICES
(Adopted 2003; Latest Revision 2016)

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

We at Western Reserve Area Agency on Aging (“We” or “WRAAA”) are committed to safeguarding the Privacy and Security of Protected Health Information of Consumers (“Consumers” or “You”) in paper and electronic form (“PHI”). We have adopted Privacy practices that comply with HIPAA’s Privacy and Security Rules to protect the Use and Disclosure of Your PHI.

We are providing this Notice of Privacy Practices to Consumers at the initial contact. Please keep this Notice of Privacy Practices in a safe place at home. Read it. Feel free to share it with Your family or Personal Representative. This Notice of Privacy Practices is available any time on Our website: www.psa10a.org.

Not every Use or Disclosure of PHI, with or without a signed Authorization, is listed in this Notice of Privacy Practices. Uses or Disclosures not specifically listed in this Notice generally require a signed Authorization. If You have questions or concerns about Our policies, or if you need another paper copy of this Notice, please call Our Privacy Officer at 216.621.0303.

Use and Disclosure of PHI for Treatment, Payment, Health Care Operations (TPO)

We will create, receive, access, or store Your PHI, which We may Use or Disclose to other Covered Entities, Business Associates for Treatment, Payment, or Health Care Operations (“TPO”) without Your need to sign an Authorization.

Covered Entities

“Covered Entities” include: health care providers (doctors, nurses, licensed social workers, nursing homes, home health agencies, durable medical equipment suppliers, other health care professionals and suppliers who may be or become involved in Your care); governmental programs and payers; and commercial group insurers and health plans.
WRAAA is a Covered Entity. HIPAA’s Privacy and Security Rules apply to Us and to other Covered Entities.

Business Associates

We may contract with outside third-parties or entities called “Business Associates,” who may access, Use, store, transmit, or Disclose PHI to perform covered functions for Us on Your behalf. Business Associates, including their agents and subcontractors, must protect the Privacy and Security of Your PHI to the same extent as Covered Entities.

Individual

“Individual” means the Consumer/Waiver Consumer to whom PHI applies. We will use the term “Consumer” synonymously with the terms “Individual” and “Waiver Consumer.”

Personal Representative

“Personal Representative” means persons acting on behalf of the Consumer, including family, spouse, guardian, attorney-in-fact under a health care power of attorney, or other persons assisting the Consumer. Personal Representative has the same meaning as Authorized Representative under Ohio Administrative Code, Section 173-42-01.

Protected Health Information (“PHI”)

“Protected Health Information” (abbreviated “PHI”) means individually identifiable health and demographic information in oral, paper, or electronic form, that is created or received by Covered Entities or their Business Associates that relates to the Consumer’s past, present or future physical or mental condition, the provision of health care Treatment/services to the Consumer, and the past, present or future payment for the provision of health care Treatment/services to the Consumer.

Designated Record Set

A “Designated Record Set” means a group of records containing PHI in paper or electronic form that is stored and maintained by or for a Covered Entity, which may include medical, healthcare and service records, billing claims/payment information, eligibility and enrollment information, and other information used to make decisions about Consumers.

Safeguards

We and Our Business Associates are required to adopt administrative, physical, and technical “Safeguards” to store and protect the Privacy and Security of Your PHI in compliance with HIPAA.

Use of PHI

Use means Our accessing, storing, sharing, employing, applying, utilizing, examining, or analyzing Your PHI within WRAAA and its Workforce, which includes Our employees, staff, volunteers, and interns. We will Use Your PHI for Treatment, Payment, and Healthcare Operations.

Disclosure of PHI

Disclosure means Our releasing, transferring, providing access to, divulging or sharing Your PHI with third parties outside of WRAAA, which may include Business Associates, governmental and commercial insurers and healthcare plans, as well as other agencies and programs including the Ohio Department of Aging and Ohio Department of Medicaid, which may store and safeguard Your PHI.

Treatment

We may Use or Disclose Your PHI for Treatment, which includes the provision, arrangement, coordination, or management of health care and services by Our Workforce that includes doctors, health care providers, licensed social workers, case managers and includes eligibility, referrals, coordination of care, and consultations between providers. We will not Disclose Your PHI to persons who are not involved (or who do not become involved) in Your Treatment or Payment for Treatment without Your signed Authorization.

Payment

We may Use and Disclose Your PHI when arranging for Payment of Treatment by government or commercial payers and plans. You may ask Us not to submit a claim containing certain PHI to a third-party payer. We will honor Your request if You accept full financial responsibility.

Healthcare Operations

We will Use PHI for Healthcare Operations, which do not require a signed Authorization.
Healthcare Operations include quality assurance, performance improvement, peer review, risk management, legal financial audits, legal and compliance monitoring, supervising, training, and evaluation of staff, and general business and administrative activities. Healthcare Operations may also include preventive care, wellness programs, case management, and related services.

Minimum Necessary

Except when PHI is Used or Disclosed for Treatment, We will limit the Use or Disclosure of Your PHI to the minimum necessary to perform the intended purpose of that Use, Disclosure, or request for PHI. In some cases for good cause, We may redact certain information.

Communicating with You, Your Family, Personal Representative, and Persons Involved in Your Care

Communicating with You

We may contact You (or Your Personal Representative) for scheduling appointments, reminding You of appointments, and arranging for related services or eligible programs. We may contact You at home by mail, email, telephone, or text. If We call You, We will identify Ourselves and ask to speak with You or Your Personal Representative. If You or Your Personal Representative are not available, We may leave a message to call Us, but We will not Disclose details about Your PHI in that message.

You May Request that We Contact You by Different Means

You may request Us to contact You by different means or at a different telephone number, address, email address, or text number from what You normally use. Let Us know if You do not want Us to send information to You at Your home address, a particular email address, text number, call You at home, or leave a message. You do not have to give a reason for Your request.

Communicating with Your Family, Personal Representative, and Others

Most Consumers allow Us to discuss their PHI with family members, guardians, persons named in a health care power of attorney or living will, Personal Representatives, or others assisting in Your care or helping You pay Your bills.
This may include discussing or answering questions a family member has about Your condition, Treatment (services), medication and refills, or appointments. It also may include answering questions about eligibility or payment for services or other programs. Please tell Us with whom We may communicate and with whom We may not discuss Your condition, Treatment, or services. We will communicate with family members or others involved in Your care, unless you tell us not to, in emergencies or if Required by Law.

Deceased Consumers

We will Disclose PHI of deceased Consumers to the probate court’s appointed Executor or Administrator of the deceased Consumer’s estate. We also will Disclose PHI to the Consumer’s spouse, family, Personal Representative, or others involved in the Consumer’s care or management of the Consumer’s affairs, unless doing so is inconsistent with the Consumer’s express wishes known to Us. We may Disclose PHI of any deceased Consumer without an Authorization after 50 years after the Consumer’s death.

Contacting You about Other Services and Fundraising and Your Ability to Opt-Out

Marketing, Services and Related Programs

We will never sell and Disclose Your PHI to third-parties for marketing without Your signed Authorization. We or a Business Associate may contact You about other services, health-related benefits, preventive services, case management and other programs, such as smoking cessation, weight management, and education programs. We or a Business Associate may contact You in follow-up to services regarding Your satisfaction. If You do not want to be contacted or receive information about these services and programs, You may opt out by calling 216.621.0303. Opting out will not affect any care, Treatment, or services We are providing to or arranging for You.

Fundraising

We or a Business Associate may contact You about fundraising.
If You do not want to receive fundraising materials or be contacted about fundraising, You may opt out by contacting (800) 626.7277. Opting out will not affect any care, Treatment or services We are providing to or arranging for You.

Disclosure of PHI Without an Authorization as Required by Law

We may Use or Disclose PHI without an Authorization, as permitted or Required by Law, to the following, which include:

Public Health Agencies. Ohio law requires Us to Disclose PHI to public health agencies for reporting births and deaths, to help control disease, injury or disability. The law requires Us to report cases of suspected abuse, neglect, or domestic violence.

FDA and OSHA. Certain Federal laws from the FDA and OSHA require Us to Disclose PHI in reporting adverse events, product problems, and biological product deviations, so safety precautions, recalls and notifications can be conducted.

Regulatory Agencies. We will Disclose PHI to certain Ohio and Federal governmental regulatory and health oversight agencies for purposes of their reviewing health care system, civil rights, privacy laws, and compliance with other governmental programs.

National and Homeland Security. We will Disclose information concerning Consumers, when appropriate, to authorized federal officials for intelligence and other National and Homeland Security purposes.

Protective Services for the President and Others. We will Disclose information concerning Consumers, when appropriate, to authorized federal officials, so they may provide protection to the President, other authorized persons, or foreign heads of state and officials, or to conduct special investigations.

Red Cross and Armed Forces. We will Disclose PHI to the Red Cross or Armed Forces to assist it in notifying the Consumer’s family member of the Consumer’s location, general condition, or death.

Coroners, Medical Examiners, and Funeral Directors.
We will Disclose PHI to coroners, medical examiners, or funeral directors for them to perform legally authorized responsibilities.

Law Enforcement. We will Disclose PHI to law enforcement officials when it: (1) is limited to identification purposes; (2) applies to victims of crime; (3) involves a suspicion that injury or death has occurred because of criminal conduct; (4) is needed in a criminal investigation; (5) necessary to prevent or lessen the threat to the health or safety of a person or to the public; (6) in response to a valid court order; (7) to identify or locate a suspect, fugitive or missing person; (8) to report a crime on WRAAA premises; or (9) as otherwise permitted or Required by Law.

Emergency or Disaster. If the President declares an emergency or disaster, and the Secretary of HHS declares a public health emergency, the Secretary may waive Our obligation to comply with any or all of the following Privacy requirements to: (1) obtain the Consumer’s agreement to speak to family members or friends involved in the Consumer’s care; (2) honor a request to opt out of the facility directory; (3) distribute a Notice of Privacy Practices; (4) Consumer’s right to request Privacy restrictions; or (5) the Consumer’s right to request confidential communications. Waiver only applies if We are in an emergency area for the emergency period and for up to 72 hours until We implement Our disaster protocol.

Preventing Threats of Serious Harm. We will Disclose PHI if a reasonable belief exists that it may prevent or lessen a serious and imminent threat to the health or safety to You, another person, or the public, and Disclosure is made to a person(s) reasonably able to prevent or lessen the threat, including the target of the threat.

Proof of Immunization. We may Disclose PHI to schools for the limited purpose of showing proof of immunization of a student or prospective student, and the parent or guardian does not object.

Release of PHI to Other State Agencies

We may share Consumer PHI and other personal information with other Ohio agencies, including the Ohio Department of Aging and Ohio Department of Medicaid, as well as with Federal programs, without the need of a signed Authorization, to the extent that information is needed to: (1) establish eligibility for the program or services; (2) determine the amount of medical assistance required; (3) provide services to the Consumer; or (4) conduct or assist with an investigation, prosecution, or civil/criminal proceeding that is directly related to the administration of Medicaid.

Release of PHI to Long-Term Care Ombudsman

We have a procedure for addressing referrals and interaction with the State’s Long-Term Care Ombudsman Program. We may initially accept verbal consent by a Consumer, or the Consumer’s Personal Representative, to make a referral, including the Consumer’s name, phone number, address, and concern. We will not Disclose medical and other Consumer records and PHI without a signed Authorization.

Subpoenas, Court Orders, Qualified Protective Orders

We have established a chain of communication and procedure to handle any subpoena, court order, or Qualified Protective Order that seeks a Consumer’s PHI. We will not produce Your PHI requested by subpoena issued in a civil case unless We receive: (1) a signed Authorization from You or Your Personal Representative; (2) a valid court order; or (3) a valid Qualified Protective Order. We will produce PHI, without the need of an Authorization, in response to a valid subpoena or warrant issued by an Ohio or Federal regulatory agency that has oversight responsibilities, legal authority, or as Required by Law.

Media Requests

We have policies and procedures for protecting and responding to media requests for information about Consumers. We will not Disclose Your PHI or other personal information without Your signed Authorization.

Other Uses and Disclosures of PHI that Require an Authorization and Your Right to Cancel Authorization

General Policy

We will not Use, Disclose or release Your PHI to Non-Covered Entities without Your signed HIPAA-compliant Authorization, except as stated in this Notice or as permitted or Required by Law. Examples of Non-Covered Entities include employers, life insurance companies, attorneys, and other third parties that are not performing Treatment, Payment, or Healthcare Operations.

Special Circumstances

Ordinarily, We do not need a signed Authorization to Use or Disclose PHI for providing or arranging for the provision of Treatment. An exception exists for psychotherapy notes, which requires a signed Authorization before they can be Disclosed, unless release is Required by Law. Specific Authorizations are required under Federal and State law before We can Disclose records and PHI related to mental health, alcohol or substance abuse, HIV or AIDS, except for treatment purposes in which case a specific Authorization is not required.

Authorization

You, or a guardian, attorney-in-fact under a durable power of attorney for health care, or Your Personal Representative may complete and sign (or authenticate) an Authorization on Your behalf for the Disclosure of PHI. Signing an Authorization is voluntary. Treatment/services will not be conditioned on Your signing or refusing to sign an Authorization. We will accept original and facsimiles of Your Authorization.

Elements of a valid Authorization include the following:

- Consumer’s name, address, and other identifying information.
- Description of the PHI/ePHI to be Used or Disclosed.
- The name and address of the entity or person to whom Disclosure is to be made.
- A description of each purpose for the requested Disclosure.
- An expiration date or event triggering expiration.
- Statements that:
  - Treatment or services will not be conditioned on the consumer’s signing an Authorization.
  - Consumer may revoke an Authorization in writing.
  - PHI Disclosed to a non-Covered Entity may be re-disclosed.
- Signature of the consumer or Responsible Party.
- Date of signature.

If We keep hard copies of Your records, including (but not limited to) assessments and care plans, in a Designated Record Set, We will release the records and Disclose Your PHI according to Your Authorization. If We do not keep and maintain Your PHI in a Designated Record Set, We will forward Your Authorization within 30 days to the entity that is keeping and maintaining Your PHI in a Designated Record Set, which may include the Ohio Department of Aging, the Ohio Department of Medicaid, commercial payers and health plans, so that entity may release the records and Disclose Your PHI according to Your Authorization.

Validity and Expiration

Our policy is to honor valid Authorizations for 12 months, unless You cancel or specify a different date or event. After that, You or Your Personal Representative must sign a new Authorization. This is for Your protection.

Cancellation

You may cancel Your Authorization in writing at any time by notifying Us in person or faxing Us the written cancellation. Once We receive Your written cancellation, We will promptly forward it to the entity that is housing and maintaining Your PHI. We no longer will Disclose Your PHI or release records. We are not responsible for any Use or Disclosure of PHI in reliance of Your Authorization before We receive Your written cancellation.

Re-Disclosure

Once PHI is Disclosed to a Non-Covered Entity, HIPAA no longer applies. A person or entity that is not covered by HIPAA may use or re-disclose medical information it receives in any way that is not otherwise prohibited by law.

Your HIPAA Rights

You have the Right to Request Restrictions on Certain Uses and Disclosures of PHI

You may request that We do not Disclose some or all of Your PHI to family members, guardian, attorney-in-fact under a health care power of attorney, Personal Representative, friends or others. We will ask You with whom We can and cannot discuss Your PHI. HIPAA’s Privacy Rule gives Us the right to deny a Consumer’s request to restrict the Use or Disclosure of PHI when it is being Used or Disclosed to other Covered Entities for Treatment. We will honor Your request to restrict Disclosure of PHI when submitting a claim to insurance, health plan, or other third-party payer for Payment, if You agree to be financially responsible for the entire payment. We will consider all other requests for restricted Use or Disclosure of PHI on a case-by-case basis. If We cannot grant Your request, We will let You know.

You have a Right to Access, Inspect, and Receive a Copy of Your Own PHI

You have the general right to inspect and have a copy of Your own PHI in records that We keep and maintain in a Designated Record Set. There are some exceptions:

- A Consumer does not have the right to inspect or copy restricted information, including psychotherapy notes or information compiled for civil, criminal or administrative proceedings.
- A Consumer’s right to inspect may not extend to information covered by other confidentiality laws or information created by and obtained from another Covered Entity.
- Access may be denied if it could endanger the life or safety of You or another.

If We keep and maintain some or all of Your records containing PHI in a Designated Record Set, You may request access to Your PHI in writing, which You could give, mail or fax to Us.
If We do not keep and maintain Your records containing PHI in a Designated Record Set, and those records are maintained in a Designated Record Set by the Ohio Department of Aging, or the Ohio Department of Medicaid, or by a health plan, We will forward Your request within 30 days to the appropriate entity and give You that entity’s contact information.

Either We or the appropriate entity maintaining Your PHI in a Designated Record Set will consider Your request according to HIPAA’s Privacy Rule. Usually, You will receive a response within 30 days from the date the request is received. Sometimes, it may take more than 30 days, in which case a response will be given as soon as reasonably practical. If Your request is granted, an appointment will be scheduled for You to inspect and copy Your PHI. You may be charged a reasonable fee for labor and copying costs as permitted by HIPAA and Ohio law.

If You request access to PHI that is maintained in an electronic record or electronic Designated Data Set, You may be provided with an electronic “machine readable copy” in a standard format enabling the ePHI to be processed and analyzed by a computer in a manner that accommodates requests for specific formats. If that cannot be done, other arrangements will be made as permitted by HIPAA.

Alternatively, You may ask for a written summary of Your PHI instead of inspecting, copying, or electronically accessing Your records. We will promptly forward that request to the appropriate entity, which may charge You for a summary. If Your request cannot be granted, You will be notified in writing of the basis for the denial and Your appeal rights for review.

You have the Right to Amend Incorrect or Incomplete Information in Your PHI

If You believe that Your record is incomplete or Your PHI is incorrect, You may request that it be amended. You may send Your written request by mail or you may fax it to 216.621.0303.
If We keep and maintain Your records in a Designated Record Set, we will consider Your request. If We do not maintain Your records in a Designated Record Set, We will forward Your request within 30 days to the appropriate entity that is keeping Your PHI in a Designated Record Set. Usually, You will receive a response within 60 days from the date Your request was received.

Your request to amend Your records will be granted if the PHI is incorrect or incomplete. For example, if the name of the drug or its dosage is wrong, You may correct that. If Your diagnosis is wrong, You can amend that, too. Your request cannot be granted if the PHI You seek to be amended is accurate and correct, or is not part of a Designated Record Set, or it was not created by WRAAA.

If Your request is granted, the PHI in the Designated Record Set will be amended. You will be informed that the amendment was made, and persons who have received and may have relied on PHI will be informed that the PHI has been amended. If Your request is denied, You will be informed: (1) in writing of the reason for denial; (2) of Your right to submit a written statement of disagreement, which will be kept with Your record and will be included with future Disclosures; (3) of Your right to file a complaint. If You file a statement of disagreement, a written rebuttal may be created. If You have questions about this right, please contact Our Privacy Officer at 216.621.0303.

You have a Right to Receive an Accounting of Disclosures of PHI

You have a right to receive an Accounting of Disclosures made to others of Your PHI up to six years prior to the date in which the request for an Accounting is made. There are certain exceptions and limitations, including, but not limited to Disclosures made: (1) for Treatment, Payment, or Healthcare Operations; (2) to the Consumer (or Personal Representative) of his or her own PHI; and (3) according to a signed Authorization.
You may request an Accounting of Disclosures by mailing or faxing the request or contacting Our Privacy Officer at 216.621.0303. If We made a Disclosure of Your records that We keep and maintain in a Designated Record Set, We will provide you with an Accounting. If We do not keep and maintain Your records, We will forward Your request within 30 days to the appropriate entity that keeps and maintains Your records in a Designated Record Set.

The first Accounting You request within a 12-month period will be free. For additional Accountings, You may be charged the cost of preparing the list. The Accounting will include the date of Disclosure of PHI; the name of the third-party to whom PHI was Disclosed; if known, the address of the third-party; a brief description of the Disclosed PHI; and a brief explanation of the purpose for Disclosure.

You have a Right to Receive a Breach Notification

We or a Business Associate or other responsible Covered Entity will promptly notify You by first-class mail, at Your last known address, upon discovery of a Breach of Unsecured PHI, which includes the unauthorized acquisition, access, Use, or Disclosure of Your PHI, unless a Risk Assessment determines that a low probability exists that the compromise of Your PHI would cause You financial, reputational, or other harm. Factors for determining whether a Breach has occurred include:

- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
- The unauthorized person who used the PHI or to whom the Disclosure was made.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk to the PHI has been mitigated.

Included in the Breach notification will be a brief description of what happened, a description of the types of Unsecured PHI involved, steps You should take to protect yourself from potential harm, a brief description of what is being done to investigate the Breach and mitigate potential harm, as well as contact information for You to ask questions and learn additional information.

Complaints

We are committed to protecting Your PHI. Despite Our best efforts, questions, concerns, or problems sometimes may arise. If You have a concern, or You believe that Your Privacy rights have been violated or Breached, We encourage You to contact Us immediately. You may mail or fax Us a written complaint, or we encourage You to call Our Privacy Officer at 216.621.0303.

We take all concerns and complaints very seriously and will investigate each one promptly. If We made a mistake or learn of unauthorized Disclosure or Breach, We will do what We can to correct it and take steps to prevent such mistakes or problems in the future. If we did not make a mistake, We will provide you with an explanation. We will make every effort to get back to You within 30 days, though sometimes it takes longer, based on the investigation. We will never retaliate against You for expressing a concern or filing a complaint relating to Your Privacy rights.

If You are not satisfied by Our response, or if You choose not to contact Us with Your complaint, You may contact the Office for Civil Rights for the Department of Health and Human Services, 200 Independence Ave., S.E., Room 509F, HHH Building in Washington, D.C. 20201-0004 in writing or calling (800) 368-1019, within 180 days of the suspected violation or Breach.

Changes to this Notification of Privacy Practices

We reserve the right to change this Notice at any time, which We may make effective for PHI We already Used or Disclosed, and for any PHI We may create, receive, Use, or Disclose, or store in the future.
We will make material amendments based on changes in HIPAA or applicable Ohio law. We will post a current version of Our Notice of Privacy Practices (with the effective date) on Our website. We will offer You a paper copy of Our most current, revised Notice at the initial appointment or anytime You request.