Dermatologist On Call Inc®
400 Weldon Street
Latrobe, PA 15650
PRIVACY PRACTICES AND POLICY
THIS DERMATOLOGISTONCALL ("DOC") PRIVACY PRACTICES AND POLICY ("POLICY") DESCRIBES HOW DOC USES MEDICAL INFORMATION ABOUT YOU, AND HOW YOU CAN GET ACCESS TO YOUR MEDICAL INFORMATION. PLEASE REVIEW IT CAREFULLY.
This Policy applies to the DermatologistOnCall® telehealth service (“DOC Service”) accessed at https://www.dermatologistoncall.com (“the Website”). The DOC Service is operated by DOC and provides telehealth dermatology services.
DOC is required by law as a business associate of the participating dermatologists (“Medical Providers”) to maintain the privacy of Protected Health Information (“PHI”) and to provide individuals with notice of its legal duties and privacy practices. This Policy explains the following: 1) the uses and disclosures of your PHI which may be made by DOC or its designee; 2) your individual rights; and 3) DOC’s legal duties pertaining to your PHI.
PHI means Protected Health Information created or received by DOC or its designee that relates to your past, present, or future physical or mental health or condition, the provision of health care to you, or the past, present, or future payment for the provision of health care to you.
When you use the DOC service, your PHI is provided to a Medical Provider to provide medical services. DOC will have access to your PHI as part of its operation of the DOC Service. DOC’s designated payment processor will have access to your PHI for use in connection with payment related activities. Other third parties may have access to your PHI either to fulfill healthcare operations of the Medical Providers or as a result of a valid authorization which you have granted.
The effective date of this Policy is 12/1/2020. DOC is required to abide by the terms of this Policy which are currently in effect, but reserves the right to change its privacy practices as required or permitted by the privacy regulations of the Health Insurance Privacy and Accountability Act of 1996 (“HIPAA Privacy Rule”) and other applicable law. DOC also reserves the right to revise and distribute this Policy whenever there is a material change to the uses or disclosures of PHI, your individual rights pertaining to your PHI, DOC’s legal duties, or DOC’s privacy practices.Minimum Necessary and Incidental Uses and Disclosures
Minimum Necessary. DOC has implemented policies and procedures which limit how much PHI is used, disclosed, and requested for certain purposes. These policies and procedures reasonably limit who within DOC has access to PHI, and under what conditions, based on who needs access to perform their job duties for DOC. Certain incidental uses and disclosures of PHI are permitted since DOC has reasonable safeguards and minimum necessary policies and procedures to protect your privacy. The minimum necessary standard does not apply to disclosures among healthcare providers for treatment purposes.
When using or disclosing PHI or when requesting PHI from another entity covered under the HIPAA Privacy Rule, DOC will make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request unless any of the following apply: (i) the uses, disclosures, or requests are made by a health care provider for treatment; (ii) the uses or disclosures are provided to you as permitted under the HIPAA Privacy Rule; (iii) the disclosures are made pursuant to a valid written authorization; (iv) the disclosures are made to the Secretary of the U.S. Department of Health and Human Services; (v) the uses or disclosures are required by law; or (vi) the uses or disclosures are required for compliance with the HIPAA Privacy Rule.
Incidental Uses and Disclosures Permitted. The HIPAA Privacy Rule permits certain incidental uses and disclosures of PHI which may occur as a by-product of another permissible or required use or disclosure since DOC has in place reasonable safeguards and minimum necessary policies and procedures to protect your privacy. An incidental use or disclosure is a secondary use or disclosure that cannot
reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the HIPAA Privacy Rule.
Uses & Disclosures of PHI Not Requiring Authorization or Opportunity to Object
Uses and Disclosures for Treatment, Payment, and Health Care Operations DOC will use or disclose your PHI for treatment, payment, or health care operations. Disclosures are made to others who are subject to the HIPAA Privacy Rule and who are also involved in your health care or with vendors, agents, or subcontractors with whom we have contracted to assist us in providing health care services.
Examples of Uses and Disclosures for Treatment, Payment and Health Care Operations.
Treatment, Payment, and Health Care Operations are broadly defined in the HIPAA Privacy Regulations (at 45 CFR § 164. 501). A few examples are provided below of how DOC may use your PHI for these purposes as Administration of the DOC Service:
Treatment. As a result of your submitting your PHI to the DOC Service using the Website to request delivery of care (i.e., through the Internet), Medical Providers will have the ability to access your PHI for the provision of telehealth dermatology services using the DOC Service and the Website. Your PHI will be disclosed and used by the Medical Provider who has elected to fulfill your request for such services. Your PHI will be accessed, stored, and maintained online by DOC and its designees.
Payment. When you pay for dermatology services which are delivered through the DOC Service, your PHI will be used or disclosed by the third-party payment processor in connection with the processing of your payment information. In addition, your PHI may be disclosed to or used by a Medical Provider in connection with payment related activities. DOC and its designees may use your PHI for other payment or reimbursement activities for the provision of services.
Health Care Operations. Medical Providers and other designees (such as but not limited to business associates - e.g., entities which perform functions such as e prescribing, data center hosting, managed security services, and ongoing software development and support) may use or disclose your PHI in connection with healthcare operations-related activities such as communications about your treatment, case management, care coordination, direct or alternative treatments, therapies, health care providers, or settings of care, and communications pursuant to a valid authorization by you.
DOC may also use or disclose your PHI without your authorization and without giving you an opportunity to agree or object in the following instances:
- When required by law;
- For public health activities and purposes as authorized by law to collect or receive such information (e.g., public health agency requesting statistics concerning a chronic disease);
- For cases of abuse or neglect (e.g., to a government agency, social service agency, or protective services agency);
- For health oversight activities to a public health authority (e.g., audit by an agency);
- For judicial and administrative proceedings (e.g.,subpoena or court order);
- For a law enforcement purpose to a law enforcement official;
- For workers’ compensation purposes (e.g., DOC may need to report information which is relevant to any job-related injuries that by state law are deemed to be involved in workers’ compensation coverage);
- For sharing a limited data set with third parties, subject to a data use agreement;
- For specific government requirements or emergencies (e.g., national security and intelligence activities);
- To avert serious threat or safety (e.g., in an emergency);
- To business associates who perform services on behalf of DOC;
- When required by the Secretary of the U.S. Department of Health and Human Services to investigate HIPAA compliance; and
- When contacting you about health-related benefits and services that may be of interest to you, where applicable.
Uses and Disclosures Requiring Written Authorization
Other uses and disclosures of your PHI will be made only with your written authorization, such as sharing your PHI obtained by DOC or its designees with certain third-parties. If you give DOC written authorization to use or disclose your PHI for a purpose that is not described in this Policy, then you may revoke it in writing at any time unless: (1) DOC has taken action in reliance on your authorization; or (2) the authorization was obtained as a condition of obtaining insurance coverage and other law provides the insurer with the right to contest a claim under the policy or the policy itself provides for such a right.
- Uses and Disclosures of De-Identified Information
As permitted by the HIPAA Privacy Rule, DOC may use de-identified information (which consists of information which does not identify any individual) for any use or disclosure in its sole and exclusive discretion. De-identified information is not PHI and therefore is not subject to any protections under the HIPAA Privacy Rule.
- Your Rights
Right to Receive Confidential Communications. You have the right to request that DOC communicate your PHI to you through alternate means (e.g., alternate address or mode of communication). DOC will accommodate reasonable requests from you to receive communications of PHI from DOC by alternative means or at alternative
locations. Electronic communications such as e-mail and facsimile are not completely secure. DOC is not responsible for incorrect e-mail addresses or facsimile numbers.
Right to Access Your PHI. You generally have the right of access to inspect and obtain a copy of your PHI which DOC collects or maintains in its files.
Providing access to PHI if the request is granted. DOC will provide the access requested, including inspection or obtaining a copy of your PHI. DOC will provide you with access to your PHI in the form or format requested if feasible, in a readable hardcopy form, or another form as agreed by DOC and you.
DOC may provide you with a summary of your PHI in lieu of providing access to your PHI or may provide an explanation of your PHI if you agree in advance to such summary or explanation and you agree in advance to the fees imposed, if any, by DOC for such summary or explanation.
DOC will provide you with access to your PHI within thirty (30) days after receipt of the request if your PHI is maintained on-site or within sixty (60) days if maintained off-site. DOC will arrange with you a convenient time and place to inspect or obtain a copy or otherwise mail you a copy of your PHI at your request. DOC may charge you for the cost of copying the materials and any postage involving your requested PHI. DOC may discuss with you the scope, format, and other aspects of your request as necessary to process your request.
DOC will not provide you access, however, to certain PHI, namely, information compiled for use in civil, criminal, or administrative proceedings, and health information that is covered by federal laws governing clinical laboratories.
Legal duties of DOC for denial of access to PHI. If DOC denies access to PHI, in whole or in part, then DOC will do the following:
- Make other PHI that was requested accessible to the extent possible; • Provide a timely, written denial to you within thirty (30) days after receipt of the request if your PHI is maintained on-site or within sixty (60) days if maintained off-site. But, if DOC is unable to comply with this time frame, then DOC may extend the time for thirty (30) days from the initial time period. However, in such a case, DOC will provide you with a written statement of the reasons for the delay and the date by which DOC will complete its action on the request.
- The denial will be written in plain language and will include the basis for the denial. If the denial is reviewable, then the denial will provide a statement of your rights to have the denial reviewed and include a description of how you may file a complaint with DOC either through its procedures or the procedures as designated by the Secretary of the U.S. Department of Health and Human Services. The denial will also provide the name, or title, and telephone number or office, where applicable.
Other duties of DOC regarding access to PHI. If DOC does not maintain your PHI that is the subject of your request for access and DOC knows where the requested PHI is maintained, then DOC will inform you of where to direct the request for access to your PHI.
Reviewable grounds for denial of access to PHI. DOC may deny you access for any of the following reasons; however, you will have the right to have the denial reviewed in the following instances:
- A licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of yourself or another person;
- Your PHI makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person; or
- The request for access is made by your personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to you or another person.
Review of denial regarding access to PHI. If your request is denied and the grounds for denial are reviewable, then you have the right to have the denial reviewed by a licensed health care professional who is designated by DOC to act as a reviewing official and who did not participate in the original decision to deny access to your PHI. DOC will provide you with instructions for requesting a review of the denial (if the grounds are reviewable). DOC will either provide access or deny access in accordance with the determination of the reviewing official.
Right to Amend PHI. You have the right to request that DOC amend your PHI or a record about you so long as DOC maintains your PHI in the designated record set. Any request must be made in writing and you must provide a reason to support a requested amendment. DOC will act on your request within sixty (60) days after the receipt of such a request. If DOC cannot comply with the request within the initial sixty (60) days, then it may extend the time for an additional thirty (30) days provided that DOC has informed you in writing of the reasons for the delay and the date by which DOC will act on your request. DOC may grant or deny your request to amend your PHI.
Grant of the amendment. If DOC grants your request to amend your PHI, then it will obtain from you an identification of relevant persons (or entities) with whom the amendment needs to be shared. DOC will also make the appropriate amendment to your PHI or record that is the subject of the request for amendment by, at minimum, identifying the records in the designated record set that are affected by the amendment and appending or otherwise providing a link to the location of the amendment.
Denial of the amendment. If DOC denies your request to amend your PHI, then the denial will be written in plain language and contain the basis for the denial. The denial will include a description of your right to disagree with denial and how you may submit a statement of disagreement. DOC may prepare a written rebuttal to your statement of disagreement and provide you with a copy.
However, if you choose not to submit a statement of disagreement, then you may request that DOC provide your request for amendment and the denial with any future disclosure of your PHI that is subject to the amendment.
Right to Receive an Accounting of PHI Disclosures. You have the right to request an accounting of disclosures of PHI made by DOC in the six (6) years prior to the date of your request except in the following instances (unless otherwise required by law):
- To carry out treatment, payment and health care operations; • To you about your own PHI;
- Incident to a permitted or required use or disclosure;
- Pursuant to an authorization;
- To persons involved in your care or for other notification purposes; • For national security or intelligence purposes;
- Occurred prior to the HIPAA compliance date for DOC;
- To correctional institutions or law enforcement officials in custodial situations; or
- As part of a limited data set in accordance with 45 CFR 164.514(e).
Suspension of individual right to receive an accounting of certain disclosures which are made to a health oversight agency or law enforcement officials. DOC will suspend your individual right to receive an accounting of certain disclosures to a health oversight agency or law enforcement official if the agency or official provides DOC with a written statement that the accounting would be reasonably likely to impede the agency’s activities and specifies a time for which the suspension requires.
However, if the agency or official statement as described above is made orally, then DOC will: (1) document the statement, including the identity of the agency or official making the statement; (2) temporarily suspend your right to an accounting of disclosures subject to the statement; and (3) limit the temporary suspension to no longer than thirty (30) days from the date of the oral statement, unless a written statement as described above is submitted during that time.
When accounting will be provided. DOC generally will act on the request for an accounting no later than sixty (60) days after receipt. However, if DOC cannot act on the request within this period of time, it will send you a written explanation of why it cannot act on the request within the timeframe and also the date by which it will act on the request.
Fees that may be charged for an accounting. DOC will provide the first accounting to you in any twelve (12) month period without charge. However, DOC may impose a reasonable, cost-based fee for each subsequent request for an accounting by you within the twelve (12) month period, provided that DOC has informed you in advance of the fee and provides you with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or otherwise reduce the fee.
Right to Copy of Policy. You have the right to obtain a copy of this Policy upon request even if you agreed to receive the Policy electronically.
Procedure for Exercising Your Rights. If you want to exercise any of the rights described in this Policy, please contact the Privacy Officer using the contact information listed below. The Privacy Officer will give you the necessary information and forms for you to complete and return. In some cases, you may be charged a cost-based fee to carry out your request.
A Note Regarding Your Personal Representative. Your rights may be exercised by a person who qualifies as your personal representative in accordance with 45 CFR 164.502(g). If under applicable law a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, DOC will treat such person as a personal representative with respect to PHI relevant to such personal representation.
Exceptions may apply in certain circumstances involving minor children and in cases involving suspected domestic violence, abuse or neglect by the personal representative such as when DOC has a reasonable belief that the individual has been or may be subjected to domestic violence, abuse, or neglect by such person or treating such person as the personal representative could endanger the individual and DOC, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual’s personal
- Complaints and Additional Information
If you believe your privacy rights have been violated by DOC, you have the right to file a complaint with DOC’s Privacy Officer or the Secretary of the U.S. Department of Health and Human Services. You will not be retaliated against if you choose to file a complaint with DOC or with the U.S. Department of Health and Human Services. You may also contact DOC’s Privacy Officer to request additional copies of this Policy or to receive more information about the matters covered by this Policy, and to review a denial of access of PHI.
Contacting the Privacy Officer.
Dermatologist On Call Inc
Attn: Privacy Officer
400 Weldon Street
Latrobe, PA 15650
Contacting Health and Human Services. If you wish to file a complaint, you may do so by either sending the complaint to the appropriate Office of Civil Rights Regional office or Office of Civil headquarters; alternatively, you may file a complaint online at the www.hhs.gov website.
Dermatologist On Call Inc
400 Weldon Street
Latrobe, PA 15650
Receipt of Policy of Privacy Practices and HIPAA Consent
Iagnosis, Inc is registered to do business as DermatologistOnCall. This Receipt of Policy of Privacy Practices and HIPAA Consent (collectively, “Consent”) are for the following purposes: (1) your acknowledgement that you have either received or that you were provided a reasonable opportunity to electronically review the notice of the DermatologistOnCall policy of privacy practices ("Policy of Privacy Practices") and (2) your consent for DermatologistOnCall and its designees’ use and disclosure of your protected health information (“PHI”) for treatment, payment or healthcare operations as defined by the Health Insurance Privacy and Accountability Act of 1996 (the "HIPAA Privacy Rule") in connection with the telehealth dermatology services (referred to as the “DermatologistOnCall® Service” or “DOC Service”) which are provided to you by DermatologistOnCall (“DOC”). If you are a parent or guardian consenting to the treatment of a minor using the DOC Service, all references herein to “you,” “your,” “I” or similar shall include the minor, as applicable. The DOC Service comprises a network of participating dermatologists (“Medical Providers") which deliver dermatology services on a telehealth basis through the website located at https://DermatologistOnCall.com (“Website”).
By submitting your information to the DOC Service using the Website in order to request telehealth dermatology services, your PHI will be made available online through the DOC Service. Medical Providers will have access to your PHI by using the DOC Service to review your request for telehealth dermatology services. DOC will have access to your PHI as the Administration of the DOC Service. DOC’s designated payment processor will have access to your PHI for use in connection with payment related activities. Other third parties may have access to your PHI either to fulfill healthcare operations of the Medical Providers or as a result of a valid authorization, which you have granted.
Please read the following information carefully:
- I understand and consent to the use and/or disclosure of my PHI byDOC and its designees for the purposes of treatment, payment, and healthcare operations related activities which are permitted by the HIPAA Privacy Rule.
- As a result of your submitting your PHI to the DOC Service to request delivery of care (i.e., through the Internet), Medical Providers will have the ability to access your PHI for the provision of telehealth dermatology services using the DOC Service. Your PHI will be disclosed and used by the Medical Provider who has elected to fulfill your request for such services. Your PHI will be accessed, stored, and maintained online by DOC and its designees.
- When you pay for dermatology services which are delivered through the DOC Service, your PHI will be used or disclosed by the third-party payment processor in connection with the processing of your payment information. In addition, your PHI may be disclosed to or used by a Medical Provider in connection with payment related activities. DOC and its designees may use your PHI for other payment or reimbursement activities for the provision of services.
- Medical Providers and business associates (e.g., entities which perform functions such as e-prescribing, data center hosting, managed security services, and ongoing software development and support) may use or disclose your PHI in connection with healthcare operations related activities such as communications about your treatment, case management, care coordination, direct or alternative treatments, therapies, health care providers, or settings of care, and communications pursuant to a valid authorization by you.
- I am aware that DOC maintains a Policy of Privacy Practices which explains the types of uses and disclosures that DOC and its designees are permitted or required to make under the HIPAA Privacy Rule. By signing this Consent, I acknowledge that I have received a copy of the Policy of Privacy Practices.
- I understand and acknowledge that, in its Policy of Privacy Practices, DOC has reserved the right to change its Policy of Privacy Practices as permitted or required by the HIPAA Privacy Rule. I understand that I may obtain a copy of the Policy of Privacy Practices at any time by sending a written request to the following address: Dermatologist On Call Inc, Attn: Privacy Officer, 400 Weldon Street, Latrobe, PA 15650.
- I understand and acknowledge that I have the right to request restrictions on how my PHI is used or disclosed to carry out treatment, payment or healthcare operations or to restrict uses and disclosures to those who are involved in my care or payment of my care.
- I understand and acknowledge that DOC is generally not required to agree to restrictions requested by me regarding my PHI. However, DOC reserves the right to not provide care if such restrictions are requested by me; in such a case, I understand that I will not be eligible to use the DOC Service if DOC exercises that right.
- I understand and acknowledge the risks of electronic communications (e.g., via the DOC Service, text messages, and email) in that they are not secure and I consent to receiving such communications. If any PHI is communicated, then only the minimum necessary amount of PHI will be used.