Introduction
   People are justifiably concerned about their privacy. Industry after industry--including health care--is being required or is volunteering to follow guidelines in order to ensure individual privacy. As a former member of the Committee on Confidentiality of the American Psychiatric Association and, therefore, an indirect contributor to the drafting of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), I am especially concerned about doing what I can to ensure the privacy of medical information. In psychiatry, we especially care about patient privacy. The certainty that what is communicated in this office remains confidential is perhaps as important to the practice of psychiatry as a sterile operating field is to the practice of surgery.
   It is the purpose of this document to outline the policies and procedures of this office with respect to medical records and matters of privacy.
About This Office
   This office is a solo medical practice of psychiatry. I am the sole practitioner and attend to all administrative matters, including scheduling, record-keeping, and billing. This office accepts no payment for services other than from patients. That is, the responsibility for payment belongs to you. Insurance health claim forms will be completed at your request so that you may be reimbursed by your insurance carrier. I serve on no managed care panels and do not accept insurance reimbursement. I do not accept Medicaid or Medicare. I am responsible for the development and implementation of policies and procedures for the confidentiality of health information. Likewise, I am responsible for receiving complaints and providing further information to you about matters covered in this Notice of Privacy Practices.
   This office does not bill any third party by electronic means. As such, this office is not a "covered provider" and does not fall under HIPAA regulations. Nevertheless, it is the aim of this office to follow HIPAA-compliant guidelines. Certain of the guidelines that follow are independent of HIPAA and are included for completeness. These guidelines are subject to change without further notice to you. The purpose of this Notice is to indicate how this office may disclose your protected health information to carry out treatment and for other purposes that are permitted or required by law. It also describes your rights to access and control your protected health information. "Protected health information" is information about you, including demographic information that may identify you and that relates to your past, present, or future physical or mental health or condition, and related health care services.
***
Your Protected Health Information – What You Need to Know
Please appreciate that the current privacy legislation contains a loophole that may be of interest or concern to you: the pharmacies that fill your prescriptions may be remunerated by pharmaceutical companies to receive certain health-related information in order, say, to recommend that you switch from one medication to another or consider trying a related product. You do not need to be notified about this arrangement, and pharmacies do not need to obtain your consent to pass along your name to a pharmaceutical company. Insofar as this office prepares medication prescriptions, it indirectly and reluctantly participates in this marketing practice that is available to the pharmaceutical industry. (October 2002)
What you say in this office—and any record of what you say in this office—stays in this office. Rare circumstances may arise, however, where I may disclose to a member of your family, a relative, a close friend, or any other person you identify your protected health information that directly relates to that person's involvement in your health care. Here are the circumstances that may lead me to use or disclose your protected health information. Because these circumstances may occur, I want to inform you about them:
   - I may use or disclose protected health information to notify or assist in notifying a family member, personal representative, or any other person who is responsible for your care and general condition. Finally, I may use or disclose your protected health information to an authorized public or private entity to assist in disaster relief efforts and to coordinate use and disclosure to family or other individuals involved in your health care.
   - I may use or disclose your protected health information in an emergency treatment situation.
   - I may use or disclose your protected health information to the extent that the use or disclosure is required by law. The use or disclosure will be made in compliance with the law. You will be notified, as required by law, of any such use or disclosure.
   - I may disclose protected health information to a health oversight agency for activities authorized by law, such as audits, investigations, and inspections. Oversight agencies seeking this information include government agencies that oversee the health care system, government benefit programs, other government regulatory programs, and civil rights laws.
   - I may disclose protected health information in the course of any judicial or administrative proceeding in response to an order of a court or administrative tribunal (to the extent such disclosure is expressly authorized), in certain conditions in response to a subpoena, discovery request, or other lawful process.
   - I may also disclose protected health information, so long as applicable legal requirements are met, for law enforcement purposes. These law enforcement purposes include (1) legal processes and otherwise as required by law, (2) limited information requests for identification and location purposes, (3) matters pertaining to victims of a crime, (4) suspicion that death has occurred as a result of criminal conduct, (5) in the event that a crime occurs on the premises of the practice, and (6) medical emergency where it is likely that a crime has occurred.
   - Consistent with applicable federal and state laws, I may disclose your protected health information if I believe that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. I may also disclose protected health information if it is necessary for law enforcement authorities to identify or apprehend an individual.
   - I may disclose your protected health information to a public health authority that is authorized by law to receive reports of child abuse or neglect. In addition, I may disclose your protected health information if I believe that you have been a victim of abuse, neglect, or domestic violence to the governmental entity or agency authorized to receive such information. In this case, the disclosure will be made consistent with the requirements of applicable federal and state laws.
   - In this regard, this office does not acknowledge patient status to any third party except with your explicit oral or written authorization. Even without explicit authorization, in very exceptional circumstances, it may be necessary to disclose protected health information to provide, coordinate, or manage your health care and any related services. Again, the privilege of confidentiality is suspended when there is a clear, immediate, and grave threat of harm to either you or to a third party (e.g., child abuse) or when the legal statutes or a court order require that confidentiality be overridden for the social good.
A Continuing Concern
   Beyond the host of legal requirements, I am concerned that people are often unaware of the risks to personal privacy when they authorize releases that enable third parties (most often, insurance companies) to secure the contents of private medical information. I will seek to remind you that I am uncertain how private medical information is stored, how secure it is kept, who may eventually gain access to it, and to what purpose such information may be put. This office will seek to limit the information released to what is strictly necessary for the stated purpose without compromising your right to whatever benefit accrues to informing a third party of medical diagnosis and treatment.
   Hence, 1) it is the policy of this office to decline acknowledging to third parties who is or is not a patient, who has been or who has not been a patient, and who has been seen or not seen in consultation; 2) requests for release of information may only be initiated by the patient or with the approval and authorization of the patient as transmitted to and verified by this office; 3) requests must be on the basis of what has been demonstrated to be informed, non-coerced consent and 4) must specify to whom such information is to be imparted and 5) for what purpose, defined as specifically and narrowly as possible; 6) requests must stipulate a date that limits the validity of the request, but which may not exceed six months from the date when the release was signed unless waived by the patient; 7) third parties must affirm in writing that the information received will be used for the purpose stated, for no other purpose, and will not be re-disclosed to any other party without additional one-time-only authorization by the patient; 8) this office will make a determination whether the information requested is within the scope of the stated purpose; only that information deemed to fall within the scope of purpose will be released, based on these criteria; 9) if you should become incapacitated or die, these criteria remain in place. If a biographer, journalist, or historian should express interest in interviewing me concerning our work, such interviews will be denied, and no records will be made available unless you have previously given explicit permission indicating the person or persons to whom such information may be made available.
Storage of Medical Records
   The medical record for a person seeking and receiving care in this office is divided and stored in 4 places: 1) a clinical notebook that contains an initial interview and perhaps notes of additional interviews, 2) a password-protected computer folder for non-psychotherapy psychiatric notes (routinely backed up), 3) a notebook for psychotherapy notes (note that for certain patients, psychotherapy notes may not be taken or, in other instances, retained), and 4) when applicable, a paper folder to receive papers, cards, and documents related to patient care. In compliance with HIPAA, this office "maintains reasonable and appropriate administrative and physical safeguards to ensure the integrity and confidentiality of the information and [seeks] to protect against any reasonably anticipated threats or hazards to the security or integrity of the information and unauthorized uses or disclosures. . ."