Notice of Privacy Practices - Magnolia Rheumatology, P.C.

Effective Date: January 1, 2021


THIS NOTICE DESCRIBES HOW MEDICAL AND HEALTHCARE INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

If you have any questions about this notice, please contact our Privacy Officer (his/her contact information is set forth at the very end of this notice).

Terms used, but not defined, in this notice have the meanings set forth in the Federal HIPAA Law.


Who will follow this notice

In accordance with the HIPAA law, this notice describes MAGNOLIA RHEUMATOLOGY, P.C.’s privacy practices and that of:

  • Any health care professional authorized to enter information into your practice chart and review your charts, testing and other results on its behalf.

  • All employees, staff and other practice personnel (and contracted administrative service providers).

All of these follow the terms of this notice. In addition, they may share medical information with each other for treatment, payment or health care operations, and any other purposes described in this notice and/or allowed by applicable law.


Our privacy obligations regarding medical information

The practice understands that medical information about you and your health is personal, and the practice is committed to protecting medical information about you and keeping it private. The practice creates a record regarding your information as well as information regarding your diagnosis, treatment and services you receive from the practice. The practice needs this record to provide you with quality care and to comply with certain legal requirements. This notice applies to all of the medical information/“protected health information” or “PHI” which the practice creates or receives, whether made by practice personnel or received from another health care provider. Medical information includes information that can be used to identify you that is created or received about your past, present, or future health or condition, the provision of healthcare to you, or the payment for the health care. We are required by law to protect the privacy of this information. Be aware, however, that your other health care providers may have different policies or notices regarding their use and sharing of your medical information that they create or maintain.

This notice will tell you about the ways in which the practice may use and share your medical information. This notice also describes your rights and certain obligations the practice has regarding the use and sharing of medical information.

The practice is required by law to:

  • Make sure that information that identifies you is kept private (with certain exceptions) and secure;

  • Follow the duties and privacy practices described in this notice and give you a copy of it; and

  • If medical information is used or disclosed in violation of the law, notify you promptly if the use/disclosure is a “Breach of Unsecured Protected Health Information” (as such terms are defined by the Federal HIPAA Law), and also notify you pursuant to any State law that may be applicable.


How we may use and share your medical information

The following categories describe different ways that we are permitted to use and disclose/share your medical information. For the most typical uses and disclosures we make, we will explain what we mean and try to give some examples. Not every specific use or disclosure or type of use/disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one of the categories. In many of the instances briefly described below, we will additionally have to meet conditions before we can use or share your information for the purposes described. Any other uses and disclosures not described in this notice or otherwise not permitted by law without an authorization will not be made without your authorization.

Highly sensitive information: special authorization may be required

In some circumstances, your health information may be subject to restrictions that may limit or preclude some uses or disclosures described in this notice.

Our records received from third party providers or prepared by us may contain information regarding your mental health, substance abuse, sexually transmitted diseases, psychotherapy, HIV/AIDS or other types of highly sensitive/protected information. Information of these types are typically protected by additional restrictions under state law, which we will comply with as applicable.

Government health benefit programs, such as state Medicaid programs, may also limit the sharing of beneficiary information for purposes unrelated to the program.

Disclosures that generally require HIPAA authorization (marketing and sale)

Under the HIPAA law, there are some circumstances where we can only use and share medical information if you have signed a HIPAA authorization/given us written permission.

For example, your authorization is required for most uses and sharing of your medical information for “Marketing” purposes, including subsidized treatment communications, or for disclosures that constitute the “Sale” of medical information. Please be aware, however, that HIPAA’s definitions of “Marketing” and “Sales”, and the restrictions related thereto, are technical, include exceptions, and do not apply to all situations that you may personally consider to be marketing or sales. We are permitted to use and/or share medical information for marketing or sales purposes in accordance with HIPAA and State law, which in some, but not all, situations requires your authorization or consent to do so. If your authorization is not required, and HIPAA/State law allows for a use that you may personally consider to be a use or sharing for marketing/sales purposes, we may utilize your information for such purposes without your consent (examples include, but are not limited to, face-to-face communications to you about a product or service, to provide reminders, research purposes, and the sale, transfer, merger or consolidation of all or part of the practice).

Sharing at your request

We may disclose/share information when requested by you. This disclosure at your request may require a written authorization by you. Any authorizations that you give can be revoked at any time.

For treatment

We may use and share medical information about you to provide you with medical treatment, healthcare, or other related services (including for care coordination purposes). The practice may share medical information about you to doctors, nurses, assistants, technicians, health care students, or other personnel who are involved in diagnosing or treating you. The practice also may share medical information about you with people outside of the practice who may be involved in your medical care, such as family members, facilities, and physicians or other practitioners. For example, an outside doctor treating you for an injury asks a practice practitioner about a particular test result, or we internally share medical information about you in order to coordinate the different things you need from us.

Additionally, we may share your medical information with physicians and other health care providers as a member of an Accountable Care Organization (“ACO”), Regional Health Information Organization (“RHIO”) or other Health Information Exchange (“HIE”). In some (but not all) cases, there may be an “opt out” right or other rights particular to an ACO, RHIO or HIE – please contact our Privacy Officer utilizing the information below (contact information is set forth at the very end of this notice) if you would like more information on “opt out” or other rights you may have, to the extent that we then-participate in these organizations.

For payment

We may use and share medical information about you so that the diagnosis, treatment and services you receive at or from the practice may be billed to and payment may be collected from you, an insurance company, or a third party. The practice may also share your medical information with another health care provider or payor of health care for the payment activities of that entity. For example, we may need to give your health plan information about a test or diagnosis you received from us so your health plan will pay us or reimburse you for the test. We may also tell your health plan about a treatment you are going to receive to obtain prior approval, referrals, or to determine whether your plan will cover the treatment. We may also provide basic information about you and your health plan, insurance company or other source of payment to practitioners outside the practice who are involved in your care, to assist them in obtaining payment for services they provide to you. The practice may also need to use and share your medical information in various appeals processes to defend the necessity of services offered in the past, and to pursue collections actions for services which we have rendered to you.

If you do not want us to share medical information about you with your health plan, you have the right to pay for all services and care out of pocket in full, and to inform us that you wish to restrict the information shared with your health plan. For more information on this limited restriction, see your rights listed below.

For health care operations

The practice may use and share your medical information for health care operations. These uses and disclosures are necessary to run the practice and make sure that all of our patients receive competent, quality health care, and to maintain and improve the quality of health care that the practice provides. The practice may additionally provide your medical information to various governmental or accreditation entities to maintain any license(s) and/or accreditations we may have. For example, the practice may use medical information to review our treatment and services and to evaluate the performance of our staff. The practice may also combine medical information about many practice patients to decide what additional services the practice should offer, what services are not needed, and whether certain new treatments are effective.

Incidental uses and disclosures

We may occasionally inadvertently use or share your medical information when such use or disclosure is incident to another use or disclosure that is permitted or required by law. Please be assured, however, that as much as possible, the practice has appropriate safeguards in place in an effort to avoid such situations or to otherwise limit the extent of the disclosure.

Limited data sets

We are permitted to use or share certain parts of your medical information, called a “limited data set,” for purposes of research, public health reasons or for our health care operations, subject to certain conditions.

De-identified information

The practice may use or share your medical information to create information that does not identify you in accordance with HIPAA. Once the practice has de-identified your information, it can be used or shared in any way according to law.

Certain disclosures by members of workforce

In certain circumstances, members of the practice‘s workforce are permitted or even required to share your medical information with a health oversight agency, public health authority, law enforcement official, or health care accreditation organization or attorney hired by the workforce member.

Sharing with organized health care arrangement

We may share medical information with covered entities participating in any organized health care arrangement in which we participate, as necessary to carry out treatment, payment, or health care operations relating to the organized health care arrangement.

Health-related products and services

So long as done in compliance with the HIPAA marketing/sale of PHI rules, we may use and share medical information to tell you about health-related products or services that may be of interest to you. If you do not wish us to contact you regarding health related-products and services, you must notify us in writing and state that you wish to be excluded from this activity.

To individuals involved in your care or payment for your care (and your opportunity to object)

We may release medical information about you to a friend or family member who is involved in your medical care, unless you object in whole or in part. We may also give information to someone who helps pay for your care. Unless there is a specific written request/objection from you to the contrary, we are also permitted under the HIPAA rules to tell your family or friends your condition and that you are being cared for by the practice in limited circumstances.

In addition, to the extent applicable, the practice may share certain medical information about you with an entity assisting in a disaster relief effort so that your family can be notified about your condition, status and location. If you are unconscious or otherwise unable to communicate and a third party provider so requests, we may go ahead and share your information if we believe it is in your best interests.

For research

Under certain circumstances, we are permitted to use and share medical information about you for research purposes. In some situations, your authorization is required in connection with research uses and disclosures.

To comply with the law

We will share medical information about you when required to do so by federal, state or local law, including with the U.S. Department of Health if it wants to see that we’re complying with federal privacy law.

To avert a serious threat to health or safety

We may in certain circumstances, and only if allowed by State law, use and share medical information about you when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person.

Third parties/business associates

We may share your medical information to third parties (sometimes called Business Associates) with whom the practice has contact to perform services on the practice‘s behalf. If we share your information with these entities, we will have a written agreement with them to safeguard your information.

Workers’ compensation; law enforcement; other government requests

We may use or share medical information about you in certain circumstances for: (i) workers’ compensation or similar programs; (ii) law enforcement purposes or with law enforcement officials in certain circumstances; and (iii) special government functions such as military, national security, intelligence and protective services.

Public health and safety issues

We may share medical information about you for certain public health and safety purposes, including, without limitation, the following: (i) preventing/controlling disease, injury or disability; (ii) reporting births and deaths; (iii) to report regarding the abuse or neglect of children, elders, and dependent adults; (iv) to report reactions to medications or problems with products; (v) to notify you regarding product recalls; (vi) to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; (vii) to notify the appropriate government authority if we believe a patient has been the victim of abuse, neglect or domestic violence; and (viii) to notify emergency response personnel regarding possible exposure to HIV/AIDS, to the extent necessary to comply with State and federal laws.

Health oversight activities

We may share medical information with a health oversight agency for activities authorized by law.

Lawsuits and administrative proceedings

In certain circumstances, we may share medical information about you in the course of judicial or administrative proceedings in response to a court or administrative order, or a subpoena, discovery request, or other lawful process.

Coroners, medical examiners and funeral directors

We may release medical information to a coroner, medical examiner, or funeral director when an individual dies.

Multidisciplinary personnel teams

The practice may share health information with a multidisciplinary personnel team relevant to the prevention, identification, management or treatment of an abused child and the child’s parents, or elder abuse and neglect.


Your rights regarding medical information

In addition to any rights that you may have under State law, you have the following HIPAA rights regarding medical information that the practice maintains about you.

Get an electronic copy or paper copy of your medical record

You have the right to inspect and copy medical information that may be used to make decisions about your care.

To inspect and copy medical information, you must submit your request in writing to our Privacy Officer or his/her designee (contact information is set forth at the very end of this notice). If the practice uses or maintains your medical information in an electronic health record (or to the extent that we maintain the information in an electronic form), you have the right to obtain an electronic copy of such information. When information is not readily producible in the electronic form and format you have requested, we will provide you the information in an alternative readable electronic format as we may mutually agree upon, only as readily possible. Furthermore, you have the right to direct the practice to transmit such electronic copy directly to another entity or person that you designate. If you request a copy of the information, the practice may charge a fee for the costs of copying and/or transmission. The practice will follow State law with regard to approved copying and other associated costs.

The practice may deny your request to inspect and copy in certain very limited circumstances. If you are denied access to medical information, you may request that the denial be reviewed. Another licensed health care professional chosen by the practice will review your request and the denial. The person conducting the review will not be the person who denied your request. The practice will comply with the outcome of the review.

We are advising you in this notice that if you request that information available in an electronic format be provided via email, that email is an unsecure medium for transmitting information and that there is some risk if medical information is emailed. Information transmitted via email is more likely to be intercepted by unauthorized third parties than more secure transmission channels. If we agree to email you information, you are accepting the risks we have notified you of, and you agree that we are not responsible for unauthorized access of such medical information while it is in transmission to you based on your request, or when the information is delivered to you.

Amend your medical information

If you feel that your medical information is incorrect or incomplete, you have the right to request an amendment of the information for as long as the information is kept by or for the practice. To request an amendment, your request must be made in writing and submitted to our Privacy Officer (contact information is set forth at the very end of this notice). We may deny your request for an amendment for a number of legally permissible reasons, but we will tell you why in writing within 60 days, and also give you the right to submit a written statement of disagreement with our decision. If you clearly indicate in writing that you want the statement of disagreement to be made part of your medical record, the practice will attach it to your records and include it whenever the practice makes a disclosure of the item or statement you believe to be incomplete or incorrect.

Receive and accounting of disclosures

You have the right to request an “accounting of disclosures.” This is a list of the disclosures the practice made of medical information about you other than our own uses for diagnosis, treatment, payment and health care operations (as those functions are described above), and certain other disclosures. If, however, the practice is using an electronic health record, the practice will also account for treatment, payment and health care operations made using the electronic health record.

To request this list or accounting of disclosures, you must submit your request in writing to our Privacy Officer (contact information is set forth at the very end of this notice). Your request must state a time period which may not be longer than six (6) years prior to the date you ask. Your request should indicate in what form you want the list (for example, on paper or electronically). The first list you request within a 12-month period will be free. For additional lists within a 12-month period, the practice may charge you a reasonable, cost-based fee for providing the list.

Request restrictions on what we use or share

You have the right to request a restriction or limitation on the use and/or disclosure of your medical information in connection with treatment, payment or heath care operations. You also have the right to request a limit on the medical information the practice shares about you to someone who is involved in your care or the payment for your care, like a family member or friend. The practice is generally NOT, however, required to agree to your restriction request.

In one narrow instance, however, we are required to agree to the request, if all of the following apply: (i) you have requested that we restrict disclosure for payment or healthcare operations purposes; (ii) the disclosure would be made to a health plan/insurer (e.g., we are not precluded from making other allowable disclosures; only disclosures to the health plan/insurer); (iii) the disclosure is not otherwise required by law; and (iv) the medical information restricted pertains solely to a healthcare item or service for which you, or someone on your behalf, have paid us in full (excluding payments made by the health plan on your behalf) (i.e., you may not restrict the entirety of your medical record from being shared with a health plan/insurer – you may only restrict the portions of your record for those items or services which have been paid in full). You are hereby advised that, even if you utilize this required restriction request and meet the criteria set forth above, the required restriction is narrow. In particular, even if you have requested and received a required restriction, we may still share your information with others for other allowable purposes. In the event that we make such allowable disclosures, the party to which we have permissibly shared the information with is not bound by the required restriction request that you made to us, and we are not obligated to relay your request to such party. The only way for you to guarantee that such 3rd parties do not then share said information with your insurer/health plan is for you to make a required restriction request with the 3rd party that meets all of the required restriction elements set forth above. We hereby advise you to do so if you desire. Note also that to the extent that you seek follow-up or other treatment from us, and it is necessary for us to include previously restricted PHI when billing your insurer/ health plan for the follow-up treatment (e.g., you have not fully paid out-of-pocket for the service and requested a required restriction), we may share such previously restricted information, but only to the extent that including such PHI is required to support medical necessity of the follow-up care and you do not request a new required restriction/pay out-of-pocket in full for the follow-up care.

If the practice does agree to comply with non-required requests, the practice will comply with your request unless (a) the information is needed to provide you emergency treatment, or (b) other legal exceptions apply.

To request restrictions, you must make your request in writing to our Privacy Officer (contact information is set forth at the very end of this notice). the practice will not ask you the reason for your request. The practice will attempt to accommodate all reasonable requests.

Request confidential communications

You have the right to request that the practice communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that the practice only contact you at work or by mail. The practice will not ask you the reason for your request. We will say “yes” to all reasonable requests. To request confidential communications, you must make your request in writing to our Privacy Officer (contact information is set forth at the very end of this notice).

Paper copy of this notice

You have the right to a paper copy of this notice at any time, even if you have agreed to receive this notice electronically.

You may also obtain a copy of this notice at our website: https://magnoliarheum.com/privacy-policy

To obtain a paper copy of this notice, ask our front desk staff, or our Privacy Officer (contact information is set forth at the very end of this notice).

Be notified in the event of a “Breach of Unsecured PHI”

If, in any case, medical information is used or disclosed in violation of the law, we are required to notify you if the use/disclosure is a “Breach of Unsecured Protected Health Information” (as such terms are defined by the Federal HIPAA Law). We may also be required to notify you pursuant to any State law that may be applicable.

File a complaint if you feel your rights are violated

If you believe your privacy rights have been violated, you may file a complaint with the practice or with the Secretary of the U.S. Department of Health and Human Services. To file a complaint with the practice, contact our Privacy Officer in writing (contact information is set forth at the very end of this notice). We respectfully request that complaints be submitted in writing. You will not be penalized or retaliated against for filing a complaint.


Changes to the terms of this notice

The practice reserves the right to change this notice and our privacy or security policies at any time, and the changes will apply to all information we already have about you. The practice will post a copy of the current/changed notice on our website. The notice will contain the effective date and will be available upon request.


Other uses of medical information/permissions/authorizations

Other uses and disclosures of medical information not covered by this notice or the laws that apply to the practice will be made only with your written permission/authorization. If you provide us permission to use or share medical information about you, you may revoke that permission, in writing, at any time. If you revoke your permission, this will stop any further use or disclosure of your medical information for the purposes covered by your written authorization, except if the practice has already acted in reliance on your permission. You understand that the practice is unable to take back any disclosures the practice has already made with your permission, and that the practice is required to retain the practice’s records of the care that the practice provided to you.


Privacy officer contact information

If you have any questions about this notice, please contact our Privacy Officer utilizing the contact information set forth below.

Certain provisions of this notice and our related policies and procedures require that notice or other requests be in writing. Please follow our instructions for any such issue.

Privacy officer contact information:

Ruchi Jain, MD
privacy@magnoliarheum.com