THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

WE HAVE A LEGAL DUTY TO SAFEGUARD YOUR PROTECTED HEALTH INFORMATION (PHI).

Pursuant to the Privacy Rule regulations established by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended and supplemented, we are legally required to protect the privacy of your health information. We call this information “protected health information,” or “PHI” for short. It includes information that can be used to identify you and that we have created or received about your past, present, or future health condition, the provision of health care to you, or the payment for this health care. We are required to provide you with this notice about our privacy practices. It explains how, when, and why we use and disclose your PHI. With some exceptions, we may not use or disclose any more of your PHI than is necessary to accomplish the purpose of the use or disclosure. We are legally required to follow the privacy practices that are described in this notice.

HOW WE MAY USE AND DISCLOSE YOUR PROTECTED HEALTH INFORMATION.

We use and disclose your health information for many different reasons. For some of these uses and disclosures, we need your specific authorization. Below, we describe the different categories of uses and disclosures of your PHI.

1. Uses and Disclosures That Do Not Require Your Authorization.

We may use and disclose your PHI without your authorization for the reasons set forth below. In the event other applicable law, such as the regulations at 42 CFR Part 2, require your authorization prior to our use or disclosure of certain types or portions of your information, we will first obtain your authorization.

1.    For treatment.  We may use and disclose your PHI for the provision, coordination, or management of your health care, including consultations between doctors, nurses, and other health care personnel regarding your care, and referrals for care from one provider to another. For example, if you are being treated by a specialist or are referred for a test, we may communicate with such other providers to coordinate your care.

• To obtain payment. We may use and disclose your PHI in order to bill and collect payment for the treatment and services provided to you. For example, we may provide your PHI to our billing staff and your health plan to get paid for the health care services we provided to you. We also may disclose PHI to another provider involved in your care for the other provider’s payment activities. Note that certain state or federal laws governing specialized or highly sensitive health information may require your written authorization prior to our disclosure of PHI for payment purposes. In this event, we will ask you to sign an authorization form so that we may disclose your PHI to obtain payment. 

3.    For health care operations. We may use and disclose your PHI as necessary to operate our business. For example, we may use your PHI in order to evaluate the quality of health care services that you received or to evaluate the performance of the health care professionals who provided health care services to you. We may provide your PHI to our accountants, attorneys, consultants, and others as needed for their services. We also may use your PHI for data aggregation purposes or to de-identify your PHI (that is, remove your personal identifiers) in accordance with applicable law, including through our business associates. We and others may use such de-identified data for legally-permitted purposes. We may use your PHI to create a “limited data set” by removing certain identifying information. We may use and disclose the limited data set for research, public health, or health care operations purposes, and any third party who receives a limited data set must sign an agreement to protect your health information.

4.    When a disclosure is required by federal, state or local law, judicial or administrative proceedings, or law enforcement.  We may use or disclose your PHI for such purposes. For example, we may disclose your PHI when a law requires that we report certain information to government agencies or to law enforcement personnel about victims of abuse, neglect, or domestic violence (for adults, we will make the disclosure of adult abuse only if the person agrees or when required by law); when dealing with gunshot or other wounds; for the purpose of identifying or locating a suspect, fugitive, material witness or missing person; or when subpoenaed or ordered in a judicial or administrative proceeding.

5.    For public health activities. We may use or disclose your PHI for public health activities. For example, we may disclose PHI to report information about births, deaths, various diseases, adverse events, and product defects to government officials in charge of collecting that information; to prevent, control, or report disease, injury or disability as permitted or required by law; to conduct public health surveillance, investigations and interventions as permitted or required by law; or to notify a person who has been exposed to a communicable disease or who may be at risk of contracting or spreading a disease as authorized by law. 

6.    For health oversight activities. We may use or disclose your PHI for health oversight activities. For example, we may disclose PHI to assist the government or other health oversight agency with activities including audits; civil, administrative, or criminal investigations, proceedings or actions; or other activities necessary for appropriate oversight as authorized by law.  

7.    To coroners, funeral directors, and for organ donation.  We may disclose to coroners, medical examiners, and funeral directors necessary PHI relating to an individual’s death. We may disclose PHI to organ procurement organizations to assist them in organ, eye, or tissue donations and transplants.

8.    For research purposes.  We may disclose PHI in order to conduct medical research where permitted by applicable law. When required by applicable law, we will obtain your written authorization prior to disclosure of your PHI for such purposes.

9.    To avoid harm.  In order to avoid a serious threat to the health or safety of you, another person, or the public, we may provide PHI to law enforcement personnel or persons able to prevent or lessen such harm.

10. For specific government functions. We may disclose PHI of military personnel and veterans in certain situations.  We may also disclose PHI for national security and intelligence activities.

11. For workers’ compensation purposes.  We may disclose PHI in order to comply with workers’ compensation laws.

12.  Inmates. If you are an inmate of a correctional institution or in the custody of a law enforcement official, we may disclose PHI to the correctional institution or law enforcement official, provided that such disclosure is necessary for the provision of health care to you, to protect your health and safety or the health and safety of other inmates, or for the safety and security of the correctional institution.

13.  Lawsuits and disputes. If you are involved in a lawsuit or dispute, we may disclose your PHI subject to certain limitations.  

14.  Appointment reminders and health-related benefits or services. We may use your PHI to provide appointment reminders or give you information about treatment alternatives or other health care services or benefits we offer. We may disclose your PHI to our business associates so that they may perform these functions on our behalf. Please let us know if you do not wish to have us contact you for these purposes, or if you would rather we contact you at a different telephone number or address.

15.  Health Information Exchanges. We and other health care providers may participate in certain Health Information Exchanges (HIEs) as we and they may determine from time to time. These HIEs allow patient information to be shared electronically through a secured connected network. HIEs give your health care providers who participate in the HIE networks immediate electronic access to your pertinent medical information for treatment, payment and certain health care operations. If you do not opt out of a HIE, your information will be available through such HIE network to your authorized participating providers in accordance with this notice and applicable law. If you opt out of a HIE, this will prevent your information from being shared electronically through the HIE network; however, it will not impact how your information is otherwise typically accessed, used, and disclosed in accordance with this notice and applicable law. Any exception that denies an individual from opting out of having their information transmitted through an HIE will be in accordance with applicable federal and state law. In the event we participate in a HIE, you may opt out by contacting our Privacy Officer as provided in Section VI.

16.  Use of unsecure electronic communications. If you choose to communicate with us, including our providers and staff, via unsecure electronic communications, such as regular email or text messages that are not encrypted, we may respond to you in the same manner in which the communication was received and to the same email address or phone number from which you sent your original communication. In addition, if you provide your email address or cell phone number to us, we may send you emails or text messages related to appointment reminders, surveys, or other general informational communications. For your convenience, these messages may be sent unencrypted.

      Before using or agreeing to use any such unsecure electronic communication technology, note that there are certain risks, such as, but not limited to, interception by others who are not authorized to have your information, shared accounts, misdirected/misaddressed messages, or messages stored on unsecured devices. By choosing to correspond with us via unsecure electronic communications, you are agreeing to accept these risks.

      You should understand that the use of email, text message or other electronic communication methods is not intended to be a substitute for professional medical diagnosis, advice, or treatment. Emails, text messages, and other electronic communications should never be used in urgent situations.

      B.   Uses and Disclosures Where You May Have the Opportunity to Object.

1. Disclosures to family, friends, or others. We may disclose your PHI to a family member, friend, or other person that you indicate is involved in your health care or the payment for your health care, to the extent related to their involvement in your care or payment for your care. We may use or disclose your PHI to notify others of your general condition and location at our premises. We may allow friends and family to act for you and pick up prescriptions and other documents when we determine, in our judgment, that it is in your best interests to do so. If you are available, we will give you the opportunity to object to these types of disclosures, and then we will not make the disclosures for which you have objected.

• Disaster relief. When permitted by applicable law, we may coordinate our uses and disclosures of PHI with other organizations authorized by law or charter to assist in disaster relief efforts. For example, a disclosure may be made to the American Red Cross or similar organization in an emergency.

C.   Uses and Disclosures That Require Your Authorization.  Other than as stated otherwise in this notice, we will not disclose your PHI without your written authorization. You can later revoke your authorization in writing except to the extent that we have taken action in reliance on the authorization.

      1.    Psychotherapy notes. In the event we maintain psychotherapy notes relating to you, in most circumstances we must obtain your written authorization prior to disclosing such psychotherapy notes outside our organization. You do not have a right under HIPAA to receive copies of psychotherapy notes relating to you.

      2.    Genetic information. Except under certain circumstances permitted or required by law, we may use or disclose your genetic information (for example, your DNA sample or DNA test results) only with your written authorization.

      3.    HIV, AIDS, and certain sexually transmitted diseases. Except under certain circumstances permitted or required by law, we may use or disclose diagnosis and treatment information about HIV, AIDS or sexually transmitted diseases only with your written authorization.

      4.    Substance use disorder treatment information. Records received from federally-funded substance use disorder (SUD) treatment facilities are protected by federal regulations at 42 CFR Part 2, which provides certain protections to such records in addition to HIPAA. In the event we receive information or records about you from a federally-funded SUD treatment facility, we will not disclose such information or records to outside third parties for purposes of other than treatment, payment and health care operations unless (i) we have received your written authorization, (ii) we have received a court order accompanied by a subpoena or other legal mandate compelling disclosure that was issued after you and we were given written notice and an opportunity to be heard, as required under federal regulations at 42 CFR Part 2, (iii) the disclosure is made to medical personnel in a medical emergency and we were not able to obtain your prior written authorization, (iv) the disclosure is to qualified medical personnel of the Food and Drug Administration who assert a reason to believe that the health of any individual may be threatened by an error in the manufacture, labeling, or sale of a product under FDA jurisdiction, and that the information will be used for the exclusive purpose of notifying patients or their physicians of potential dangers; or (v) the disclosure is to qualified personnel for research purposes. 42 CFR Part 2 strictly limits use of SUD records in legal proceedings, and the content of such records may not be used or disclosed in civil, criminal, administrative, or legislative proceedings against the individual unless based on written consent, or under a court order after notice and an opportunity is provided to the individual or the holder of the SUD records. A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested record is used or disclosed.

D.   Marketing Communications. We may contact you as part of our marketing activities without obtaining your written authorization, for the following purposes: to provide you with marketing materials in a face-to-face encounter; to give you a promotional gift of nominal value, if we so choose; and, as long as we are not paid to do so, to communicate with you about products or services relating to your treatment, case management, or care coordination, or alternative treatments, therapies, providers, or care settings. We may use or disclose PHI to identify health-related services and products that may be beneficial to your health and then contact you about the services and products. We will obtain your written authorization for certain other marketing activities when we are legally required to do so.

E.   Sale of PHI. We will disclose your PHI in a manner that constitutes a sale of PHI only upon receiving your prior authorization. Sale of PHI does not include a disclosure of PHI for public health purposes; for research; for treatment and payment purposes; relating to the sale, transfer, merger or consolidation of all or part of our business and for related due diligence activities; to the individual; required by law; for any other purpose permitted by and in accordance with applicable law.    

F.   Fundraising Activities. We may use certain information (name, address, telephone number, dates of service, age, and gender) to contact you for the purpose of various fundraising activities we may undertake. You may opt out of such communications by providing notice to us of your opt-out. In the event we create or maintain records subject to 42 CFR Part 2, we will first provide you with a clear and conspicuous opportunity not to receive any fundraising communications. Send written requests to: OrthoNJ, 2 Worlds Fair Drive, Somerset, NJ 08873, Attn: HIPAA Privacy Officer.

G.   Incidental Uses and Disclosures. We may disclose your PHI incident to a use or disclosure that is otherwise permitted as described in this notice. For example, discussions about you within our offices might be overheard by persons not involved in your care. We have implemented reasonable safeguards as well as policies and procedures regarding minimum necessary uses and disclosures of PHI in an effort to minimize such incidental uses and disclosures and to protect your PHI.

H.   Business Associates. We may engage certain individuals or entities (business associates) to provide services to us or perform certain functions on our behalf, and we may disclose your PHI to these business associates for such purposes. For example, we may share PHI with our computer consultant or our billing company to facilitate our health care operations or payment for services provided in connection with your care. We will require our business associates to enter into a written agreement to keep your PHI confidential and to abide by certain terms and conditions.

I.    Data Breach Notification. We may use or disclose your PHI to provide legally-required notices of unauthorized access to or disclosure of your PHI.