The following is the Notice of Privacy Practices of Stairway to Health (“Covered “Entity”) as described in the Health Insurance Portability and Accountability Act of 1996 and regulations promulgated thereunder, commonly known as HIPAA. HIPAA requires Covered Entity by law to maintain the privacy of your protected health information and to provide you with notice of Covered Entity’s legal duties and privacy policies with respect to your protected health information. We are required by law to abide by the terms of this Privacy Notice.
How We May Use & Disclose Your PHI
Except where prohibited by state or federal laws, we may use and disclose your PHI for treatment, payment, and health care operations without your prior authorization. We may communicate your information using various methods, orally, written, facsimile, and electronic communications. The following describes examples of the way we may use and disclose medical information.
- Notification To A Family Member Family member
We may use or disclose your PHI regarding your location and general condition to notify or assist in notifying a family member, personal representative, or another person responsible for your care.
- Payment
Under federal law, we may use or disclose PHI so that the services you receive are appropriately billed to, and payment is collected from, your health plan. By way of example, we may disclose PHI to permit your health plan to take certain actions before it approves or pays for treatment services. We may contact the Guarantor for your visit in order to obtain payment.
- For Treatment
We may use and disclose your PHI to provide, coordinate, and manage your treatment or services. We may disclose medical information about you to other healthcare professionals, such as physicians, nurses, technicians, clinical laboratories, imaging centers, medical students, or other personnel who are involved in your care. We may also provide other healthcare professionals who contribute to your care with copies of various reports and information to assist and ensure that they have appropriate information regarding your condition, treatment plan, and diagnosis.
- Workers’ Compensation
When necessary to comply with law, we may disclose your PHI to workers’ compensation or other similar programs established by law.
- FDA
We may disclose PHI relative to adverse events with respect to drugs, foods, supplements, products and product defects, or post-marketing surveillance information to persons under the jurisdiction of the FDA to enable product recalls, repairs, or replacement.
- To Avoid Serious A Serious Threat To Public Health or Safety
We may use and disclose your PHI when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person.
- Law Enforcement
We may disclose your PHI for law enforcement purposes, as required or permitted by law. For example, in response to a subpoena or court order, in response to a request from law enforcement, and to report limited information in certain circumstances.
- Disaster Relief
We may use and disclose your PHI to organizations for purposes of disaster relief efforts.
- Coroners, Medical Examiners, and Funeral Directors
We may disclose PHI to coroners, medical examiners, or funeral directors consistent with applicable law to enable them to carry out their duties. For example, this may be necessary to identify a deceased person or determine the cause of death.
- Correctional Institutions
If you are or become an inmate of a correctional institution, we may disclose to the institution, or its agents, PHI necessary for your health and the health and safety of other individuals.
- Military Command Authority
If you are a member of the armed forces, we may release PHI about you as required by military command authorities. We may also release PHI about foreign military personnel to the appropriate foreign military authority.
- National Security or Intelligence Activities
We may release PHI about you to federal officials for intelligence, counterintelligence, protection of the President, and other national security activities authorized by law.
- As Required By Law
We will disclose your PHI when required to do so by federal, state, or local law.
- Judicial & Administrative Proceedings
If you are involved in a lawsuit or a dispute, we may disclose your PHI in response to a court or administrative order. We may disclose your PHI in response to a subpoena, discovery request, or other lawful process instituted by someone involved in the dispute. Efforts will be made, either by the requesting party or us, to first tell you about the request or to obtain an order protecting the information requested. We may also use or disclose your PHI to defend ourselves in the event of a lawsuit.
- Communication With Individuals Involved In Care or Payment For Care
We may disclose to a family member, personal representative, relative, or another person you identify, PHI directly relevant to that person’s involvement in your care or payment related to your care. If you cannot agree or object to such a disclosure, we may disclose such information as necessary if we determine that it is in your best interest based on our professional judgment. We also may disclose the PHI of minor children to their parents or guardians, unless such disclosure is otherwise prohibited by law.
- Health Updates: We may use your information to send email and/or SMS updates that are relevant to your overall health, such as seasonal health concerns, health reminders, new Stairway to Health locations, and announcements about new services. You may unsubscribe from receiving these updates at any time, but your email will remain in use related to your health care visit and ensure access to your patient portal.
- Organ or Tissue Procurement Organizations
Consistent with applicable law, we may disclose your PHI to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of organs for the purpose of tissue donation and transplant.
- Business Associates
We may use and disclose PHI to our Business Associates who perform certain services for us, such as billing services, copy services, or consulting services. These third-party service providers may need to access your PHI to perform services for us. They are required by contract and law to protect your PHI and only use and disclose it as necessary to perform the required service(s).
- Abuse, Neglect, or Domestic Violence
We may disclose PHI about you to a government authority if we have a reasonable belief that you are a victim of abuse or neglect. We will only disclose this type of information to the extent required by law, if you agree to the disclosure, or if the disclosure is allowed by law and we believe it is necessary to prevent serious harm to you or another individual.
Uses & Disclosures of PHI that Require Prior Authorization
Generally, we may not use or disclose your protected health information without your permission. Further, once your permission has been obtained, we must use or disclose your protected health information in accordance with the specific terms that permission. The following uses and disclosures require an authorization:
- Most uses and disclosures of psychotherapy notes;
- Uses and Disclosures of protected health information for marketing purposes other than Health Updates directly from Stairway to Health, unless (i) is regarding a prescription refill reminder that is for a prescription currently prescribed or a generic equivalent; (ii) is for treatment pertaining to existing condition(s) and Stairway to Health does not receive any financial remuneration in either case or cash equivalent; and/or (iii) communication from a healthcare provider to recommend or direct alternative treatments, therapies, healthcare providers, or settings of care when Stairway to Health does not receive any financial remuneration for making the communication; and
- Disclosures that constitute a sale of protected health information
Other Uses & Disclosures of PHI Not Covered by This Notice
We will obtain your written authorization before using or disclosing your PHI for purposes other than those described in this notice or as otherwise permitted by law. You may revoke an authorization in writing at any time. Upon receipt of the written revocation, we will no longer use or disclose PHI under the authorization, except to the extent that we have already taken action in reliance on the authorization.
Health Information Rights
Under HIPAA, you have certain rights with respect to your protected health information. The following is a brief overview of your rights and our duties with respect to enforcing those rights.
- Obtain a Paper Copy of This Notice
You can request a copy of our current Notice at any time. If agreed to receive the Notice electronically, you are still entitled to a paper copy. You may obtain a copy at our facilities and on our website.
- Notification of a Breach
You have the right to be notified following a breach of your unsecured PHI, and we will notify you in accordance with applicable law.
- Inspect & Obtain a Copy of PHI
You have the right to access and obtain a copy of your PHI that we maintain. If we maintain your PHI in an electronic health record, you have the right to request to obtain the PHI in an electronic format. To inspect or obtain a copy of your PHI, submit a written request. You may ask us to send a copy of your PHI to other individuals or entities. We may charge you a reasonable fee for the costs of copying, mailing, or other supplies associated with the request. We may deny your request to inspect and copy in certain circumstances. If you are denied access to your PHI, you may request that the denial be reviewed.
- Request a Restriction on Uses & Disclosures of PHI
You have the right to request additional restrictions on our use or disclosure of your PHI by submitting a written request to the Privacy Officer. We are not required to agree to the restrictions, except in the case where the disclosure is a health plan for purposes of carrying out payment or healthcare operations, is not otherwise required by law, and the PHI pertains solely to a healthcare item or service for which you, or a person on your behalf, has paid in full.
- Request an Amendment of PHI
If you feel that PHI we maintain about you is incomplete or incorrect, you may request that we amend it. To request an amendment, you must send a written request to the Privacy Officer and include a reason that supports your request. If we deny your request for an amendment, we will provide you with a written explanation. You have the right to file a statement of disagreement with us, and we may prepare a rebuttal to your statement and will provide you with a copy of any such rebuttal.
- Receive an Accounting of Disclosures of PHI
With the exception of certain disclosures, restrictions, and limitations, you have a right to receive a list of the disclosures we have made of your PHI, in the six years prior to the date of your request, to entities or individuals other than you, to individuals involved in your care, or for notification purposes. Limitations may differ for electronic health records. To request an accounting, you must submit a request in writing to the Privacy Officer, and specify a time period. The first accounting you request within any 12-month period will be provided free of charge. For additional requests within the same period, we may charge you for reasonable costs. We will inform you of the costs, and you may choose to withdraw your request before the costs are incurred.
- Request Confidential Communications of PHI by Alternative Means or At Alternative Locations.
You have the right to request that we communicate with you about health matters in a certain way or location to preserve your privacy. For instance, you may request that we contact you at a different address, via email, or other means. Please note if you choose to receive communications from us via email or other electronic means, those may not be secure. This means there is a risk that your PHI in the emails may be intercepted and read by or disclosed to unauthorized parties. To request confidential communication of your PHI, you must submit a written request to the Privacy Officer. Your request must specify how you would like to be contacted. We will accommodate reasonable requests. However, if we are unable to contact you using the ways or locations you have requested, we may contact you using the information we have.
- Grievances.
If you believe your privacy rights have been violated, you can file a grievance in person, or by mail or email with:
Stairway to Health
Attn: Compliance Department
301 Station Road, Suite 103
Dublin, PA 18917
Tel: 267-490-7123| Email: compliance@stairwaytohealth.care
You can also file a grievance with the Security electronically through the Office for Civil Rights Complaint Portal, available at https://ocrportal.hhs.gov/ocr/portal/lobby.jsf, or by mail or email with:
U.S. Department of Health & Human Services
200 Independence Avenue SW, Room 509F HHH Bldg.
Washington, D.C. 20201
Email: OCRComplaint@hhs.gov
Grievances must be made in writing and submitted within 180 days of when you knew of, or should have known of, the suspected violation. There will be no retaliation against you for filing a grievance.
Effective Date and Changes to This Notice
This Notice is effective on October 20, 2023. We may change the terms of this Notice at any time. If we change this Notice, we may make the new notice terms effective for all PHI that we maintain, including any information created or received prior to issuing the new notice. If we change this Notice, we will post the revised notice in the waiting area of our office and on our website. You may also obtain any revised notice by contacting the center’s Compliance Officer.