The United States Department of Health and Human Services (HHS) has promulgated regulations pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) designed to protect the confidentiality and integrity of Protected Health Information (PHI). PHI is defined by HIPAA as the individually identifiable health information that is:
- Transmitted by electronic media
- Maintained in any medium
- Transmitted or maintained in any other form or medium
As a healthcare provider that provides laboratory testing to ordering authorized healthcare providers, Genetics Associates, Inc. (GAI) is committed to protecting the privacy of patient personal information, laboratory test results, and other protected health information.
GAI has established a special web Outreach portal for physicians to use to obtain laboratory test results for their patients. Information accessed through this portal, including Protected Health Information (as defined below), is secured using administrative, physical, and technical safeguards. Access is password protected and each individual user has a unique user name and password. All access is tracked at GAI for security purposes. PHI that is available on the Outreach Portal may only be used or disclosed for treatment and other authorized purposes.
GAI is a clinical cytogenetic laboratory performing specialized diagnostic testing services for other healthcare providers throughout the United States, including physicians, hospitals, and other laboratories. The ordering of tests and reporting of test results are communications permitted under HIPAA for purposes of treatment, payment and healthcare operations.
Although classified as an “indirect healthcare provider,” GAI is considered a “covered entity” for purposes of compliance with the HIPAA section on Standards for Privacy of Individually Identifiable Health Information (Privacy Rule). In the course of providing its diagnostic services, GAI obtains, uses, and discloses PHI. PHI also includes, but is not limited to, the following:
- Patient name, address, date of birth, social security number, and phone numbers
- Health insurance and other payment information (not necessary if your physician or laboratory pays us directly)
- Your physician’s reason for referral, including diagnosis
- Your physician’s name and address
- Other physical and medical information relating to your condition that we may need to complete your study.
To ensure the protection of PHI, GAI has implemented policies and procedures:
- To comply with federal, state and local laws, and regulations regarding the use and disclosure of such PHI;
- To protect confidentiality and integrity of PHI we collect, create or exchange as part of diagnostic testing services; and
- To prevent inappropriate access to or disclosure of such information.
GAI intends for its security and privacy policies and procedures to comply with HIPAA, including the Health Information Technology for Economic and Clinical Act (HITECH Act), the Security Standards and other applicable federal and state laws and regulations. In the event there is a change in the Security Standards or other applicable federal and state laws or regulations, GAI will amend its privacy program as necessary to comply with applicable law.
Uses and Disclosure of PHI
PHI will be used or disclosed for treatment, payment or healthcare operation purposes and for other purposes permitted or required by law. While we cannot list every possible use or disclosure, most of the ways we use or disclose PHI will fall into one of the categories listed below. If we want to use or disclose PHI for purposes that do not fall into these categories, we must first obtain written authorization. According to law, GAI does not need authorization or permission to use or disclose a patient’s PHI for the following purposes, even after your death:
- Treatment – As a healthcare provider that provides laboratory testing for patients as requested by physicians, GAI uses PHI as part of our testing processes, and GAI discloses PHI to physicians and other healthcare professionals who need access to the results in order to treat the patient. We may also disclose a patient’s PHI to another testing laboratory if we are unable to perform the testing ourselves and need to refer the specimen to a laboratory that performs the needed test.
- Payment – Our billing department will use and disclose PHI to certain insurance companies, hospitals, physicians, and health plans for payment purposes or to a third party to assist us in creating bills, claim forms, or getting paid for our services, such as a collection agency. There may be instances when we may have to contact the patient to obtain billing information or for other billing purposes.
- Healthcare Operations – We may use or disclose PHI in the course of activities required to support our healthcare operations, such as quality checks on our testing or for developing normal reference ranges for tests that we perform. This information will be used in an effort to improve the quality and effectiveness of the healthcare services we provide. We may also disclose health information to other healthcare providers or payers for their healthcare operations, but only if they already have a relationship with the patient and the purpose is for quality assurance activities, peer review activities, detecting fraud or for other limited purposes.
- Disclosures to Business Associates – GAI may disclose a patient’s PHI to other companies or individuals who, on behalf of GAI, need PHI to provide specific services to us. These other entities, known as “business associates”, generally must comply with the terms of a contract designed to ensure that they will maintain the privacy and security of PHI in the same manner that we do (i.e., for designated treatment, payment, or healthcare operations purposes that they perform for us). For example, PHI may be disclosed to couriers we use to transport specimens to us or to private accrediting organizations that inspect and certify the quality of our laboratories.
- By Law – In order to comply with international, federal or state laws, court orders, subpoenas, or governmental agency orders.
- Public Health – to public health authorities for preventing or controlling disease or reporting vital information (for example, reporting certain sexually transmitted diseases). We may disclose PHI to the Food and Drug Association for purposes related to quality, safety or effectiveness of FDA regulated products; to prevent or control diseases; to report child abuse or neglect; drug reactions to medications; product recalls that we may be using.
- Law Enforcement – to law enforcement officials relating to crimes and other law enforcement purposes.
- Specialized Government Functions – to military command authorities, veteran’s administration, and national security and intelligence officials for activities deemed necessary to carry out their respective missions or to law enforcement officials having custody of an inmate.
- Worker’s Compensation – to the extent authorized by and to the extent necessary to comply with laws relating to worker’s compensation or similar programs established by law.
- Minors – We may disclose minor children’s PHI to the parents or legal guardians unless prohibited by law.
- Data Breach – to provide legally required notices in the event of a data breach.
- Coroners, Medical Examiners, Funeral Directors – in order for them to perform their duties.
GAI’s information technology system uses modern encryption and authorization/authentication technology to guard against unauthorized access to PHI across the GAI network as well as open networks such as the internet. As per HIPAA guidelines, GAI continually monitors external communications and maintains strict security standards for both hardware and software to protect PHI.
Uses and Disclosures That Require Us to Give You an Opportunity to Object and Opt Out
Unless you object in writing, we may disclose to a member of your family, a relative, a close friend or any other person you identify, your PHI that directly relates to that person’s involvement in your health care. If you are unable to agree or object, we may disclose such information as necessary if we determine it is in your best interest based on our professional judgment.
You may also object in writing under your HIPAA rights that your healthcare providers not disclose information about services received when you pay in full or out-of-pocket for the service and refuse to file a claim with your health plan.
Your Rights Regarding Your PHI
Patient Access to Protected Health Information – Under §164.524, Access of individuals to protected health information, a patient or personal representative (family member, power of attorney or legal guardian) may request access to their protected health information (PHI). Genetics Associates, Inc. (GAI) will require written documentation of the request. The patient or their legal representative shall complete the following document and submit it to GAI by fax or mail along with a copy of their photo ID. No verbal requests will be accommodated. Genetics Associates will charge a nominal fee of $25.00 for the retrieval of information. Should the patient or legal representative request an interpretation, GAI will refer the patient back to the requesting physician.
Required Patient Information:
- Social Security Number
- Date of Birth
- Specimen Type
- Date of Service
- Patient’s Address
- Ordering Physician
- Valid photo ID, included with request
  - Driver’s License
  - Other Government-Issued ID
Right to Amend – If you feel that there is a mistake or missing information in our records of your PHI, you may ask us to make the corrections. The request must be in writing and you must provide a reason that supports your request. We reserve the right to deny the request. Any denial will state the reason for the denial.
Right to Request Restrictions – You have the right to ask us to limit how your PHI is used or disclosed. The request must be made in writing, describe the restrictions, and to whom those restrictions apply. You have the right to restrict disclosures to health plans for services which you paid for out of pocket.
Right to Confidential Communication – You have the right to ask us to communicate with you in a certain way or at a certain address. For example, you may want your information sent to your workplace instead of home.
Updated: April 28, 2017