THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

PLEASE REVIEW IT CAREFULLY.

This notice will tell you about the ways in which The Multiple Sclerosis Center of Atlanta ("MSCA") may use and disclose medical information about you. We will also describe your rights and certain obligations we have regarding the use and disclosure of medical information. The terms "information," "health information" or "medical information" in this notice include any information that we maintain that reasonably can be used to identify you and that relates to your physical or mental health condition, the provision of health care to you, or the payment for your health care.

We are required by law to:

  • Make sure medical information that identifies you is kept private;

  • Give you this notice of our legal duties and privacy practices with respect to medical information about you; and

  • Follow the terms of the notice that is currently in effect.

We have the right to change our privacy practices and the terms of this notice. If we make a material change to our privacy practices, we will provide you with a revised notice at your first visit after the revision or electronically as permitted by applicable law. In all cases, we will post the revised notice on our website www.mscatl.org. We reserve the right to make any revised or changed notice effective for information we already have and for information that we receive in the future.

How we may use and disclose your medical information:

Each time you visit MSCA, a record of your visit is made. Typically, this record contains your symptoms, examination and test results, diagnoses, treatment, and a plan for future care or treatment. This information, often referred to as your health or medical record and containing your health information, may be used and disclosed in different ways. For each category of uses or disclosures, we will explain what we mean and try to give some examples. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one of these categories.

  1. Treatment. We may use and disclose medical information in the course of providing, coordinating or managing your medical treatment, including the disclosure of medical information for treatment activities of another health care provider. We may use your medical information to treat you. For example, we may ask you to have laboratory tests (such as blood or urine tests), and we may use the results to help us reach a diagnosis. We might use your medical information in order to write a prescription for you, or we might disclose your medical information to a pharmacy when we order a prescription for you. Many of the people who work at MSCA - including, but not limited to, doctors, nurses, technicians, students and trainees (both health professional and administrative) - may use or disclose your medical information in order to treat you or to assist others who may assist in your care, such as your spouse, children or parents. Finally, we may also disclose your medical information to other health care providers for purposes related to your treatment.
  2. Payment. We may use and disclose your medical information so that the treatment and services you receive at MSCA may be billed and payment may be collected from you, an insurance company or a third party. For example, we may need to give your health plan information about a procedure you received at MSCA so your health plan will pay MSCA or reimburse you. We also may tell your health plan about a treatment you are going to receive to obtain prior approval or to determine whether your plan will cover the treatment.
  3. Health Care Operations. We may use and disclose your medical information as part of our operations. These operations include, but are not limited to, quality assessment and improvement of our services and treatment, provider training, underwriting activities, compliance and risk management activities, planning and development, management and administration, and disclosures to doctors, nurses, technicians, students, trainees, attorneys, consultants, accountants and others for review and learning purposes. We may also disclose your medical information to other health providers and health plans for certain of their health care operations, provided that those other plans or providers have, or had in the past, a relationship with you.
  4. Appointment Reminders. We may use and disclose your medical information to contact you and remind you of an appointment. For example, we may contact the home telephone number or business telephone number you provide to us on your patient information form and leave a message on your answering machine reminding you of an upcoming appointment in our office.
  5. Treatment Options. We may use and disclose your medical information to tell you about or recommend possible treatment options or alternatives that our staff have determined to possibly be of benefit to you.
  6. Health-Related Benefits and Services. We may use and disclose your medical information to inform you of health-related benefits or services that may be of interest to you.
  7. Individuals Involved in Your Care. We may release your medical information to a friend or family member who is actively involved in your medical care. We also may release medical information to someone who helps pay for your care. This would be the minimum information necessary to facilitate payment.
  8. Participation in an Organized Health Care Arrangement. To the extent MSCA participates in an organized health care arrangement pertaining to you, we may disclose your medical information to other covered entities that participate in such arrangement.
  9. Business associates. During the course of providing treatment to you, obtaining payment for your care and conducting normal practice operations, MSCA works with business partners. For example, MSCA works with computer software and hardware companies. Though every reasonable attempt will be made by MSCA to limit access by business associates to patient information, it is impossible to prevent all such access. Therefore, MSCA requires all business associates to enter into contractual agreements that require these business associates to limit their access to patient information to that which is necessary or unavoidable. Furthermore, our contracts with business associates require that all access to patient information that does occur will be managed according to strict principles of confidentiality and privacy. These business associates are required to follow the same privacy laws as MSCA, including protecting your information and taking appropriate measures in the event of a breach of your medical information.
  10. Marketing activities. We must also obtain your written permission (authorization) prior to using your PHI to send you any marketing materials. We may not sell your PHI without your written authorization. However, we may communicate with you about some products or services related to your treatment, case management, care coordination, alternative treatments, therapies, healthcare providers or care settings without your permission. Marketing activities do not include a communication made to you to provide refill reminders or otherwise communicate with you about a drug or biologic that is currently being prescribed for you. Communications for activities such as providing information about a generic equivalent of a drug being prescribed to you, as well as adherence communications encouraging you to take your prescribed medication as directed are excluded from marketing activities.

    In situations where marketing communications involve financial compensation, MSCA will obtain a valid authorization from you before using or disclosing PHI for such purposes. The disclosure will indicate that we are receiving financial compensation from a third party. Additionally, where we have an arrangement with a business associate (including a subcontractor) who receives financial compensation from a third party in exchange for making a communication about a product or service, such communication also requires your prior authorization.

  11. Fundraising activities. We may use your demographic information, the dates on which you were treated at MSCA, the outcome of your treatment, your treating physician and your insurance status to contact you in an effort to raise money for MSCA and its operations. If you do not want MSCA to contact you for fundraising efforts, you have the right to opt out of these communications by notifying the MSCA Privacy Officer in writing at 3200 Downwood Circle, Suite 550, Atlanta, GA 30327.
  12. Research. Under certain circumstances, we may use and disclose your medical information for research purposes. For example, a research project may involve comparing the health and recovery of all patients who received one medicine to those who received another, for the same condition. All research projects, however, are subject to a special approval process. This process evaluates a proposed research project and its use of medical information and tries to balance the research needs with patients' needs for privacy of their medical information. We may disclose your medical information to people preparing to conduct a research project. For example, we may allow researchers to review patient records to help them determine if a particular research project will be successful. We always require that researchers honor the confidential nature of your medical information. Finally, it is a requirement of all approved research studies that any publication of results contain full de-identification of the medical information; that is, in no way will a reader of the publication be able to identify you with the medical information disclosed in the publication. Where research involves the use or disclosure of psychotherapy notes, an authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for psychotherapy notes.
  13. As Required by Law. We will disclose your medical information when required to do so by federal, state or local law.
  14. To Avert a Serious Threat to Health or Safety. We may use and disclose your medical information when necessary to prevent a serious threat to your health and safety or to the health and safety of others. Any disclosure, however, would only be to someone able to help prevent the threat.
  15. Special situations:
    Military and Veterans. If you are a member of the armed forces, we may release your medical information as required by military command authorities. We also may release medical information about foreign military personnel to the appropriate foreign military authorities.
  16. Workers' Compensation. We may release your medical information for workers' compensation or similar programs. These programs provide benefits for work-related injuries or illness.
  17. Public Health Activities. We may disclose your medical information for public health activities. These activities generally include the following:
    • To prevent or control disease, injury or disability
    • To report births and deaths
    • To report reactions to medicines or problems with products
    • To notify people of recalls of products they may be using
    • To notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition
    • To notify the appropriate government authority if we believe a patient has been the victim of abuse, neglect or domestic violence. We will only make this disclosure when required or authorized by law.
  18. Health Oversight Activities. We may disclose medical information to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections and licensure. These activities are necessary for the government to monitor the healthcare system, government programs and compliance with civil rights laws.
  19. Lawsuits and Disputes. If you are involved in a lawsuit or a dispute, we may disclose your information in response to a court or administrative order. We also may disclose your medical information in response to a subpoena, search warrant, discovery request or other lawful process by someone else involved in the dispute, but only if we have made an effort to inform you of the request or to obtain an order protecting the information the party has requested.
  20. Law Enforcement. We may release medical information if asked to do so by a law enforcement official:
    • In response to a court order, subpoena, warrant, summons or similar process

    • To identify or locate a suspect, fugitive, material witness or missing person

    • About the victim of a crime if, under certain limited circumstances, we are unable to obtain the person's agreement

    • About a death we believe may be the result of criminal conduct

    • About criminal conduct at MSCA

    • In emergency circumstances to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime

  21. National Security and Intelligence Activities. We may release your medical information to authorized federal officials for intelligence, counterintelligence and other national security activities authorized by law.
  22. Protective Services for the President and Others. We may disclose your medical information to authorized federal officials so they may provide protection to the President, other authorized persons or foreign heads of state or to conduct special investigations.
  23. Inmates. If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release your medical information to the correctional institution or law enforcement official. This release would be necessary: (1) for the institution to provide you with healthcare; (2) to protect your health and safety or the health and safety of others; or (3) for the safety and security of the individuals housed in the correctional institution.
  24. Coroners, Medical Examiners or Funeral Directors. We may disclose medical information to coroners, medical examiners or funeral directors as necessary to enable these parties to carry out their duties.
  25. Breaches. In the event of a known or suspected violation of your privacy, we may disclose facts including some patient information to you, investigating authorities, and/or the U.S. Department of Health and Human Services. We may also share information regarding the breach with the news media, but would not provide them with any identifiable information about you.
  26. Psychotherapy Notes. Psychotherapy notes may not be disclosed without your authorization except in limited circumstances.
  27. Organ and Tissue Donation. If you are an organ donor, MSCA may use or release your health information to organizations that handle organ procurement or other entities engaged in procurement, banking or transportation of organs, eyes or tissues to facilitate organ, eye or tissue donation and transplantation.

OTHER USES AND DISCLOSURES OF HEALTH INFORMATION FOR WHICH AUTHORIZATION IS REQUIRED.

Other types and uses of your medical information described above or otherwise permitted by law will be made only with your written authorization, which you have the limited right to revoke in writing.

YOUR RIGHTS REGARDING YOUR MEDICAL INFORMATION

Although your health record is the physical property of MSCA, the information belongs to you. You have the following rights regarding your medical information that we maintain:

  1. Right to inspect and copy. You have the right to inspect and obtain a copy of medical information that may be used to make decisions about your care. This includes medical and billing records in physical form or electronic copy. To inspect and/or copy medical information that may be used to make decisions about you, you must submit your request in writing to the manager of Medical Records at MSCA (or his/her designee). If you request a copy of the information, we may charge a fee for the costs of copying, mailing or other supplies associated with your request. We may deny your request to inspect and copy in certain, very limited circumstances. If you are denied access to medical information, you may request that the denial be reviewed. Another licensed healthcare professional chosen by MSCA will review your request and the denial. The person conducting the review will not be the person who denied your original request. We will comply with the outcome of the review.
  2. Right to request third-party disclosure. You have the right to request that information regarding your care be sent to a third party. Your request must be signed, in writing and must clearly designate the third party to whom MSCA should send the requested information. We may charge a fee for the costs of copying, mailing or other supplies associated with your request.
  3. Right to amend. You may ask us to amend your health information if you believe it is incorrect or incomplete and you may request an amendment for as long as the information is kept by or for our practice. To request an amendment, your request must be made in writing and submitted to the MSCA Privacy Officer, 3200 Downwood Circle, Suite 550, Atlanta, GA 30327. You must provide us with a reason that supports your request for amendment. MSCA will deny your request if you fail to submit your request (and the reason supporting your request) in writing. Also, we may deny your request if you ask us to amend information that is in our opinion: (a) accurate and complete; (b) not part of the medical information kept by or for MSCA; (c) not part of the medical information which you would be permitted to inspect and copy; or (d) not created by MSCA, unless the individual or entity that created the information is not available to amend the information.

  4. Right to an accounting of disclosures. You have the right to request an "accounting of disclosures." This is a list of the disclosures we made of your medical information. Exceptions: Disclosures as a result of a valid authorization and disclosure to individuals made as part of activities 1 to 14, 18, 20 and 25 above may not be available (every therapist, nurse, etc. involved in your care, every audit of care provided, etc.) and may not, therefore, be included in the accounting of disclosures provided to you. To request this list or accounting of disclosures, you must submit your request in writing to the MSCA. Your request must state a time period, which may not be longer than six years and may not include dates before November 1, 2003. The first list you request within a 12-month period will be free of charge. For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost prior to providing the list, and you may choose to withdraw or modify your request at that time before any costs are incurred.
  5. Right to request restrictions. You have the right to request a restriction or limitation on the medical information we use or disclose about you. You also have the right to request a limit on the medical information we disclose about you to someone who is involved in your care or who pays for your care, such as a family member or friend. For example, you could ask that we not use or disclose information about a surgery you had to a specific family member who is not a legal guardian. We are not required to agree to all of your requests. In particular, we will not agree if we have any concern that this could compromise our ability to provide appropriate care to you. Also, we cannot agree to deny access to your records by a parent or legal guardian. You do have the right to restrict disclosures of medical information to a health plan if the disclosure is for payment or healthcare operations and pertains to a healthcare item or service for which you have paid out-of-pocket in full. To request restrictions, you must make your request in writing to the MSCA Privacy Officer. In your request, you must tell us: (1) what information you want to limit; (2) whether you want to limit our use, disclosure or both; (3) to whom you want the limits to apply.
  6. Right to request confidential communications. You have the right to request that we communicate with you about your medical matters in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail. We will make reasonable efforts to comply. We reserve the right to take back our agreement should we feel this is necessary to protect you. To request confidential communications, you must make your request in writing to the MSCA Privacy Officer. We will not ask you the reason for your request. We will make reasonable efforts to accommodate all reasonable requests. Your request must specify how or where you wish to be contacted.

  7. Right to a paper copy of this notice. You have the right to a paper copy of this notice. You may ask us to give you a copy of this notice at any time. Even if you have agreed to receive this notice electronically, you are still entitled to a paper copy of this notice. You may obtain a copy of this notice at our website, www.mscatl.org, or to obtain a paper copy of this notice, contact the MSCA Privacy Officer at 404-351-0205.
  8. Right to be notified following a breach of unsecured medical information. You have a right to and will receive notifications of breaches affecting your medical information. A breach means the access, use or disclosure of your unsecured protected health information in a manner not permitted under HIPAA. If this occurs, you will be provided information about the breach, information about the steps MSCA has taken to minimize harm as a result of the breach and how you can lessen any harm as a result of the breach.

Complaints:

If you believe your privacy rights have been violated, contact the MSCA Privacy Officer.

All complaints must be in writing.

You may also send a written complaint to the U.S. Department of Health and Human Services at:

Region IV, Office for Civil Rights, DHHS

61 Forsyth Street, SW, Suite 16T70 Atlanta, GA 30303

FAX 404-562-7881

Complaints filed directly with DHHS must: (1) be in writing; (2) contain the name of the entity against which the complaint is lodged; (3) describe the relevant problems; and (4) be filed within 180 days of the time you became or should have become aware of the problem.

You will not be penalized in any way for filing a complaint.

Other uses of medical information:

Other uses and disclosures of medical information not covered by this notice or state or federal laws that apply to MSCA will be made only with your written permission. If you provide us permission to use or disclose your medical information, you may revoke that permission, in writing, at any time. If you revoke your permission, we will no longer use or disclose your medical information for the reasons covered by your written authorization. MSCA is unable to take back any disclosures we have already made prior to your revocation of permission to disclose.

Notice of Privacy Policies Revision Number: 3. Adopted as of November 1, 2003; Revised effective September 23, 2013