NOTICE OF ELECTRONIC DISCLOSURE OF PROTECTED HEALTH INFORMATION
THIS NOTICE DESCRIBES HOW HEALTH INFORMATION CONCERNING AN INDIVIDUAL MAY BE USED AND DISCLOSED ELECTRONICALLY BY CUBHUB SYSTEMS, AND THE EXTENT OF AN INDIVIDUAL’S RIGHTS WITH RESPECT TO SUCH INFORMATION. PLEASE REVIEW IT CAREFULLY.
As a business associate of home health agencies and other health care providers (our “clients”), we (CUBHUB) obtain, maintain, use, and transmit electronic Protected Health Information (“PHI”) when providing services to our clients and acting on our clients’ behalf. This privacy notice describes the types of information that are typically used and disclosed electronically by us, and an individual’s rights regarding how that information can be used and disclosed.
PHI is individually identifiable health information relating to past, present, or future physical or mental health of an individual; health care provided to an individual; or payment for the health care provided to an individual. PHI does not include summary health information or information that has been de-identified according to the standards for de-identification provided for in the HIPAA Privacy Rule.
Permitted/Required Uses and Disclosures of PHI
We will only use or disclose your PHI to the extent allowed under business associate agreements entered into with our clients and as allowable under federal and state law. Thus, the uses and disclosures discussed below may be further limited than as described herein under certain circumstances, including when a more restrictive business associate agreement has been entered into with a client or pursuant to specific limitations in a client’s notice of privacy practices that we have notice of and have agreed to abide by.
Our business associate agreements generally authorize us to use your PHI to perform the services we provide to our clients. We provide practice management solutions to our clients through a software-as-a-service model, through which we provide a platform for communication and care coordination, billing support, maintenance of patient records, and other related functions. In performing these activities, PHI is used and disclosed for the purpose of routine treatment, payment, and health care operations.
Use and Disclosure for Treatment
Your PHI may be used by, and disclosed to, health care providers, including, but not limited to, doctors, nurses, laboratory technicians, medical students, and other health care personnel involved in your treatment.
Use and Disclosure for Payment
Your PHI may be used by, and disclosed to, individuals involved in the payment for your health care, your benefits, claim submission, and other claims administration.
Use and Disclosure for Health Care Operations
Your PHI may be used and disclosed for health care operation purposes including, but not limited to: submitting claims; quality review assessments; audits, including fraud and abuse detection and compliance programs; business management and planning; the sale, transfer, merger, or consolidation of a covered entity; legal or administrative services; complaint review; regulatory review; and other legal compliance. In addition, your PHI may be used and disclosed for case management and care coordination, contacting health care providers and patients with information about treatment, drug and disease management alternatives, and other related functions that do not include treatment. Further, we may share your PHI with third-party subcontractors or other business associates who perform various activities related to health care activities. We require such third parties to sign “downstream” business agreements specifying their compliance with applicable law, the “upstream” business associate agreements we have agreed to with our clients, and our own privacy and security policies.
We have developed policies and procedures in order to ensure the privacy and security of your PHI. These policies and procedures are based on appropriate administrative, technical, and physical safeguards necessary to maintain confidentiality. Access to your PHI is limited to those individuals that have a legitimate business need for that information. This protection extends to the use of your PHI by our subcontractors through our agreements with them.
Other Permitted/Required Uses and Disclosures of PHI
Your PHI received or created in our capacity as a business associate may be used or disclosed as necessary for the proper management and administration of our business or to carry out our legal responsibilities. We may use or disclose PHI to provide data aggregation services relating to the health care operations of clients. We may also de-identify your PHI under certain circumstances and use such de-identified information for various purposes. We may use and disclose your PHI for other permitted reasons, including but not limited to the following reasons: as required by law; in response to a court order or other legal proceeding; in judicial and administrative proceedings; for law enforcement purposes; to comply with worker’s compensation or other similar laws; for public health activities; for health oversight activities; to report abuse, neglect, or domestic violence; to the military if you are a member of the armed services; to correctional institutions if you are an inmate; to coroners, medical examiners, and funeral directors for decedent’s information purposes; for organ, eye, or tissue donation purposes; and for national security and intelligence purposes as authorized by law. We will only use or disclose the minimum amount necessary to perform these functions.
Other Uses and Disclosures of PHI
Uses and disclosures of PHI for purposes other than those described above will be made only with your written authorization. If you provide us authorization to use or disclose your PHI, you may revoke that authorization, in writing, at any time. If you revoke your authorization, we will no longer use or disclose information following the specific purpose contained in the authorization. You understand that we are unable to take back any disclosures already made with your authorization, and that we are required to retain any records we may have containing your PHI.
Also, certain disclosures of PHI may occur incidentally as a result of otherwise authorized uses or disclosures of PHI. We will use our best efforts to limit these disclosures, but from a practical standpoint, incidental disclosures are not likely to be completely avoided.
Your Individual Rights With Respect to PHI
Upon written request, you have the right to:
- request restrictions on certain uses and disclosures of your PHI, though we are not always required to agree to a requested restriction;
- request communications of PHI by alternative means or at alternative locations; access or inspect our records containing your PHI;
- request an amendment to your PHI, though we are not always required to agree to a requested amendment; and
- receive an accounting of certain disclosures of your PHI.
Except as otherwise authorized under applicable law, we do not use or disclose PHI when specifically protected by more stringent state law. Examples of more stringent state laws include those protecting HIV status, results of genetic testing, and indications of domestic abuse.
We will follow state privacy laws that are more stringent than this federal law.
You may also receive a paper copy of this notice from us upon your request.
Our Duties Regarding the Use and Disclosure of PHI
We are committed to maintaining your privacy and abiding by this notice, and we are required by state law to provide this notice to all individuals for whom we create or receive PHI.
We reserve the right to change the terms of this privacy notice.
How to File a Complaint Regarding the Use and Disclosure of PHI
If you believe your privacy rights have been violated, you may file a complaint with us, the United States Secretary of Health and Human Services. All complaints should be in writing. Please be assured that you will not be retaliated against for filing a complaint.
How to Contact Us