We are required by law to give you this notice. It will tell you about the ways in which we may use and disclose health information about you and describes your rights and our obligations regarding the use and disclosure of that information.
If you have any questions about this notice, please contact the Pathways, Inc. Privacy Officer at (607) 937-4557 or in writing to 33 Denison Parkway West, Corning, New York 14830.
Who Will Follow This Notice
This notice describes the information privacy practices followed by our employees, staff and other office personnel. This includes staff members, volunteers, and people Pathways, Inc. contracts with who we authorized to access your information to provide services to you.
Your Health Information
This notice applies to the information and records we have about your health, health status, and the health care and services you receive at Pathways, Inc. including photographs and other images.
How We May Use and Disclose Health Information About You
We may use health information about you to provide you with treatment or services. We may disclose health information about you to doctors, nurses, technicians, office staff, contractors or other personnel who are involved in taking care of you and your health.
Different personnel at Pathways, Inc. may share information about you and disclose information to people who do not work at Pathways, Inc. in order to coordinate your care, such as phoning in prescriptions to your pharmacy, scheduling lab work, ordering X-rays, and scheduling other assessments. Family members and other health care providers may be part of your medical care outside Pathways, Inc. and may require information about you that we have.
We may use and disclose health information about you so that the treatment and services you receive at Pathways, Inc. may be billed to and payment may be collected from you, an insurance company or a third party. For example, we may need to give your health plan information about a service you received here so your health plan will pay us or reimburse you for the service. We may also tell your health plan about a treatment you are going to receive to obtain prior approval or to determine whether your plan will cover the treatment.
For Health Care Operations
We may use and disclose health information about you in order to operate Pathways, Inc. and make sure that you and our other consumers receive quality care.
For example, we may use your health information to evaluate the performance of our staff in caring for you. We may also use health information about all or many of our consumers to help us decide what additional services we should offer, how we can become more efficient, or whether certain new services are effective.
You may revoke your Consent at any time by giving us written notice. Your revocation will be effective when we receive it, but it will not apply to any uses and disclosures, which occurred before that time.
If you do revoke your Consent, we will not be permitted to use or disclose information for purposes of treatment, payment or health care operations, and we will therefore not be able to provide you with healthcare treatment and services.
We may use or disclose health information about you without your permission for the following purposes, subject to all applicable legal requirements and limitations:
To Avert a Serious Threat to Health or Safety
We may use and disclose health information about you when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person.
Required By Law
We will disclose health information about you when required to do so by federal, state or local law.
Organ and Tissue Donation
If you are an organ donor, we may release health information to organizations that handle organ procurement or organ, eye or tissue transplantation or to an organ donation bank, as necessary to facilitate such donation and transplantation.
We may release health information about you for workers' compensation or similar programs. These programs provide benefits for work-related injuries or illness.
Public Health Risks
We may disclose health information about you for public health reasons in order to prevent or control disease, injury or disability; or report births, deaths, suspected abuse or neglect, non-accidental physical injuries, reactions to medications or problems with products.
Health Oversight Activities
We may disclose health information to a health oversight agency for audits, investigations, inspections, or licensing purposes. These disclosures may be necessary for certain state and federal agencies to monitor the health care system, government programs, and compliance with civil rights laws.
Lawsuits and Disputes
If you are involved in a lawsuit or a dispute, we may disclose health information about you in response to a court or administrative order. Subject to all applicable legal requirements, we may also disclose health information about you in response to a subpoena.
We may release health information if asked to do so by a law enforcement official in response to a court order, subpoena, warrant, summons or similar process, subject to all applicable legal requirements.
Coroners, Medical Examiners, and Funeral Directors
We may release health information to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death.
Information Not Personally Identifiable
We may use or disclose health information about you in a way that does not personally identify you or reveal who you are.
Family and Friends
We may disclose health information about you to your family members or friends if we obtain your verbal agreement to do so or if we give you an opportunity to object to such a disclosure and you do not raise an objection. We may also disclose health information to your family or friends if we can infer from the circumstances, based on our professional judgment that you would not object.
In situations where you are not capable of giving consent (because you are not present or due to your incapacity or medical emergency), we may, using our professional judgment, determine that a disclosure to your family member or friend is in your best interest. In that situation, we will disclose only health information relevant to the person's involvement in your care. We may also use our professional judgment and experience to make reasonable inferences that it is in your best interest to allow another person to act on your behalf to pick up, for example, filled prescriptions, medical supplies, or X-rays.
Other Uses and Disclosures of Health Information
We will not use or disclose your health information for any purpose other than those identified in the previous sections without your specific, written Authorization. We must obtain your Authorization separate from any Consent we may have obtained from you. If you give us Authorization to use or disclose health information about you, you may revoke that Authorization, in writing, at any time. If you revoke your Authorization, we will no longer use or disclose information about you for the reasons covered by your written Authorization, but we cannot take back any uses or disclosures already made with your permission.
If we have HIV or substance abuse information about you, we cannot release that information without a special signed, written authorization (different than the Authorization and Consent mentioned above) from you. In order to disclose these types of records for purposes of treatment, payment or health care operations, we will have to have both your signed Consent and a special written Authorization that complies with the law governing HIV or substance abuse records.
Your Rights Regarding Health Information About You
You have the following rights regarding health information we maintain about you:
Right to Inspect and Copy
You have the right to inspect and copy your health information, such as medical and billing records, that we use to make decisions about your care. You must submit a written request to the Pathways, Inc. Privacy Officer in order to inspect and/or copy your health information. If you request a copy of the information, we may charge a fee for the costs of copying, mailing or other associated supplies. We may deny your request to inspect and/or copy in certain limited circumstances. If you are denied access to your health information, you may ask that the denial be reviewed. If such a review is required by law, we will select a licensed health care professional to review your request and our denial. The person conducting the review will not be the person who denied your request, and we will comply with the outcome of the review.
Right to Amend
If you believe health information we have about you is incorrect or incomplete; you may ask us to amend the information. You have the right to request an amendment as long as the information is kept by this office.
To request an amendment, complete and submit a Medical Record Amendment/Correction Form to the Pathways, Inc. Privacy Officer. We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend information that:
a.) We did not create, unless the person or entity that created the information is no longer available to make the amendment.
b.) Is not part of the health information that we keep.
c.) You would not be permitted to inspect and copy.
d.) Is accurate and complete.
Right to an Accounting of Disclosures
You have the right to request an "accounting of disclosures." This is a list of the disclosures we made of medical information about you for purposes other than treatment, payment and health care operations. To obtain this list, you must submit your request in writing to the Pathways, Inc. Privacy Officer. It must state a time period, which may not be longer than six years and may not include dates before April 14, 2003. Your request should indicate in what form you want the list (for example, on paper, electronically). We may charge you for the costs of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred.
Right to Request Restrictions
You have the right to request a restriction or limitation on the health information we use or disclose about you for treatment, payment or health care operations. You also have the right to request a limit on the health information we disclose about you to someone who is involved in your care or the payment for it, like a family member or friend. Additionally, Pathways, Inc. must agree to an individual’s request to restrict disclosure of PHI to a health plan if the PHI relates to a health care item or service that has been paid in full to Pathways, Inc. by someone other than the health plan.
We are Not Required to Agree to Your Request
If we do agree; we will comply with your request unless the information is needed to provide you emergency treatment.
To request restrictions, you may complete and submit the Request For Restriction On Use/Disclosure Of Medical Information to the Pathways, Inc. Privacy Officer.
Right to a Copy of This Notice
You have the right to a paper copy of this notice. You also have the right to access PHI in electronic form if requested by the individual. You may ask us to give you a copy of this notice at any time. Even if you have agreed to receive it electronically, you are still entitled to a paper copy. To obtain such a copy, contact the Pathways, Inc. Privacy Officer.
Right to Notice in the Event of a Breach
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.
Covered entities and business associates, where applicable, have the discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised.
There are three exceptions to the definition of “breach.” The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority. The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.
Pathways, Inc. must notify affected individuals following the discovery of a breach of unsecured protected health information. Covered entities must provide this individual notice in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its website or by providing the notice in major print or broadcast media where the affected individuals likely reside. If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written, telephone, or other means.
These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information of the covered entity. Additionally, for substitute notice provided via web posting or major print or broadcast media, the notification must include a toll-free number for individuals to contact the covered entity to determine if their protected health information was involved in the breach.
Changes to This Notice
We reserve the right to change this notice and to make the revised or changed notice effective for medical information we already have about you as well as any information we receive in the future. We will post a summary of the current notice at all program sites with its effective date in the top right-hand corner. You are entitled to a copy of the notice currently in effect.
If you believe your privacy rights have been violated, you may file a complaint with our office or with the Secretary of the Department of Health and Human Services or the Office for Civil Rights. To file a complaint with our office, contact the Pathways, Inc. Privacy Officer at (607) 937-4557 or in writing to 33 Denison Parkway West, Corning, New York 14830. You will not be penalized for filing a complaint.