NOTICE OF PRIVACY PRACTICES (HIPAA) FOR MILAN EYE CENTER

Effective January 1, 2010 / Revised October 24, 2019

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Introduction

At Milan Eye Center, we are committed to treating and using protected health information about you responsibly. This Notice of Health Information Practices describes the personal information we collect, and how and when we use or disclose that information. It also describes your rights as they relate to your Protected Health Information (PHI). “Protected Health Information” is information that individually identifies you and that we create or get from you or from another health care provider, health plan, your employer, or a healthcare clearing house and that relates to (1) your past, present, or future physical or mental health or conditions, (2) the provision of health care to you, or (3) the past, present, or future payment for your health care. This revised notice is effective September 1, 2013, and applies to all PHI as defined by federal regulations.

Understanding Your Health Record/Information

Each time you visit Milan Eye Center, a record of your visit is made. Typically, this record contains your symptoms, examination and test results, diagnoses, treatment, and a plan for future care or treatment. This information, often referred to as your health or medical record, serves as a:

• Basis for planning your care and treatment,

• Means of communication among the many health professionals who contribute to your care,

• Legal document describing the care you received,

• Means by which you or a third-party payer can certify that services billed were actually provided,

• A tool in educating health professionals,

• A source of data for medical research,

• A source of information for public health officials charged with improving the health of this state and the nation,

• A source of data for our planning and marketing,

• A tool with which we assess and continually work to improve the care we render and the outcomes we achieve.

Understanding what is in your record and how your PHI is used helps you to: ensure its accuracy, better understand who, what, when, where, and why others may access your health information, and make more informed decisions when authorizing disclosure to others.

Our Responsibilities:

Milan Eye Center is required to:

• Maintain the privacy of your health information,

• Provide you with this notice as to our legal duties and privacy practices with respect to information we collect and maintain about you,

• Abide by the terms of this notice,

• Notify you if we are unable to agree to a requested restriction, and

• Accommodate reasonable requests you may have to communicate health information by alternative means or at alternative locations.

We reserve the right to change our practices and to make the new provisions effective for all protected health information we maintain. We will not use or disclose your PHI without your authorization, except as described in this notice. We will also discontinue using or disclosing your health information after we have received a phone call or emailed revocation (opt out) of the authorization according to the procedures included in the authorization.

For More Information or to Report a Problem:

If you have questions and would like additional information you may contact the practice’s Privacy Officer:

Janak Pandya

1300 Peachtree Industrial Blvd, Suite 1201, Suwanee, GA 30024

678-381-2020 (o)

678-381-2015 (f)

jpandya@milaneyecenter.com

If you believe your privacy rights have been violated, you can file a complaint with the practice’s Privacy Officer or with the Office for Civil Rights, U.S. Department of Health and Human Services. There will be no retaliation for filing a complaint with either the Privacy Officer or the Office for Civil Rights. All complaints must be submitted in writing. The address for the OCR is listed below:

Office for Civil Rights

U.S. Department of Health and Human Services

200 Independence Avenue, S. W.

Room 509F, HHH Building

Washington, D. C. 20201

Examples of Disclosures for Treatment, Payment and Health Operations:

The following categories describe different ways that we use and disclose PHI. For each category of uses or disclosures we will explain what we mean and try to give some examples. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one of the categories.

For Treatment.  We may use and disclose PHI about you to provide you with medical treatment or services. We may disclose medical information about you to doctors, nurses, technicians, medical students, or other personnel who are involved in taking care of you. For instance, we may need to share information about your condition with another doctor if you have complications and need additional tests.

For Payment.  We may use and disclose PHI about you so that the treatment and services you receive at our practice may be billed, and that payment may be collected from you, an insurance company or another third party. For example, we may need to give your health plan information about services that you received at our practice so your health plan will pay us or reimburse you for the services.

Out-of-Pocket Payments.  If you paid out-of-pocket (or in other words, you have requested that we not bill your health plan) in full for a specific item or service, you have the right to ask that your PHI with respect to that item or service not be disclosed to a health plan for purposes of payment or healthcare operations, and we will honor that request.

For Health Care Operations.  We may use and disclose medical information about you for the practice’s health care operations. These uses and disclosures are necessary to run our practice and to make sure that all patients receive quality care. For example, we may use medical information to review our treatment and services and evaluate the performance of our staff in caring for you. This information can then be used in an effort to continually improve the quality and effectiveness of the health care services we provide. We may also combine medical information about many of our patients to decide what additional services our practice should offer, what services are not needed, and whether certain new treatments are effective. We may also disclose information to doctors, nurses, technicians, medical students, residents, and other practice personnel for review and training purposes. We may also disclose your information in conducting or arranging other business activities of the practice, such as to attorneys, accountants or other business associates or service providers. We may disclose information as part of a sale, transfer, merger or consolidation of our practice to another entity covered by the Privacy Rule. We may remove information that identifies you from this set of medical information so others may use it to study health care and health care delivery without learning who specific patients are.

Appointment Reminders/Treatment Alternatives/Health-Related Benefits and Services.  We may use and disclose PHI to contact you to remind you that you have an appointment for medical care, or to contact you to tell you about possible treatment options or alternatives or health-related benefits and services that may be of interest to you.

Minors. We may disclose the PHI of minor children to their parents or guardians unless such disclosure is otherwise prohibited by law.

Individual Involved in Your Care or Payment for Your Care.  Unless you object, we may release medical information about you to a friend or family member who is involved in your medical care. We may also give information to someone who helps pay for your care. We may also use our professional judgment and experience to make reasonable decisions in allowing a person to act on your behalf to pick up your prescriptions and your medical records. In addition, we may disclose medical information about you to an entity assisting in a disaster relief effort so that your family can be informed about your condition and location.

As Required By Law.  We will disclose medical information about you when required to do so by federal, state or local law.

To Avert a Serious Threat to Health or Safety.  We may use and disclose medical information about you when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.

Special Situations:

Research.  We may also do certain kinds of research using your records, but only if a legally authorized review board gives us permission to use your information and provided that the researcher says he/she will use safeguards to protect your information. You have the right to be notified of possible research involving your PHI and the right to opt out by calling our office or emailing us.

Organ and Tissue Donation.  If you are an organ donor, we may release medical information to organizations that handle organ procurement or organ, eye or tissue.

Military and Veterans. If you are a member of the armed forces, we may release medical information about you as required by military command authorities. We may also release medical information about foreign military personnel to the appropriate foreign military authority. We may use and disclose information to the Department of Veteran Affairs to determine whether you are eligible for certain benefits.

Workers’ Compensation. If applicable, we may release medical information about you for workers’ compensation or similar programs. These programs provide benefits for work-related injuries or illness.

Public Health Risks. We may disclose medical information about you for public health activities. These activities generally include the following:

• to prevent or control disease, injury, or disability;

• to report death;

• to report reactions to medications or problems with products;

• to notify people of recalls of products they may be using;

• to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition;

• to notify the appropriate government authority if we believe you have been the victim of abuse, neglect or domestic violence. We will only make this disclosure if you agree or when required or authorized by law.

Health Oversight Activities. We may disclose medical information to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with applicable civil rights laws, including the HIPAA Privacy Rule.

Lawsuits and Disputes. If you are involved in a lawsuit or a dispute, we may disclose medical information about you in response to a court or administrative order. We may disclose medical information about you in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if we receive satisfactory assurances that the party seeking the information has made efforts to tell you about the request or to obtain an order protecting the information requested or as otherwise required by Georgia law as it may be amended.

Data Breach Notification Purposes. We may use or disclose your PHI to provide legally required notices of unauthorized access to or disclosure of your health information.

Law Enforcement. We may release medical information if asked to do so by a law enforcement official:

• in response to a court order, subpoena (after we attempt to notify you), warrant, summons, or similar process;

• to identify or locate a suspect, fugitive, material witness, or missing person;

• about the victim of a crime if, under certain limited circumstances, we are unable to obtain your agreement;

• about a death we believe may be the result of criminal conduct;

• about criminal conduct at our offices; and

• in emergency circumstances to report a crime; the location of a crime or victims; or the identity, description or location of the person who committed the crime.

Coroners, Medical Examiners and Funeral Directors. We may release medical information to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine cause of death. We may also release medical information about patients of our practice to funeral directors as necessary to carry out their duties.

National Security and Intelligence Activities.  We may release medical information about you to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.

Protective Services for the President and Others.  We may disclose medical information about you to authorized federal officials so they may provide protection to the President, other authorized persons or foreign heads of state or conduct special investigations.

Inmates. If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may disclose PHI to the correctional institution or law enforcement official if the disclosure is necessary (1) for the institution to provide you with health care; (2) to protect your health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution.

Business Associates. There are some services provided in our organization through contacts with business associates. Examples include physician services in the emergency department and radiology, certain laboratory tests, electronic medical record services. When these services are contracted, we may disclose your health information to our business associate so that they can perform the job we have asked them to do and bill you or your third-party payer for services rendered. To protect your health information, however, we require the business associate to appropriately safeguard your information.

YOUR RIGHTS REGARDING MEDICAL INFORMATION ABOUT YOU.  You have the following rights regarding medical information we maintain about you:

Your Health Information Rights

Although your health record is the physical property of Milan Eye Center, the information belongs to you. You have the right to:

• Obtain a paper copy of this notice of information practices upon request,

• Inspect and copy your health record as provided in 45 CFR 164.524,

• Amend your health record as provided in 45 CFR 164.528,

• Obtain an accounting of disclosures of your health information as provided in 45 CFR 164.528,

• Request communications of your health information by alternative means or at alternative locations,

• Request a restriction (opt-out) on certain uses and disclosures of your information for purposes such as marketing, fundraising, sales and research, as provided by 45 CFR 164.522, 501, 508(a), 508(b)(3). You may opt-out by calling or emailing our office with your request,

• Revoke your authorization to use or disclose health information except to the extent that action has already been taken,

• Be notified of a breach of unsecured PHI.

Right to Inspect and Copy.  You have the right to inspect and copy medical information that may be used to make decisions about your care. To inspect and copy medical information that may be used to make decisions about you, you must submit your request in writing to our Privacy Officer or designee. If you request a copy of the information, we may charge a fee for the costs of copying, mailing, or other supplies associated with your request. We may deny your request to inspect and copy in certain very limited circumstances. If you are denied access to medical information, you may request that the denial be reviewed if the denial is made for certain reasons. Another licensed health care professional chosen by our practice will review your request and the denial. The person conducting the review will not be the person who denied your request. We will comply with the outcome of the review.

Right to an Electronic Copy of Electronic Medical Records.  If your PHI is maintained in an electronic format (known as an electronic medical record or an electronic health record), you have the right to request that an electronic copy of your record be given to you or transmitted to another individual or entity. We will make every effort to provide access to your PHI in the form or format you request, if it is readily producible in such form or format. If the PHI is not readily producible in the form or format you request, your record will be provided in either our standard electronic format or, if you do not want this form or format, readable hard copy form. We may charge you a reasonable, cost-based fee for the labor associated with transmitting the electronic medical record.

Right to a Summary or Explanation.  We can also provide you with a summary of your PHI, rather than the entire record, or we can provide you with an explanation of the PHI which has been provided to you, so long as you agree to this alternative form and pay the associated fees.

Right to Amend.  If you feel that the medical information we have about you is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept by us for our practice. To request an amendment, your request must be made in writing or by email and submitted to our Privacy Officer or designee. In addition, you must provide a reason that supports your request. We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend information that:

• was not created by us, unless the person or entity that created the information is no longer available to make the amendment;

• is not part of the medical information kept by or for our practice;

• is not part of the information which you would be permitted to inspect and copy; or

• is accurate and complete.

Right to Request Restrictions.  You have the right to request a restriction or limitation on the medical information we use or disclose about you for treatment, payment or health care operations purposes. You may also request a limit on the medical information we disclose about you to someone who is involved in your care or the payment for your care, like a family member or friend. For example, you could ask that we not use or disclose information to your spouse. We are not required to agree to your request, unless you are asking us to restrict the use and disclosure of your PHI to a health plan for payment or health care operation purposes and such information you wish to restrict pertains solely to a health care item or service for which you have paid us out-of-pocket in full. If we do agree, we will comply with your request unless the information is needed to provide you emergency treatment.

To request restrictions, you must make your request in writing or by email to the Privacy Officer. In your request, you must tell us (1) what information you want to limit; (2) whether you want to limit our use, disclosure or both; and (3) to whom you want the limits to apply, for example, disclosure to your spouse.

Right to Request Confidential Communications. You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we only contact you at work, by mail or by email.

To request confidential communication, you must make your request in writing or by email to our Privacy Officer. We will not ask you the reason for your request. We will accommodate your request if it is reasonable. Your request must specify how, when or where you wish to be contacted.

Uses and Disclosures That Require Us to Give You an Opportunity to Object and Opt-Out

  Individuals Involved in Your Care or Payment for Your Care. Unless you object, we may disclose to a member of your family, a relative, a close friend or any other person you identify, your PHI that directly relates to that person’s involvement in your health care. If you are unable to agree or object to such a disclosure, we may disclose such information as necessary if we determine that it is in your best interest based on our professional judgment.

  Disaster Relief. We may disclose your PHI to disaster relief organizations that seek your PHI to coordinate your care or notify family and friends of your location or condition in a disaster. We will provide you with an opportunity to agree or object to such a disclosure whenever we practically can do so.

  Fundraising Activities. We may disclose your PHI, as necessary, in order to contact you for fundraising activities. You have the right to opt out of receiving fundraising communications.

  Marketing and Sales of PHI. The use of PHI for marketing purposes requires your authorization. Any sales of PHI must be authorized by you and information regarding remuneration will be disclosed.

CHANGES TO THIS NOTICE. We reserve the right to change this notice. We reserve the right to make the revised or changed notice effective for the medical information we already have about you as well as any information we receive in the future. We will post a copy of the current notice on our website and in our practice. This notice will contain the effective date on the first page.

OTHER USES OF MEDICAL INFORMATION. Other uses and disclosures of medical information not covered by this notice or the laws that apply to us will be made only with your written permission. If you provide us permission to use or disclose medical information about you, you may revoke that permission, in writing or by email, at any time. If you revoke your permission, we will no longer use or disclose medical information about you for the reason covered by your written authorization. You understand that we are unable to take back any disclosures we have already made with your permission, and that we are required to retain our record of the care we provided to you.