GOBHI Notice of Privacy Practices

Policy Statement and Purpose

  1. GOBHI Members who are not inmates have a right to adequate notice of the uses and disclosures of their protected health information by GOBHI and its Contractors, of the Member's rights, and the legal duties of GOBHI with respect to protected health information.
  2. If GOBHI or Contractor has a direct treatment relationship with an individual, it must:
    1. Provide the notice:
      1. No later than the date of the first service delivery, including service delivered electronically, to such individual after the compliance date for the covered health care provider; or
      2. In an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation.
  3. Except in an emergency treatment situation, make a good faith effort to obtain a written acknowledgment of receipt of the notice, and if not obtained, document its good faith efforts to obtain such acknowledgment and the reason why the acknowledgment was not obtained;
  4. If GOBHI or Contractor maintains a physical service delivery site, it will:
    1. Have the notice available at the service delivery site for individuals to request to take with them; and
    2. Post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered health care provider to be able to read the notice; and
    3. Whenever the notice is revised, make the notice available upon request on or after the effective date of the revision.
  5. GOBHI and Contractor may provide its notice to a Member by e-mail, if the individual agrees to electronic notice and such agreement has not been withdrawn.
    1. If GOBHI or Contractor knows that the e-mail transmission has failed, a paper copy of the notice must be provided to the individual
    2. If the first service delivery to an individual is delivered electronically, GOBHI and Contractor will provide electronic notice automatically and contemporaneously in response to the Member's first request for service.
    3. The Member who is the recipient of electronic notice retains the right to obtain a paper copy of the notice from GOBHI or Contractor upon request.
  6. To implement a change in its notice, GOBHI and Contractor will:
    1. Ensure that a policy or procedure, as revised to reflect a change in GOBHI's or Contractor's privacy practice as stated in its notice, complies with the standards, requirements, and implementation specifications of the Privacy Rule;
    2. Document the policy or procedure; and
    3. Revise the notice to state the changed practice and make the revised notice available. GOBHI and Contractor may not implement a change to a policy or procedure prior to the effective date of the revised notice.

Procedures

  1. The Notices of Privacy Practices (NPP) will be written in plain language and will contain the elements required by 45 CFR 164.520. (See Exhibit A)
  2. GOBHI and Contractors will prominently post its NPP on its website and make it available electronically.
  3. The NPP will be distributed to GOBHI Members at enrollment and annually thereafter.
  4. Effectiveness Criteria
    1. The Notices of Privacy Practices for GOBHI and its Contractors is current and are posted on its website.

Exhibit A.

Required Content of Notice [45 C.F.R 164.520(b)]

  1. Required elements. The covered entity must provide a notice that is written in plain language and that contains the elements required by this paragraph.
    1. Header. The notice must contain the following statement as a header or otherwise prominently displayed: "This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully."
    2. Uses and disclosure. This notice must contain:
      1. A description, including at least one example, of the types of uses and disclosures that the covered entity is permitted to make for each of the following purposes: treatment, payment, and health care operations.
      2. A description of each of the other purposes for which the covered entity is permitted or required to use or disclose protected health information without the individual's written authorization.
      3. If a use or disclosure for any purpose described in paragraphs (b)(1)(ii)(A) or (B) of this section is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law as defined in 45 CFR 160.202.
      4. For each purpose described in paragraph (b)(1)(ii)(A) or (B) of this section, the description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by other applicable law.
      5. A statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such authorization as provided by 45 CFR 164.508(b)(5).
      6. A statement that if an individual has paid for services out-of-pocket, in full, and the individual requests that the healthcare provider not disclose PHI related solely to those services to a health plan, the healthcare provider must accommodate the individual's request, except where the healthcare provider must accommodate the individual's request, except where the healthcare provider is required by law to make a disclosure (45 C.F.R 164520(b)(1)(iv)(A)).
      7. A statement that uses and disclosures of PHI for marketing purposes and the sale of PHI require an individual's written authorization.
    3. Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) of this section must include a separate statement, as applicable, that:
      1. The covered entity may contact the individual to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to the individual;
      2. B. The covered entity may contact the individual to raise funds for the covered entity; or
    4. Individual rights. The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows:
      1. The right to request restrictions on certain uses and disclosures of protected health information as provided by 45 CFR 164.522(a), including a statement that the covered entity is not required to agree to a requested restriction;
      2. The right to receive confidential communications of protected health information as provided by 45 CFR 164.522(b), as applicable;
      3. The right to inspect and copy protected health information as provided by 45 CFR 164.524;
      4. The right to amend protected health information as provided by 45 CFR 164.526;
      5. The right to receive an accounting of disclosures of protected health information as provided by 45 CFR 164.528; and
      6. The right of an individual, including an individual who has agreed to receive the notice electronically, to obtain a paper copy of the notice from the covered entity upon request.
    5. Covered entity's duties. The notice must contain:
      1. A statement that the covered entity is required by law to maintain the privacy of protected health information and to provide individuals with notice of its legal duties and privacy practices with respect to protected health information;
      2. A statement that the covered entity is required to abide by the terms of the notice currently in effect; and
      3. For the covered entity to apply a change in a privacy practice that is described in the notice to protected health information that the covered entity created or received prior to issuing a revised notice, in accordance with 45 CFR 164.530(i)(2)(ii), a statement that it reserves the right to change the terms of its notice and to make the new notice provisions effective for all protected health information that it maintains. The statement must also describe how it will provide individuals with a revised notice.
      4. A statement that the covered entity is required to notify the patient of any breach of his or her unsecured PHI.
    6. Complaints. The notice must contain a statement that individuals may complain to the covered entity and to the Secretary if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint with the covered entity, and a statement that the individual will not be rtaliated against for filing a complaint.
    7. Contact. The notice must contain the name, or title, and telephone number of a person or office to contact for further information as required by 45 CFR 164.530(a)(1)(ii).
    8. Effective date. The notice must contain the date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published.
View PDF
send a message
teardrop-inline