HIPAA Policy

Palo Alto Dermatology Institute
Privacy Official: Darien Whang 650-969-5600
Effective Date: February 25, 2025

THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY AND ASK ANY QUESTIONS YOU MAY HAVE.

We, at Palo Alto Dermatology Institute, understand and acknowledge the importance of privacy and are committed to maintaining the confidentiality of your Protected Health Information (PHI). We produce a record of the medical care we provide to you and may receive such records from others involved with your care. We use these records to provide or enable other health care providers to provide quality medical care, to obtain payment for services provided to you as allowed by your health plan and to enable us to meet our professional and legal obligations to operate this medical practice properly.

We are required by law to maintain the privacy of PHI, to provide individuals with notice of our legal duties and privacy practices with respect to PHI, and to notify affected individuals following a breach of unsecured PHI. We must follow the privacy practices that are described in this Notice while it is in effect. This Notice takes effect 02/25/2025, and will remain in effect until we replace it.

We reserve the right to change our privacy practices and the terms of this Notice at any time, provided such changes are permitted by applicable law, and to make new Notice provisions effective for all PHI that we maintain. When we make a significant change in our privacy practices, we will change this Notice and post the new Notice clearly and prominently at our practice location, and we will provide copies of the new Notice upon request.

You may request a copy of our Notice at any time. For more information about our privacy practices, or for additional copies of this Notice, or any questions you may have, please contact us using the information listed at the end of this Notice.

HOW WE MAY USE AND DISCLOSE HEALTH INFORMATION ABOUT YOU

We may use and disclose your PHI for different purposes, including treatment, payment, and health care operations. For each of these categories, we have provided a description and an example. Your original medical chart/record is the property of this practice; however, the information contained in the chart belongs to you. The HIPAA regulation gives us legal permission to use and disclose your information for specific purposes. Some information, such as HIV-related information, genetic information, alcohol and/or substance abuse records, and mental health records may be entitled to special confidentiality protections under applicable state or federal law. We will abide by these special protections as they pertain to applicable cases involving these types of records.

Treatment. We may use and disclose your PHI for your treatment. For example, we may disclose your PHI to a specialist providing treatment to you.

Payment. We may use and disclose your PHI to obtain reimbursement for the treatment and services you receive from us, or another entity involved with your care. Payment activities include billing, collections, claims management, and determinations of eligibility and coverage to obtain payment from you, an insurance company, or another third party. For example, we may send claims to your dental health plan containing certain PHI.

Healthcare Operations. We may use and disclose your PHI in connection with our healthcare operations. For example, healthcare operations include quality assessment and improvement activities, conducting training programs, and licensing activities.

Individuals Involved in Your Care or Payment for Your Care. We may disclose your PHI to your family or friends, or any other individual identified by you when they are involved in your care or in the payment for your care. Additionally, we may disclose information about you to a patient representative. If a person has the authority by law to make health care decisions for you, we will treat that patient representative the same way we would treat you with respect to your PHI.

Appointment Reminders. We may use and disclose your medical information to contact and remind you about appointments. If you are not home, we may email you, leave this information on your voice mail, or in a message left with the person answering the phone.

Sign-in Sheet. We may use and disclose medical information about you by having you sign in when you arrive at our office. We may also call out your name when we are ready to see you. 

Notification and Communication with Family. We may disclose your health information to notify or assist in notifying a family member, your personal representative, or another person responsible for your care about your location, your general condition or, unless you had instructed us otherwise, in the event of your death. In the event of a disaster, we may disclose information to a relief organization so that they may coordinate these notification efforts. We may also disclose information to someone who is involved with your care or helps pay for your care. If you are able and available to agree or object, we will give you the opportunity to object prior to making these disclosures, although we may disclose this information in a disaster even over your objection if we believe it is necessary to respond to the emergency circumstances. If you are unable or unavailable to agree or object, our health professionals will use their best judgment in communication with your family and others.

Marketing. Provided we do not receive any payment for making these communications, we may contact you to encourage you to purchase or use products or services related to your treatment, case management or care coordination, or to direct or recommend other treatments, therapies, health care providers or settings of care that may be of interest to you. We may similarly describe products or services provided by this practice and tell you which health plans we participate in. We may receive financial compensation to talk with you face-to-face, to provide you with small promotional gifts, or to cover our cost of reminding you to take and refill your medication or otherwise communicate about a drug or biologic that is currently prescribed for you, but only if you either: (1) have a chronic and seriously debilitating or life-threatening condition and the communication is made to educate or advise you about treatment options and otherwise maintain adherence to a prescribed course of treatment, or (2) you are a current health plan enrollee and the communication is limited to the availability of more cost-effective pharmaceuticals. If we make these communications while you have a chronic and seriously debilitating or life-threatening condition, we will provide notice of the following in at least 14-point type: (1) the fact and source of the remuneration; and (2) your right to opt-out of future remunerated communications by calling the communicator’s toll-free number. We will not otherwise use or disclose your medical information for marketing purposes or accept any payment for other marketing communications without your prior written authorization. The authorization will disclose whether we receive any financial compensation for any marketing activity you authorize, and we will stop any future marketing activity to the extent you revoke that authorization.

Sale of Health Information. We will not sell your health information without your prior written authorization. The authorization will disclose that we will receive compensation for your health information if you authorize us to sell it, and we will stop any future sales of your information to the extent that you revoke that authorization.

Disaster Relief. We may use or disclose your PHI to assist in disaster relief efforts.

Required by Law. We may use or disclose your PHI when we are required to do so by law. 

Public Health Activities. We may disclose your PHI for public health activities, including disclosures to:

  • Prevent or control disease, injury, or disability;
  • Report child abuse or neglect;
  • Report reactions to medications or problems with products or devices;
  • Notify a person of a recall, repair, or replacement of products or devices;
  • Notify a person who may have been exposed to a disease or condition; or
  • Notify the appropriate government authority if we believe a patient has been the victim of abuse, neglect, or domestic violence.

Public Safety. We may, and are sometimes required by law to, disclose your health information to appropriate persons in order to prevent or lessen a serious and imminent threat to the health or safety of a particular person or the general public. We may disclose your health information for military or national security purposes or to correctional institutions or law enforcement officers that have you in their lawful custody.

National Security. We may disclose to military authorities the PHI of Armed Forces personnel under certain circumstances. We may disclose to authorized federal officials PHI required for lawful intelligence, counterintelligence, and other national security activities. We may disclose to a correctional institution or law enforcement official having lawful custody the PHI of an inmate or patient.

Law Enforcement. We may, and are sometimes required by law to, disclose your health information to a law enforcement official for purposes such as identifying or locating a suspect, fugitive, material witness or missing person, complying with a court order, warrant, grand jury subpoena and other law enforcement purposes.

Secretary of HHS. We will disclose your PHI to the Secretary of the U.S. Department of Health and Human Services when required to investigate or determine compliance with HIPAA.

Organ or Tissue Donation. We may disclose your health information to organizations involved in procuring, banking or transplanting organs and tissues. 

Worker’s Compensation. We may disclose your PHI to the extent authorized by and to the extent necessary to comply with laws relating to worker’s compensation or other similar programs established by law.

Breach Notification. In the case of a breach of unsecured protected health information, we will notify you as required by law. If you have provided us with a current email address, we may use email to communicate information related to the breach. In some circumstances our business associate may provide the notification. We may also provide notification by other methods as appropriate. [Note: Only use email notification if you are certain it will not contain PHI and it will not disclose inappropriate information. For example, if your email address is “maryjones@gmail.com”, an email sent with this address could, if intercepted, identify the patient and their condition.]

Change of Ownership. In the event that this medical practice is sold or merged with another organization, your health information/record will become the property of the new owner, although you will maintain the right to request that copies of your health information be transferred to another physician or medical group.

Law Enforcement. We may disclose your PHI for law enforcement purposes as permitted by HIPAA, as required by law, or in response to a subpoena or court order.

Health Oversight Activities. We may disclose your PHI to an oversight agency for activities authorized by law. These oversight activities include audits, investigations, inspections, and credentialing, as necessary for licensure and for the government to monitor the health care system, government programs, and compliance with civil rights laws.

Judicial and Administrative Proceedings. If you are involved in a lawsuit or a dispute, we may disclose your PHI in response to a court or administrative order. We may also disclose PHI about you in response to a subpoena, discovery request, or other lawful process instituted by someone else involved in the dispute, but only if efforts have been made, either by the requesting party or us, to tell you about the request or to obtain an order protecting the information requested. 

Research. We may disclose your PHI to researchers when their research has been approved by an institutional review board or privacy board that has reviewed the research proposal and established protocols to ensure the privacy of your information.

Coroners, Medical Examiners, and Funeral Directors. We may release your PHI to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also disclose PHI to funeral directors consistent with applicable law to enable them to carry out their duties.

Fundraising. We may contact you to provide you with information about our sponsored activities, including fundraising programs, as permitted by applicable law. If you do not wish to receive such information from us, you may opt out of receiving the communications.

Other Uses and Disclosures of PHI

Your authorization is required, with a few exceptions, for disclosure of psychotherapy notes, use or disclosure of PHI for marketing, and for the sale of PHI. We will also obtain your written authorization before using or disclosing your PHI for purposes other than those provided for in this Notice (or as otherwise permitted or required by law). You may revoke authorization in writing at any time. Upon receipt of the written revocation, we will stop using or disclosing your PHI, except to the extent that we have already acted in reliance on the authorization.

Where We May Not Use or Disclose Your PHI

Except as described in this Notice of Privacy Practices, this medical practice will, consistent with its legal obligations, not use or disclose health information which identifies you without your written authorization. If you do authorize this medical practice to use or disclose your health information for another purpose, you may revoke your authorization in writing at any time.

Changes to this Notice of Privacy Practices

We reserve the right to amend our privacy practices and the terms of this Notice of Privacy Practices at any time in the future. Until such amendment is made, we are required by law to comply with this Notice. After an amendment is made, the revised Notice of Privacy Protections will apply to all protected health information that we maintain, regardless of when it was created or received. We will keep a copy of the current notice posted in our reception area, and a copy will be available at each appointment. We will also post the current notice on our website.

Your Health Information Rights

Access. You have the right to look at or get copies of your PHI, with limited exceptions. You must make the request in writing. You may obtain a form to request access by using the contact information listed at the end of this Notice. You may also request access by sending us a letter to the address at the end of this Notice. If you request information that we maintain on paper, we may provide photocopies. If you request information that we maintain electronically, you have the right to an electronic copy. We will use the form and format you request if readily producible. We will charge you a reasonable cost-based fee for the cost of supplies and labor of copying, and for postage if you want copies mailed to you. Contact us using the information listed at the end of this Notice for an explanation of our fee structure.

If you are denied a request for access, you have the right to have the denial reviewed in accordance with the requirements of applicable law.

Disclosure Accounting. With the exception of certain disclosures, you have the right to receive an accounting of disclosures of your PHI in accordance with applicable laws and regulations. To request an accounting of disclosures of your PHI, you must submit your request in writing to the Privacy Official. If you request this accounting more than once in a 12-month period, we may charge you a reasonable, cost-based fee for responding to the additional requests.

Right to Request a Restriction. You have the right to request additional restrictions on our use or disclosure of your PHI by submitting a written request to the Privacy Official. Your written request must include (1) what information you want to limit, (2) whether you want to limit our use, disclosure, or both, and (3) to whom you want the limits to apply. We are not required to agree to your request except in the case where the disclosure is to a health plan for purposes of carrying out payment or health care operations, and the information pertains solely to a health care item or service for which you, or a person on your behalf (other than the health plan), has paid our practice in full.

Alternative Communication. You have the right to request that we communicate with you about your PHI by alternative means or at alternative locations. You must make your request in writing. Your request must specify the alternative means or location, and provide satisfactory explanation of how payments will be handled under the alternative means or location you request. We will accommodate all reasonable requests. However, if we are unable to contact you using the ways or locations you have requested we may contact you using the information we have.

Amendment. You have the right to request that we amend your PHI. Your request must be in writing, and it must explain why the information should be amended. We may deny your request under certain circumstances. If we agree to your request, we will amend your record(s) and notify you of such. If we deny your request for an amendment, we will provide you with a written explanation of why we denied it and explain your rights.

Right to Notification of a Breach. You will receive notifications of breaches of your unsecured PHI as required by law.

Electronic Notice. You may receive a paper copy of this Notice upon request, even if you have agreed to receive this Notice electronically on our Web site or by electronic mail (e-mail).

Questions and Complaints

If you want more information about our privacy practices or have questions or concerns, please contact us.

If you are concerned that we may have violated your privacy rights, or if you disagree with a decision we made about access to your PHI or in response to a request you made to amend or restrict the use or disclosure of your PHI or to have us communicate with you by alternative means or at alternative locations, you may complain to us using the contact information listed at the end of this Notice. You also may submit a written complaint to the U.S. Department of Health and Human Services. We will provide you with the address to file your complaint with the U.S. Department of Health and Human Services upon request.

Region IX
Office of Civil Rights
U.S. Department of Health & Human Services
90 7th Street, Suite 4-100
San Francisco, CA 94103
(415) 437-8310; (415) 437-8311 (TDD)
(415) 437-8329 (fax)
OCRMail@hhs.gov

The complaint form may be found at:

www.hhs.gov/ocr/privacy/hipaa/complaints/hipcomplaint.pdf. You will not be penalized in any way for filing a complaint.

We support your right to the privacy of your PHI. We will not retaliate in any way if you choose to file a complaint with us or with the U.S. Department of Health and Human Services.

By the Authority of: Darien Whang

Title: Privacy Officer

Email address: darien@paloaltoderm.com