4. How We May Use and Disclose Protected Health Information About You
This section of our Notice tells how we may use PHI about you. We will protect PHI as much as we can under the law. Sometimes state law gives more protection to PHI than federal law. Sometimes federal law gives more protection than state law. In each case, we will apply the laws that protect PHI the most.
We are required to maintain the confidentiality of your PHI, and we have policies and procedures and other safeguards to help protect your PHI from improper use and disclosure. The following categories describe different ways that we use your PHI within Joint Academy and disclose your PHI to persons and entities outside of Joint Academy. We have not listed every use or disclosure within the categories below, but all of the ways that we are permitted to use and disclose PHI will fall within one of the following categories. In addition, there are some uses and disclosures that will require your specific authorization, which are described below as well.
How much PHI may legally be used or disclosed without your written permission will vary depending, for example, on the intended purpose of the use or disclosure. Sometimes we may only need to use or disclose a limited amount of PHI, such as to send you a reminder or to confirm your health insurance coverage. At other times, we may need to use or disclose more PHI such as when a doctor is providing medical treatment.
Below are examples of ways that we may disclose PHI about you without a written authorization from you.
- Disclosure at Your Request. If you ask us to send PHI about you to a third party such as a friend, family member, or healthcare provider, we will do so if we believe that your request is authentic. We may ask you to prove your identity before we honor this request. We may need up to 60 days to honor a request like this, depending on the data you want us to disclose, but in most cases we can honor this request in 30 or fewer days.
- Treatment. This is an important use and disclosure of your PHI. We may use and disclose your PHI to a physician or other health care provider to provide treatment and other services to you. For example, we may disclose your pain and physical function results to your physician so that she can monitor your results in our program.
- Payment. We may use and disclose your PHI to obtain payment for services that we provide to you. For example, we may make disclosures to claim and obtain payment from your health insurer, HMO, or other company that arranges or pays the cost of some or all of your health care (“Your Payor”) or to verify that Your Payor will pay for health care.
- Our Health Care Operations. We may use and disclose your PHI for our health care operations. Examples of our health care operations include improving the operation of our program, training clinical personnel, and legal, audit and other internal management functions. When we use your PHI for our health care operations, we are required to use only that which is necessary.
- Health Care Operations of Other Covered Entities. We are also permitted to share PHI about you with other covered entities for their health care operations (including, for example, your employer, health plan and certain service providers serving as the business associates of such entities). For example, we might share PHI about you with your health insurer when they are evaluating whether they have made the right types of arthritis programs available to you. Or, we might share PHI about you with your physician’s office so that she can demonstrate to the federal government that she has referred you to a arthritis program and how it is working for you. Any other covered entity in this example must have or have had a relationship with you. And, like our health care operations, any other covered entity may only seek from us PHI about you that is the minimum necessary for its purposes. Other examples include of another’s health care operations include, but are not limited to, using information about you to improve quality of care, quality assessment activities, disease management programs, patient satisfaction surveys, compiling health information, training, de-identifying PHI and benchmarking.
- Business Associates. Some services in our organization are provided through our contracts with business associates. Examples of business associates include accreditation agencies, management consultants, quality assurance reviewers, and billing and collection services, and secure cloud hosting of data, including PHI, that we are legally responsible for. We may disclose your PHI to our business associates so that they can perform the job we have asked them to do. To protect your PHI, we require our business associates to sign a contract or written agreement stating that they will appropriately safeguard your PHI and will use it only as we permit them to under that contract.
- Health-Related Products and Services. We may use and disclose your PHI to tell you about our health-related products or services that may be of interest to you. Communications with Family and Others When You Are Present. Sometimes a family member or other person involved in your care will be present when we are discussing your PHI with you. We may use or disclose your PHI to a family member, other relative, a close personal friend or any other person identified by you when you are present for, or otherwise available prior to, the disclosure, if we (1) obtain your agreement; (2) provide you with the opportunity to object to the disclosure and you do not object; or (3) reasonably infer that you do not object to the disclosure.
- Communications with Family and Others When You Are Not Present or Are Incapacitated. If you are not present, or the opportunity to agree or object to a use or disclosure cannot practicably be provided because of your incapacity or an emergency, we may exercise our professional judgment to determine whether a disclosure is in your best interest. If we disclose information to a family member, other relative, or a close personal friend, we would disclose only information that we believe is directly relevant to the person’s involvement with your health care or payment related to your health care. We may also disclose your PHI in order to notify (or assist in notifying) such persons of your location, general condition or death.
- Threat to Health or Safety. We may use and disclose your PHI when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat as determined by us in good faith.