18555 N 79TH Avenue
Suite B-108
Glendale, AZ  85308

Tel:  623-773-2848
Fax: 623-773-0370


Policies

Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Arizona Family Care respects your privacy. We understand that your personal health information is very sensitive. The law protects the privacy of the health information we create and obtain in providing care and services to you. Your protected health information includes your symptoms, test results, diagnoses, treatment, health information from other providers, and billing and payment information relating to these services.

We will not use or disclose your health information to others without your authorization, except as described in this Notice, or as required by law.

  1. Your health information rights.

    The health and billing records we create and store are the property of Arizona Family Care. The protected health information in them, however, generally belongs to you. You have a right to:

    • Receive, read, and ask questions about this Notice.
    • Request a restriction or limitation on the Protected Health Information we use or disclose for treatment, payment, or health care operations. You must deliver this request in writing to us. We are not required to grant the request unless the request is to restrict disclosure of your protected health information to a health plan for payment or health care operations regarding an item or service that you paid “out of pocket” in full. If we agree to this request, we may not disclose this Protected Health Information in violation of the agreed upon restriction except as needed to provide emergency services or as required by law.
    • Request and receive from us a paper copy of the most current Notice of Privacy Practices (“Notice”).
    • Request that you be allowed to see and get a copy of your protected health information. You may make this request in writing. We have a form available for this type of request.
    • Have us review a denial of access to your health information, except in certain circumstances.
    • Ask us to change your health information that is inaccurate or incomplete. You may give us this request in writing. You may write a statement of disagreement if your request is denied. It will be stored in your medical record, and included with any release of your records.
    • When you request, we will give you a list of certain disclosures of your health information. The list will not include disclosures for treatment, payment, or health care operations. You may receive this information without charge once every 12 months. We will notify you of the cost involved if you request this information more than once in 12 months.
    • Ask that your health information be given to you by another confidential means of communication or at another location. Please sign, date, and give us your request in writing.
    • Cancel prior authorizations to use or disclose health information by giving us a written revocation. Your revocation does not affect information that has already been released. It also does not affect any action taken before we receive the revocation. Sometimes, you cannot cancel an authorization if its purpose was to obtain insurance.
    • If you pay for services out of pocket you can request your information not be disclosed to your insurance company.
  2. Our responsibilities.

    We are required to:

    • Keep your protected health information private.
    • Give you this Notice.
    • Follow the terms of this Notice for as long as it is in effect.
    • Notify you if we become aware of a breach of your unsecured protected health information.

    We reserve the right to change our privacy practices and the terms of this Notice, and to make the new privacy practices and notice provisions effective for all of the protected health information we maintain. If we make material changes, we will update and make available to you the revised Notice upon request. You may receive the most recent copy of this notice by calling and asking for it, by visiting our office to pick one up, or by visiting our Web site, if we maintain one.

  3. To ask for help or complain

    If you have questions, want more information, or want to report a problem about the handling of your protected health information, you may contact:

    Practice Manager
    623-773-2848

    If you believe your privacy rights have been violated, you may discuss your concerns with any staff member. You may also deliver a written complaint to the Practice Manager at Arizona Family Care. You may also file a complaint with the Department of Health and Human Services Office for Civil Rights (OCR).

    We respect your right to file a complaint with us or with the OCR. If you complain, we will not retaliate against you.

  4. How we may use and disclose your protected health information.

    Under the law, we may use or disclose your protected health information under certain circumstances without your permission. The following categories describe the different ways we may use and disclose your protected health information without your permission. For each category, we will explain what we mean and give some examples. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose health information will fall within one of the categories.

    Below are examples of uses and disclosures of protected health information for treatment, payment, and health care operations.

    For treatment:

    • We may contact you to remind you about appointments.
    • We may use and disclose your health information to give you information about treatment alternatives or other health-related benefits and services.
    • Information obtained by a medical assistant, physician, or other member of our health care team will be recorded in your medical record and used by members of our health care team to help decide what care may be right for you.
    • We may also provide information to health care providers outside our practice who are providing you care or for a referral. This will help them stay informed about your care.

    For payment:

    • We request payment from your health insurance plan. Health plans need information from us about your medical care. Information provided to health plans may include your diagnoses, procedures performed, or recommended care.
    • We bill you or the person you tell us is responsible for paying for your care if it is not covered by your health insurance plan.

    For health care operations:

    • We may use and disclose medical records to review the qualifications and performance of our health care providers and to train our staff.
    • We may use and disclose your information to conduct or arrange for services, including:
      • Medical quality review by your health plan,
      • Accounting, legal, risk management, and insurance services; and
      • Audit functions, including fraud and abuse detection and compliance programs

    For fund-raising communications:

    • We may use certain demographic information and other health care service and health insurance status information about you to contact you to raise funds. If we contact you for fund-raising, we will also provide you with a way to opt out of receiving fund-raising requests in the future.

    Some of the other ways that we may use or disclose your protected health information without your authorization are as follows.

    • Required by law: We must make any disclosure required by state, federal, or local law.
    • Business Associates: We contract with individuals and entities to perform jobs for us or to provide certain types of services that may require them to create, maintain, use, and/or disclose your health information. We may disclose your health information to a business associate, but only after they agree in writing to safeguard your health information. Examples include billing services, accountants, and others who perform health care operations for us.
    • Notification of family and others: Unless you object, we may release health information about you to a friend or family member who is involved in your medical care. We may also give information to someone who helps pay for your care. We may tell your family or friends your condition and that you are in a hospital.
    • Public health and safety purposes: As permitted or required by law, we may disclose protected health information:
      • To prevent or reduce a serious, immediate threat to the health or safety of a person or the public.
      • To public health or legal authorities:
        • To protect public health and safety.
        • To prevent or control disease, injury, or disability.
        • To report vital statistics such as births or deaths.
        • To report suspected abuse or neglect to public authorities.
    • Research: We may disclose protected health information to researchers if the research has been approved by an institutional review board or a privacy board and there are policies to protect the privacy of your health information. We may also share information with medical researchers preparing to conduct a research project.
    • Coroners, medical examiners, and funeral directors: We may disclose protected health information to funeral directors and coroners consistent with applicable law to allow them to carry out their duties.
    • Organ-procurement organizations: Consistent with applicable law, we may disclose protected health information to organ-procurement organizations (tissue donation and transplant) or persons who obtain, store, or transplant organs.
    • Food and Drug Administration (FDA): For problems with food, supplements, and products, we may disclose protected health information to the FDA or entities subject to the jurisdiction of the FDA.
    • Workplace injury or illness: Arizona State law requires the disclosure of protected health information to the Department of Labor and Industries, the employer, and the payer (including a self-insured payer) for workers' compensation and for crime victims' claims. We also may disclose protected health information for work-related conditions that could affect employee health; for example, an employer may ask us to assess health risks on a job site.
    • Correctional institutions: If you are in jail or prison, we may disclose your protected health information as necessary for your health and the health and safety of others.
    • Law enforcement: We may disclose protected health information to law enforcement officials as required by law, such as reports of certain types of injuries or victims of a crime, or when we receive a warrant, subpoena, court order, or other legal process.
    • Government health and safety oversight activities: We may disclose protected health information to an oversight agency that may be conducting an investigation. For example, we may share health information with the Department of Health.
    • Disaster relief: We may share protected health information with disaster relief agencies to assist in notification of your condition to family or others.
    • Military, Veteran, and Department of State: We may disclose protected health information to the military authorities of U.S. and foreign military personnel; for example, the law may require us to provide information necessary to a military mission.
    • Lawsuits and disputes: We are permitted to disclose protected health information in the course of judicial/administrative proceedings at your request, or as directed by a subpoena or court order.
    • National Security: We are permitted to release protected health information to federal officials for national security purposes authorized by law.
    • De-identifying information: We may use your protected health information by removing any information that could be used to identify you.
  5. Uses and disclosures that require your authorization.
    Certain uses and disclosures of your health information require your written authorization. The following list contains the types of uses and disclosures that require your written authorization:

    • Psychotherapy Notes: If we record or maintain psychotherapy notes, we must obtain your authorization for most uses and disclosures of psychotherapy notes.
    • Marketing Communications: We must obtain your authorization to use or disclose your health information for marketing purposes other than for face-to-face communications with you, promotional gifts of nominal value, and communications with you related to currently prescribed drugs, such as refill reminders.
    • Sale of Health Information: Disclosures that constitute a sale of your health information require your authorization.

    In addition, other uses and disclosures of your health information that are not described in this Notice will be made only with your written authorization. You have the right to cancel prior authorizations for these uses and disclosures of your health information by giving us a written revocation. Your revocation does not affect information that has already been released. It also does not affect any action taken before we receive the revocation. Sometimes, you cannot cancel an authorization if its purpose was to obtain insurance.

  6. Web site

    We have a Web site that provides information about us. For your benefit, this Notice is on the Web site at the following address: www.azfamilycare.com

  7. Effective date

    This Notice is effective as of July 10, 2015


Terms and Conditions

Arizona Family Care, PLLC, disclaims all responsibilities, whether implied or expressed, for the information contained in this website. We have made every effort to provide you with the most accurate content in this website. However, any use of this information is at your own discretion and should not substitute for a visit with your family physician.


Notification of Breach of Unsecured Protected Health Information-Policy & Procedures

Purpose: To provide a process for notifying individuals, the media, and the Secretary of Health & Human Services (HHS) of a breach of unsecured Protected Health Information (PHI) as required by law.

Policy:

  1. Individuals must be notified when their unsecured PHI is acquired, accessed, used, or disclosed in a manner not permitted under the Privacy Rule unless an objective risk assessment demonstrates a low probability that the privacy or security of PHI was compromised ("breach").
  2. Notice will be provided without unreasonable delay, but in any case not later than 60 calendar days from the date of discovery of the breach.
  3. Direct written notice will be sent to the last known address of each individual whose PHI was breached by first class mail unless the individual agrees to electronic notice, in which case notice may be provided by e-mail. If it is known that the individual is deceased, the notice shall be sent to the next of kin or personal representative if that person's address is known.
  4. If the contact information for one or more individuals is insufficient or out of date and the direct written notice is not possible or is unsuccessful, either update the contact information and provide direct written notice or provide substitute notice as described below. Alternative forms of substitute notice will be provided depending on the number of individuals to be notified and whether the unsecured PHI includes "personal information" as defined by Arizona law.
    • If the unsecured PHI does not include the first name or initial and last name of the individual and one of the following: the individual's social security number, the driver's license number or Arizona identification card number, or account number or credit or debit card number in combination with any required security code, access code, or password ("personal information"), then if there is insufficient or out-of-date contact information preventing written notice by first class mail to 10 or fewer individuals, notice will be provided by an alternative form of notice such as telephone. If there is insufficient or out-of-date contact information for more than 10 individuals, substitute notice will be provided by either posting notice on Arizona Family Care’s Web site for 90 days or by notice in a major print or broadcast media, with a toll-free number active for at least 90 days for a person to call to learn whether his or her unsecured PHI was included in the breach.
    • If the unsecured PHI includes personal information, then if there is insufficient or out-of-date contact information, notice will be provided by doing all of the following: e-mailing the notice if an e-mail address is available, posting the notice on Arizona Family Care’s Web site for 90 days, and notification to major statewide media, with a toll-free number active for at least 90 days.
  5. If the breach involves more than 500 individuals, notice must be provided directly to prominent media outlets in Arizona and to the Secretary of HHS. If the breach involves fewer than 500 individuals, the breach must be recorded in a log that is maintained to account for all other breaches, and notice must be provided to the Secretary of HHS annually.
  6. Business Associates of Arizona Family Care are required to notify Arizona Family Care of any breach without unreasonable delay and to the extent possible to identify the individuals whose unsecured PHI is involved.
  7. Notification may be delayed if a law enforcement official states to Arizona Family Care that notification would impede a criminal investigation.

Responsible Party:
Practice Manager and Members

Other Responsible Party:
All staff must have sufficient understanding of the Privacy Rule, "unsecured PHI" and "breach" to report potential situations in which unsecured PHI is acquired, accessed, used, or disclosed in a manner not permitted under the Privacy Rule.

Procedure

  1. Identify an acquisition, access, use, or disclosure of PHI not permitted by the Privacy Rule.
  2. Promptly report to Arizona Family Care’s Privacy and/or Security Official if PHI is acquired, accessed, used, or disclosed in a manner not permitted under the Privacy Rule.
    • HIPAA Privacy and Security Training will include this policy and training regarding timely reporting of breaches of unsecured PHI.
  3. Investigate the reported incident to determine whether there has been a breach of unsecured PHI that requires notification under HIPAA.[1]
    • Violation of the Security Rule does not in itself constitute a potential breach.
    • A breach does not include:
      • Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of Arizona Family Care made in good faith and within the person's scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule.
      • Any inadvertent disclosure by a person who is authorized to access PHI at Arizona Family Care or another person authorized to access PHI at Arizona Family Care, or organized health care arrangement (OHCA) in which Arizona Family Care participates, and the PHI received is not further used or disclosed in a manner not permitted under the Privacy Rule.
      • A disclosure of PHI where Arizona Family Care has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
    • If the incident falls within any of the 3 exceptions listed above, document the determination. No further action is required. If the incident does not fall within any of these 3 exceptions, continue this procedure.
    • Conduct an objective risk assessment to determine if there is a low probability that the privacy or security of PHI has been compromised using at least the following 4 factors:
      • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
      • The unauthorized person who used the PHI or to whom the disclosure was made;
      • Whether the PHI was actually acquired or viewed; and
      • The extent to which the risk to the PHI has been

    Based upon the circumstances of the impermissible acquisition, access, use, or disclosure, additional factors may need to be considered to appropriately assess the risk that PHI has been compromised.

  4. Document the risk assessment and whether it demonstrates a low probability that the privacy or security of PHI was compromised. If a low probability of compromise is demonstrated, no further action is required. If a low probability of compromise is not demonstrated, a breach of PHI has occurred; continue this procedure to determine whether a breach of unsecured PHI has occurred and make the required notifications.
  5. Assess whether the PHI was "unsecured PHI." "Unsecured PHI" is PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of HHS.[2] Encrypted PHI is not unsecured PHI. However, unsecured PHI may be in any form or medium, including paper or oral, neither of which may be encrypted. The remaining steps in the procedure apply only to "unsecured PHI."
  6. If there has been a breach of unsecured PHI, prepare a notice in plain language that includes:
    • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
    • A description of the types of unsecured PHI that were involved in the breach (such as whether full name, social security number, date of birth, etc., were involved), but do not include the actual PHI.
    • Any steps the individuals should take to protect themselves from potential harm resulting from the breach.[3]
    • A brief description of what Arizona Family Care is doing to investigate the breach, mitigate the harm to individuals, and protect against further breaches.
    • Contact information if the individuals have questions or want to learn more: either a toll-free telephone number, an e-mail address, Web site, or postal address.
  7. Send the notice via first class mail to the last known address of individuals whose unsecured PHI was accessed, acquired, used, or disclosed in a manner not permissible under the Privacy Rule without unreasonable delay, but no later than 60 days following its discovery. The notice may be sent by electronic mail if the individual agrees to electronic notice and such agreement has not been withdrawn. If an individual is deceased, mail the notice to the individual's next of kin or personal representative, if that person's address is known.
  8. If the contact information for one or more individuals is insufficient or out-of-date and the direct written notice is not possible or is unsuccessful, either update the contact information and provide direct written notice, or provide substitute notice as follows. Determine whether the PHI includes the first name or initial and last name of the individual and one of the following: the individual's social security number, driver's license number or Arizona identification card number, or account number or credit or debit card number in combination with any required security code, access code, or password.
    • If the PHI does not include such information:
      • For fewer than 10 individuals involved, provide the notice by telephone or other means.
      • For 10 or more individuals, provide the notice by either:
        • Conspicuously posting the notice for 90 days on the home page of Arizona Family Care’s Web site; or
        • Providing notice in major print or broadcast media where the individuals reside and including a toll-free phone number that remains active for at least 90 days, so individuals can call to learn whether their unsecured PHI was involved in the breach.
    • If the PHI includes the first name or initial and last name of the individual and one of the following (the individual's social security number, driver's license number or Arizona identification card number, or account number or credit or debit card number in combination with any required security code, access code, or password), then:
      • E-mail notice if an e-mail address is available,
      • Conspicuously post the notice on the home page of Arizona Family Care’s Web site for 90 days, and
      • Post the notice in major print or broadcast media where the individuals reside and include a toll-free phone number that remains active for at least 90 days.
  9. If the breach involves more than 500 individuals, provide the notice to prominent media outlets and to the Secretary of HHS in the manner specified on the HHS Web site. The HHS Office for Civil Rights has posted a form for covered entities to use to provide notice to the Secretary of HHS of a breach of unsecured PHI, which can be found at http://ocrnotifications.hhs.gov/.
  10. For breaches that involve fewer than 500 individuals, record the breach in the Accounting Log for Breaches of Unsecured Protected Health Information, attach a copy of the notice given to the individual, and provide notification annually to the Secretary of HHS within 60 days after the end of the calendar year for breaches discovered during the immediately preceding calendar year, in the manner specified and using the form posted on the HHS Web site.

References:

45 CFR Section 164, subpart D; RCW 19.255.010

  1. Arizona law requires businesses to promptly notify individuals whose computerized personal information (an individual's first name or initial, last name and SSN, driver's license number, state ID card number, or account or bank card number) is reasonably believed to have been obtained by an unauthorized person (RCW 19.255.010).
  2. "Unsecured PHI" means PHI that is not secured through the use of a technology or methodology specified by the Secretary of HHS. In guidance issued by the Department of HHS on April 17, 2009, unsecured PHI is defined as PHI that is not encrypted or destroyed according to National Institute of Standards and Technology ("NIST") standards (74 Fed. Reg. 19006 [published April 27, 2009]). The guidance is available at the HHS Web site at http://www.hhs.gov/ocr/privacy/. The specific description (at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html) is: "Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals only if one or more of the following applies:
    (a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by 'the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key and such confidential process or key that might enable decryption has not been breached.' To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.
      (i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
      (ii) Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.
    (b) The media on which the PHI is stored or recorded has been destroyed in one of the following ways:
      (i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.
      (ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved."
  3. The Federal Trade Commission Web site provides information on how to protect against identity theft and can be found at: www.consumer.ftc.gov/features/feature-0015-identity-theft-resources.

Policy Effective Date: September
