Alverno Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

OUR PLEDGE REGARDING PHI

Alverno Laboratories (“Alverno,” “we” or “us”) understand that medical information about you and your health is personal. We are committed to protecting your protected health information (“PHI”). We create a record of the care and services you receive from us. We need this record to provide you with quality care and to comply with certain legal requirements. This notice applies to all of the records of your care created, received or maintained by us. Other health care providers may have different policies or notices regarding use and disclosure of your PHI.

This notice will tell you about the ways in which we protect, use and disclose your PHI. This notice also describes your rights and certain obligations we have regarding the use and disclosure of PHI.

“PHI” means any information, transmitted or maintained in any form or medium, which we create or receive that relates to your physical or mental health, the delivery of health care services to you, or payment for health care services, and that identifies you or could be used to identify you.

We are required by law to:
■ Make sure that PHI is kept private;
■ Give you this notice of our legal duties and privacy practices with respect to PHI about you; and
■ Follow the terms of the notice that are currently in effect.

The following paragraphs describe examples of ways we may use and disclose PHI:

USE FOR TREATMENT, PAYMENT OR HEALTH CARE OPERATIONS

■ For Treatment. We may use PHI about you to provide, coordinate or manage your medical treatment and related services. We may disclose PHI about you to doctors, nurses, hospitals, clinics and other health care providers who are involved in taking care of you. Our various departments also may share PHI about you in order to coordinate your medical treatment and related services. For example, we may disclose PHI about you to people outside Alverno, such as other health care providers involved in providing medical treatment to ensure that the health care provider has appropriate information regarding your previous treatments and diagnoses.

■ For Payment. We may use and disclose PHI about you so that the services and items you receive from us, or other health care providers from whom you receive treatment, may be billed to, and payment may be collected from, you, an insurance company, or a third party payor. For example, we may need to give your insurance company information about the services or items you received fromus so your insurance company will pay us or reimburse you for your services or items. We may also tell your insurance company about a service or item you are going to receive to obtain prior approval or to determine whether your plan will cover the service or item. We will not share treatment information with your insurance company or another third party payor when you pay out of pocket for the treatment.

■ For Health Care Operations. We may use and disclose PHI about you to carry out health care operations. These are activities that are necessary to operate our facilities and for administrative and quality assurance purposes. They include, for example: conducting quality assessment and improvement activities; reviewing the qualifications and performance of health care providers; training and performing accreditation, certification, or licensing activities; and managing our business and performing general administrative activities.

OTHER USES AND DISCLOSURES OF PHI

Listed below are a number of other ways that PHI can be used or disclosed. This list is not exhaustive. Therefore, not every use or disclosure in a category is listed.

■ Business Associates. We obtain some services provided through contracts with business associates in which PHI is disclosed. For example, we may use a third party for billing and collections, document destruction, software support and quality assurance. At times, we may disclose your PHI to our business associates so that the business associates can provide services to, or on behalf of, us. We will require that any business associate who receives your PHI appropriately safeguards your PHI through a written business associate agreement. If our business associate discloses the PHI to its own subcontractor, it must enter into a similar agreement with the subcontractor regarding your PHI as we have with it.

■ Individuals Involved in Your Care or Payment for Your Care. We may release PHI about you to a friend or family member who is involved in your medical care or who helps pay for your care. In addition, we may disclose PHI about you to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status and location. You have the right to object to such disclosure, unless you are unable to function or there is an emergency.

■ As Required By Law. We may use and disclose PHI about you when required to do so by federal, state, or local law.

■ Law Enforcement / Legal Proceedings. We may release PHI if asked to do so by a law enforcement official as required by law or in response to a court or administrative order. We may disclose PHI about you in response to a subpoena, discovery request or other lawful process by someone else involved in a dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested.

■ Public Health Risks. We may disclose PHI about you for public health activities required by federal and state law. These activities generally include the following:

• Prevent or control disease, injury, or disability
• Report births and deaths
• Report abuse, neglect or domestic violence
• Report reactions to medications or problems with products
• Help with recalls of products

■ Coroners, Medical Examiners, and Funeral Directors. We may release PHI to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also release PHI to funeral directors as necessary to carry out their duties.

■ Research. Under certain circumstances, we may use and disclose PHI about you for research purposes. For example, a research project may involve comparing the laboratory test results of all patients who received one medication to those who received another for the same condition. All research projects, however, are subject to a special approval process. This process evaluates a proposed research project and its use of PHI, balancing the research needs with patients’ need for privacy of their PHI. Before we use or disclose PHI for research, the project will have been approved through this research approval process.

■ To Avert a Serious Threat to Health or Safety. We may use and disclose PHI about you when necessary to prevent a serious threat to your health or safety or the health or safety of the public or another person.

■ Military. If you are a member of the armed forces, we may release PHI about you as required by military command authorities.

■ About a Decedent. In the event of your death, disclosures about you (the decedent) can be made to family members or others involved in your care or payment for your care prior to your death unless inconsistent with your prior expressed preferences that are known to us. Disclosures may also be made to your personal representative.

■ Health-Related Benefits and Services. We may use and disclose PHI to tell you about health-related benefits or services that may be of interest to you.

Additional State and Federal Requirements: Some state and federal laws provide additional privacy protection of your health information. These include:

■ Sensitive Information. Some types of health information are particularly sensitive, and the law, with limited exceptions, may require that we obtain your written permission or in some instances, a court order, to use or disclose that information. Sensitive health information includes information dealing with genetics, HIV/AIDS, mental health, sexual assault and alcohol and substance abuse.

■ Information Used in Certain Disciplinary Proceedings. State law may require your written permission if certain health information is to be used in various review and disciplinary proceedings by state health oversight boards.

■ Information Used in Certain Litigation Proceedings. State law may require your written permission for us to disclose information in certain legal proceedings.

■ Disclosures to Certain Registries. Some laws require your written permission if we disclose your health information to certain state-sponsored registries.

YOUR RIGHTS REGARDING YOUR PHI AND HOW TO EXERCISE THEM

You have the following rights regarding PHI we maintain about you:

■ Right to Inspect and Copy. You have the right to inspect and copy PHI maintained by us. Copies may be made available either in paper or electronic format. Usually, this includes medical and billing records, but does not include psychotherapy notes or information prepared in anticipation of or for use in a civil, criminal or administrative action. Under certain circumstances, you also do not have a right of access to information created or obtained in the course of research involving treatment or received from someone other than a health care provider under a promise of confidentiality.

To inspect and/or obtain copies of your PHI maintained by us, you must submit your request in writing to our Privacy Officer, at the address listed below. If you request a copy of the information, we may charge a fee for the costs of copying, mailing, or other expenses associated with your request, consistent with federal and state law.

We may deny your request to inspect and copy your PHI for the reasons set forth above or under certain other limited circumstances. If you are denied access to PHI other than for a reason stated above, you will receive a written denial. You may request that the denial be reviewed. Thereafter, a licensed health care professional chosen by us will review your request and the denial. The person conducting the review will not be the person who originally denied your request. We will comply with the outcome of the review.

You may request that we transmit a copy of your PHI to another person. To do so you must request this in writing, you must sign the request, and it must clearly identify the designated person and where to send the copy of the PHI.

■ Right to Amend. If you feel that PHI we have about you is incorrect or incomplete, you may ask us to amend the PHI we have about you. You have the right to request an amendment for as long as the information is kept by or for us.

To request an amendment, your request must be made in writing and submitted to our Privacy Officer. In addition, you must provide a reason that supports your request. We will generally make a decision regarding your request for amendment no later than sixty (60) days after receipt of your request. However, if we are unable to act on the request within this time, we may extend the time for thirty (30) more days but we will provide you with a written notice of the reason for the delay and the approximate time for completion. If we deny your requested amendment, we will provide you with a written denial.

We may deny your request for an amendment if it is not in writing or does not include a reason to support the request.

In addition, we may deny your request if you ask us to amend PHI that:

• Was not created by us, unless the person or entity that created the information is no longer available to make the amendment;

• Is not part of the PHI kept by or for us;

• Is not part of the PHI which you would be permitted to inspect and copy; or

• Is already accurate and complete.

■ Right to an Accounting of Disclosures. You have the right to request an “Accounting of Disclosures.” This is a list of the disclosures we made of PHI about you. Your “Accounting of Disclosures” will not, however, list certain uses and disclosures that are exempted from the accounting requirement by federal or state law, such as those made pursuant to a prior authorization by you or for certain law enforcement purposes. To request this list or accounting of disclosures, you must submit your request in writing to our Privacy Officer. Your request must state a time period that may not be longer than six years and may not include dates before April 14, 2003. Your request should indicate in what form you want the list (for example, on paper or electronically). The first list you request within a 12-month period will be free. For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred.

■ Right to Receive Notice of Breach. We will notify you in the event we become aware of a breach of your unsecured PHI. An acquisition, access, use or disclosure of your PHI in a manner not permitted is presumed to be a breach unless we are able to demonstrate that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:

(1) The nature and extent of the PHI involved, including the types of identifiers and the likelihood of identification.
(2) The unauthorized person who used the PHI or to whom the disclosure was made.
(3) Whether the PHI was actually acquired or viewed.
(4) The extent to which the risk to the PHI has been mitigated.

■ Right to Request Restrictions. You have the right to request restrictions on how we use and/or disclose your PHI to carry out treatment, payment or health care operations. You also have the right to request restrictions on the PHI we disclose about you to someone who is involved in your care or the payment for your care, like a family member or friend.

With the exception of disclosures to health plans for purposes of payment or health care operations that are not otherwise required by law for items or services paid in full, we are not required to agree to your request. If we do agree, we will comply with your request unless the information is needed to provide you emergency treatment.

We may terminate a restriction if you agree to or request a termination in writing, if you orally agree to the termination and the oral agreement is documented, or if we inform you that we are terminating the agreement to a restriction, except that such termination is not effective for PHI restricted as provided in the above paragraph, and is only effective with respect to PHI created or received after we have so informed you.

To request restrictions, you must make your request in writing to our Privacy Officer. In your request, you must tell us (1) what PHI you want to limit; (2) whether you want to limit our use, disclosure or both; and (3) to whom you want the limits to apply, for example, disclosures to your spouse.

We may terminate our agreement to the restriction if you orally agree to the termination and it is documented, you request the termination in writing or we inform you that we are terminating our agreement with respect to any information created or received after receipt of our notice.

We will document the restriction and maintain it in written or electronic form for a period of at least 6 years from the date of its creation of the day when it was last in effect, whichever is later.

■ Right to Request Confidential Communications. You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail. To request confidential communications, you must make your request in writing to our Privacy Officer. We will accommodate all reasonable requests. Your request must specify how or where you wish to be contacted.

■ Right to a Paper Copy of This Notice. You have the right to a paper copy of this notice. You may ask us to give you a copy of this notice at any time. Even if you have agreed to receive this notice electronically, you are still entitled to a paper copy of this notice.

You may obtain another copy of this notice at our website, http://www.alvernoclinicallabs.com

To obtain a paper copy of this notice, you may request a copy of the Notice of Privacy Practices from our registration clerk or our Privacy Officer.

CHANGES TO THIS NOTICE
We reserve the right to change our privacy practices that are described in this notice. We reserve the right to make the revised or changed privacy practices effective for PHI we already have about you as well as any information we receive in the future. Prior to a material change to the uses or disclosures, your rights, our legal duties or other privacy practices stated in this notice, we will promptly revise this notice. The notice will contain the effective date.

COMPLAINTS
If you believe your privacy rights have been violated, you may file a complaint with us or with the Secretary of the Department of Health and Human Services. To file a complaint with us, write to our Privacy Officer. All complaints must be submitted in writing. Complaints to the Secretary of the Department of Health and Human Services may be filed either in paper or electronically. You will not be penalized or retaliated against for filing a complaint.

OTHER USES AND DISCLOSURES OF PHI
Other uses and disclosures of PHI not covered by this notice or the laws that apply to us will be made only with your written permission. Use and disclosures that require your written permission include, but are not necessarily limited to, most uses and disclosures of psychotherapy notes, marketing, and sale of your PHI. If you provide us permission to use or disclose PHI about you, you may revoke that permission, in writing, at any time. If you revoke your permission, we will no longer use or disclose PHI about you for the reasons covered by your written authorization. You understand that we are unable to take back any uses and disclosures we have already made with your permission.

We may engage in fundraising activities, and may contact you in connection with those activities. If we do, you have the right to opt out of receiving such communications by notifying our Privacy Officer in writing.

OUR ADDRESS AND OTHER CONTACT INFORMATION
Alverno Laboratories
2434 Interstate Plaza Drive
Hammond, Indiana 46324
Attention: Jack Strzempka,