Statement of Privacy Practices

Covered Entity’s Duties

USFHP is a Covered Entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Privacy Act. As such, we are legally required to safeguard the privacy of our members Protected Health Information (PHI). This Notice provides an overview of our legal obligations and privacy practices related to your PHI. We are dedicated to upholding the terms outlined in this Notice and will promptly inform you of any breach that may compromise the security of your unsecured PHI.

Internal Protections of Oral, Written, and Electronic PHI

USFHP is committed to safeguarding our members Protected Health Information (PHI). We have implemented comprehensive privacy and security measures to ensure the protection of your PHI:

We provide comprehensive training to all staff on our privacy and security protocols to ensure full compliance with federal and state regulations, including HIPAA and other applicable privacy laws.
Our business associates are contractually obligated to adhere to the same stringent privacy and security requirements to protect personal health information (PHI).
We maintain secure physical and electronic environments in our offices, safeguarding access to PHI in accordance with best practices and regulatory standards.
PHI is strictly handled on a need-to-know basis, accessible only to authorized personnel for legitimate business or treatment purposes.
When transmitting or storing PHI electronically, we implement advanced encryption and security measures to ensure its protection and confidentiality.
We leverage robust technological controls to prevent unauthorized access to PHI, continually updating our systems to address emerging risks and threats.

Permissible Uses and Disclosures of Your Protected Health Information (PHI)

Treatment – We may use or disclose your PHI to healthcare providers involved in your treatment, facilitating the coordination of your care among various providers, or assisting in making prior authorization decisions related to your healthcare benefits.

Payment – We may use and disclose your PHI to process benefit payments for the healthcare services you received. Additionally, we may share your PHI with another health plan, healthcare provider or entity covered by the federal Privacy Rules for their payment activities.

Payment-related activities may include:

Processing and adjudicating claims
Determining eligibility or coverage for claims
Issuing premium billings
Reviewing services for medical necessity
Performing utilization reviews of claims

Healthcare Operations – We may use and disclose your PHI to support our healthcare operations.

These activities may include:

Providing customer service
Responding to complaints and appeals
Providing case management and care coordination services
Conducting medical reviews of claims and other quality assessments
Improvement activities

Permissible Uses and Disclosures of Your PHI Without Your Authorization

We may use or disclose your Protected Health Information (PHI) without your explicit permission or authorization under certain circumstances related to our healthcare operations. Specifically, we may disclose your PHI to our business associates who perform services on our behalf. These associates are contractually obligated to protect the privacy and security of your PHI through written agreements.

We may also disclose your PHI to other entities that are subject to federal Privacy Rules, provided they have a direct relationship with you and require the information for their own healthcare operations. Such operations may include:

Quality assessment and improvement activities
Evaluating the competence or qualifications of healthcare professionals
Case management and care coordination

Fraud, Waste, and Abuse

In our efforts to maintain the integrity and efficiency of healthcare services, we may use or disclose your PHI to identify and address fraud, waste, and abuse. These activities may involve:

Fraud: Detecting and preventing intentional deception or misrepresentation related to the provision of healthcare services
Waste: Identifying and addressing unnecessary or inefficient use of resources that do not compromise the quality of care
Abuse: Preventing and addressing practices that result in improper payments or excessive charges for services

We are committed to adhering to all applicable regulations and ensuring that any disclosures related to fraud, waste, and abuse are made in compliance with federal Privacy Rules and other relevant standards.

Other Permitted or Required Disclosures of Your PHI

Appointment Reminders and Treatment Alternatives – We may use and disclose your PHI to remind you of upcoming appointments for treatment and medical care with us. Additionally, we may use your PHI to provide you with information regarding treatment alternatives, health-related benefits, and services, such as resources for smoking cessation or weight management.

As Required by Law – When required by federal, state, and/or local laws; such disclosures will be made only to the extent necessary to comply with the specific legal requirements. In case of conflicting laws or regulations, we will adhere to the more restrictive requirements to ensure your PHI is protected according to applicable legal standards.

Public Health Activities – We may disclose your PHI to public health authorities to prevent or control disease, injury, or disability. Additionally, we may disclose your PHI to the Food and Drug Administration (FDA) to ensure the safety, efficacy, or quality of FDA-regulated products and services.

Victims of Abuse and Neglect – If we have reasonable grounds to believe that abuse, neglect, or domestic violence has occurred, we may disclose your PHI to appropriate local, state, or federal authorities, including social services or protective services agencies authorized to receive such reports.

Judicial and Administrative Proceedings – We may disclose your PHI in response to legal processes such as:

Court orders
Administrative tribunal orders
Subpoenas
Summonses
Warrants
Discovery requests
Other similar legal requests

Law Enforcement – We may disclose your PHI to law enforcement officials when required by law, including in response to:

Court orders
Court-ordered warrants
Subpoenas
Summonses issued by a judicial officer
Grand jury subpoenas

We may also disclose your PHI to assist in identifying or locating a suspect, fugitive, material witness, or missing person.

Coroners, Medical Examiners, and Funeral Directors – We may disclose your PHI to coroners or medical examiners for purposes such as determining the cause of death. We may also disclose your PHI to funeral directors as necessary to carry out their duties.

Organ, Eye, and Tissue Donation – We may disclose your PHI to organ procurement organizations and entities involved in the procurement, banking, or transplantation of organs, eyes, or tissues.

Threats to Health and Safety – We may use or disclose your PHI if we believe, in good faith, that such use or disclosure is necessary to prevent or lessen a serious and imminent threat to health or safety.

Specialized Government Functions – For members of the U.S. Armed Forces, we may disclose your PHI as required by military command authorities. We may also disclose your PHI:

To authorized federal officials for national security purposes
For intelligence activities
To the Department of State for medical suitability determinations
For protective services for the President or other authorized persons

Emergency Situations – In emergency situations or if you are incapacitated, we may disclose your PHI to a family member, close personal friend, authorized disaster relief agency, or any other individual previously identified by you. We will use professional judgment to determine if the disclosure is in your best interests, and will only disclose PHI that is directly relevant to the person’s involvement in your care.

Your Rights Regarding Your PHI

Right to Request Restrictions – You have the right to request restrictions on the use and disclosure of your PHI for treatment, payment, or healthcare operations, and disclosures to individuals involved in your care. Please specify the restrictions you are requesting and the individuals to whom they apply. While we are not obligated to agree to these requests, if we do, we will comply unless the information is needed for emergency treatment. We will also honor restrictions on PHI disclosures for payment or healthcare operations when you have paid out of pocket in full.

Right to Request Confidential Communications – You have the right to request that we communicate with you about your PHI through alternative means or at alternative locations if you believe that standard communication methods could endanger you. You do not need to explain the reason for your request, but you must specify the alternative method or location. We will accommodate reasonable requests.

Right to Access and Receive a Copy of Your PHI – You have the right to access and obtain copies of your PHI contained in a designated record set, with limited exceptions. You may request copies in a specific format, and we will accommodate your request unless it is feasible. Requests must be made in writing. If we deny your request, we will provide a written explanation and information on how to request a review if applicable.

Right to Amend Your PHI – You have the right to request an amendment to your PHI if you believe it is inaccurate or incomplete. Your request must be written and include reasons for the amendment. We may deny the request for specific reasons, and if so, we will provide a clear explanation. You may submit a statement of disagreement, which will be attached to your PHI. If we accept your amendment request, we will make reasonable efforts to notify others of the change and incorporate it into future disclosures.

Right to Receive an Accounting of Disclosures – You have the right to request a list of disclosures of your PHI made within the past six years, excluding those made for treatment, payment, healthcare operations, or those you authorized. If you request this accounting more than once in a 12-month period, we may charge a reasonable, cost-based fee. We will provide information on the fees at the time of your request.

Right to File a Complaint – If you believe your privacy rights have been violated or that we have not complied with our privacy practices, you may file a complaint with us using the contact information provided at the end of this Notice. You may also file a complaint with the Secretary of the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-800-368-1019 (TTY: 1-866-788-4989), or visiting www.hhs.gov/ocr/privacy/hipaa/complaints/.

We will not retaliate against you for filing a complaint.

Right to Receive a Copy of This Notice – You may request a copy of this Notice at any time using the contact information provided at the end of this notification. If you received this Notice electronically, you are also entitled to request a paper copy.

Contact Information

If you have any questions about this Notice, our privacy practices to your PHI or how to exercise your rights; you may contact us in writing or by phone.

Megan McGill
Director, Compliance, Risk & Privacy
mmcgill@svcmcny.org
212-356-4928
or USFHPCompliance@svcmcny.org
Compliance Hotline – 212-356-4402