CARDIOLOGY ASSOCIATES, PC


Notice of Privacy Practices
 
As Required by the Privacy Regulations Created as a Result of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

This notice describes how health information about you (as a patient of this practice) may be used and disclosed, and how you can get access to your individually identifiable health information. Please review this notice carefully.

A. OUR COMMITMENT TO YOUR PRIVACY - Our practice is dedicated to maintaining the privacy of your individually identifiable health information (IIHI). In conducting our business, we will create records regarding you and the treatment and services we provide to you. We are required by law to maintain the confidentiality of health information that identifies you. We also are required by law to provide you with this notice of our legal duties and the privacy practices that we maintain in our practice concerning your IIHI. By federal and state law, we must follow the terms of the notice of privacy practices that we have in effect at the time.

We realize that these laws are complicated, but we must provide you with the following important information:
• how we may use and disclose your IIHI;
• your privacy rights in your IIHI;
• our obligations concerning the use and disclosure of your IIHI.

The terms of this notice apply to all records containing your IIHI that are created or retained by our practice. We reserve the right to revise or amend this Notice of Privacy Practices. Any revision or amendment to this notice will be effective for all of your records that our practice has created or maintained in the past, and for any of your records that we may create or maintain in the future. Our Practice will post a copy of our current Notice in our offices in a visible location at all times, and you may request a copy of our most current Notice at any time.

B. IF YOU HAVE QUESTIONS ABOUT THIS NOTICE, PLEASE CONTACT:

PRACTICE MANAGER – CARDIOLOGY ASSOCIATES, P.C.
1030 HILLPOINT BLVD., SUFFOLK, VA. 23434
(757) 539-0444

C. WE MAY USE AND DISCLOSE YOUR INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION (IIHI) IN THE FOLLOWING WAYS:

The following categories describe the different ways in which we may use and disclose your IIHI:

1. Treatment. Our Practice may use your IIHI to treat you. For example, we may ask you to have laboratory tests (such as blood or urine tests), and we may use the results to help us reach a diagnosis. We might use your IIHI in order to write a prescription for you, or we might disclose your IIHI to a pharmacy when we order a prescription for you. Many of the people who work for our practice (including, but not limited to, our doctors and nurses) may use or disclose your IIHI in order to treat you or to assist others in your treatment. Additionally, we may disclose your IIHI to others who may assist in your care, such as your spouse, children, or parents. Finally, we may also disclose your IIHI to other health care providers for purposes related to your treatment.

2. Payment. Our Practice may use and disclose your IIHI in order to bill and collect payment for the services and items you may receive from us. For example, we may contact your health insurer to certify that you are eligible for benefits (and for what range of benefits), and we may provide your insurer with details regarding your treatment to determine if your insurer will cover, or pay for, your treatment. We also may use and disclose your IIHI to obtain payment from third parties that may be responsible for such costs, such as family members. Also, we may use your IIHI to bill you directly for services and items. We may disclose your IIHI to other health care providers and entities to assist in their billing and collection efforts.

3. Health Care Operations. Our Practice may use and disclose your IIHI to operate our business. As examples of the ways in which we may use and disclose your information for our operations, our Practice may use your IIHI to evaluate the quality of care you received from us, or to conduct cost-management and business planning activities for our Practice. We may disclose your IIHI to other health care providers and entities to assist in their health care operations.

4. Appointment Reminders. Our Practice may use and disclose your IIHI to contact you and remind you of an appointment.

5. Treatment Options. Our Practice may use and disclose your IIHI to inform you of potential treatment options or alternatives.

6. Health-Related Benefits and Services. Our Practice may use and disclose your IIHI to inform you of health-related benefits or services that may be of interest to you.

7. Release of information to Family/Friends. Our Practice may release your IIHI to a friend or family member that is involved in your care, or who assists in taking care of you. For example, a patient may ask a friend or family member to take them to his or her doctor’s office for treatment. In this example, the friend or family member may have access to this patient’s medical information.

8. Disclosures Required By Law. Our Practice will use and disclose your IIHI when we are required to do so by federal, state, or local law.

D. USE AND DISCLOSURE OF YOUR IIHI IN CERTAIN SPECIAL CIRCUMSTANCES - The following categories describe unique scenarios in which we may use or disclose your identifiable health information:

1. Public Health Risks. Our practice may disclose your IIHI to public health authorities that are authorized by law to collect information for the purpose of:
• maintaining vital records, such as births and deaths;
• reporting child abuse or neglect;
• preventing or controlling disease, injury, or disability;
• notifying a person regarding potential exposure to a communicable disease;
• notifying a person regarding a potential risk for spreading or contracting a disease or condition;
• reporting reactions to drugs or problems with products or devices;
• notifying individuals if a product or device they may be using has been recalled;
• notifying appropriate governmental agency(ies) and authority(ies) regarding the potential abuse or neglect of an adult patient (including domestic violence); however, we will only disclose this information if the patient agrees or we are required or authorized by law to disclose this information;
• notifying your employer under limited circumstances related primarily to workplace injury or illness or medical surveillance.

2. Health Oversight Activities. Our Practice may disclose your IIHI to a health oversight agency for activities authorized by law. Oversight activities can include, for example, investigations, inspections, audits, surveys, licensure and disciplinary actions; civil, administrative, and criminal procedures or actions; or other activities necessary for the government to monitor government programs, compliance with civil rights laws, and the health care system in general.

3. Lawsuits and Similar Proceedings. Our Practice may use and disclose your IIHI in response to a court or administrative order, if you are involved in a lawsuit or similar proceeding. We also may disclose your IIHI in response to a discovery request, subpoena, or other lawful process by another party involved in the dispute, but only if we have made an effort to inform you of the request or to obtain an order protecting the information the party has requested.

4. Law Enforcement. We may release IIHI if asked to do so by a law-enforcement official:
• regarding a crime victim in certain situations, if we are unable to obtain the person's agreement;
• concerning a death we believe has resulted from criminal conduct;
• regarding criminal conduct at our offices;
• in response to a warrant, summons, court order, subpoena or similar legal process to identify/locate a suspect, material witness, fugitive or missing person;
• in an emergency, to report a crime (including the location or victim(s) of the crime, or the description, identity, or location of the perpetrator).

5. Deceased Patients. Our Practice may release IIHI to a medical examiner or coroner to identify a deceased individual or to identify the cause of death. If necessary, we also may release information in order for funeral directors to perform their jobs.

6. Organ and Tissue Donation. Our Practice may release your IIHI to organizations that handle organ, eye or tissue procurement or transplantation, including organ donation banks as necessary to facilitate organ or tissue donation and transplantation if you are an organ donor.

7. Research. Our Practice may use and disclose your IIHI for research purposes in certain limited circumstances. We will obtain your written authorization to use your IIHI for research purposes except when an Internal Review Board or Privacy Board has determined that the waiver of your authorization satisfies the following:
• the use or disclosure involves no more than a minimal risk to your privacy based on the following:
    • an adequate plan to protect the identifiers from improper use and disclosure;
    • an adequate plan to destroy the identifiers at the earliest opportunity consistent with the research (unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law); and
    • adequate written assurances that the PHI will not be re-used or disclosed to any other person or entity (except as required by law) for authorized oversight of the research study, or for other research for which the use or disclosure would otherwise be permitted.
• the research could not practicably be conducted without the waiver; and
• the research could not practicably be conducted without access to and use of the PHI.

8. Serious Threats to Health or Safety. Our Practice may use and disclose your IIHI when necessary to reduce or prevent a serious threat to your health and safety or the health and safety of another individual or the public. Under these circumstances, we will only make disclosures to a person or organization able to help prevent the threat.

9. Military. Our Practice may disclose your IIHI if you are a member of U.S. or foreign military forces (including veterans) and if required by the appropriate authorities.

10. National Security. Our Practice may disclose your IIHI to federal officials for intelligence and national security activities authorized by law. We also may disclose your IIHI to federal officials in order to protect the President, other officials or foreign heads of state, or to conduct investigations.

11. Inmates. Our Practice may disclose your IIHI to correctional institutions or law enforcement officials if you are an inmate or under the custody of a law enforcement official. Disclosure for these purposes would be necessary: (a) for the institution to provide health care services to you; (b) for the safety and security of the institution; and/or (c) to protect your health and safety or the health and safety of other individuals.

12. Workers' Compensation. Our Practice may release your IIHI for workers' compensation and similar programs.

E. YOUR RIGHTS REGARDING YOUR IIHI - You have the following rights regarding the IIHI that we maintain about you:

1. Confidential Communications. You have the right to request that our practice communicate with you about your health and related issues in a particular manner or at a certain location. For instance, you may ask that we contact you at home, rather than work. In order to request a type of confidential communication, you must make a written request to: CARDIOLOGY ASSOCIATES, P.C., 1030 HILLPOINT BLVD., SUFFOLK, VIRGINIA, 23434, telephone: (757) 539-0444, specifying the requested method of contact, or the location where you wish to be contacted. Our practice will accommodate reasonable requests. You do not need to give a reason for your request.

2. Requesting Restrictions. You have the right to request a restriction in our use or disclosure of your IIHI for treatment, payment or health care operations. Additionally, you have the right to request that we restrict our disclosure of your IIHI to only certain individuals involved in your care or the payment for your care, such as family members and friends. We are not required to agree to your request; however, if we do agree, we are bound by our agreement except when otherwise required by law, in emergencies, or when the information is necessary to treat you. In order to request a restriction in our use or disclosure of your IIHI, you must make your request in writing to: CARDIOLOGY ASSOCIATES, P.C., 1030 HILLPOINT BLVD., SUFFOLK, VIRGINIA, 23434, telephone: (757) 539-0444. Your request must describe in a clear and concise fashion:
(a) the information you wish restricted;
(b) whether you are requesting to limit our practice's use, disclosure or both; and
(c) to whom you want the limits to apply.

3. Inspection and Copies. You have the right to inspect and obtain a copy of the IIHI that may be used to make decisions about you, including patient medical records and billing records, but not including psychotherapy notes. You must submit your request in writing to: CARDIOLOGY ASSOCIATES, P.C., 1030 HILLPOINT BLVD., SUFFOLK, VIRGINIA, 23434, telephone: (757) 539-0444, in order to inspect and/or obtain a copy of your IIHI. Our practice may charge a fee for the costs of copying, mailing, labor and supplies associated with your request. Our practice may deny your request to inspect and/or copy in certain limited circumstances; however, you may request a review of our denial. Another licensed health care professional chosen by us will conduct reviews.

4. Amendment. You may ask us to amend your health information if you believe it is incorrect or incomplete, and you may request an amendment for as long as the information is kept by us for malpractice. To request an amendment, your request must be made in writing and submitted to: CARDIOLOGY ASSOCIATES, P.C., 1030 HILLPOINT BLVD., SUFFOLK, VIRGINIA, 23434, telephone: (757) 539-0444. You must provide us with a reason that supports your request for amendment. Our Practice will deny your request if you fail to submit your request (and the reason supporting your request) in writing. Also, we may deny your request if you ask us to amend information that is in our opinion: (a) accurate and complete; (b) not part of the IIHI kept by or for the Practice; (c) not part of the IIHI which you would be permitted to inspect and copy; or (d) not created by our practice, unless the individual or entity that created the information is not available to amend the information.

5. Accounting of Disclosures. All of our patients have the right to request an "accounting of disclosures." An "accounting of disclosures" is a list of certain non-routine disclosures our Practice has made of your IIHI for non-treatment, non-payment or non-operations purposes. Use of your IIHI as part of the routine patient care in our practice is not required to be documented; examples include the doctor sharing information with the nurse, or the billing department using your information to file your insurance claim. In order to obtain an accounting of disclosures, you must submit your request in writing to: CARDIOLOGY ASSOCIATES, P.C., 1030 HILLPOINT BLVD., SUFFOLK, VIRGINIA, 23434, telephone: (757) 539-0444. All requests for an "accounting of disclosures" must state a time period, which may not be longer than six (6) years from the date of disclosure and may not include dates before April 14, 2003. The first list you request within a 12-month period is free of charge, but our Practice may charge you for additional lists within the same 12-month period. Our Practice will notify you of the costs involved with additional requests, and you may withdraw your request before you incur any costs.

6. Right to a Paper Copy of This Notice. You are entitled to receive a paper copy of our Notice of Privacy Practices. You may ask us to give you a copy of this notice at any time. To obtain a paper copy of this notice, contact: CARDIOLOGY ASSOCIATES, P.C., 1030 HILLPOINT BLVD., SUFFOLK, VIRGINIA, 23434, telephone: (757) 539-0444.

7. Right to File a Complaint. If you believe your privacy rights have been violated, you may file a complaint with our Practice or with the Secretary of the Department of Health and Human Services. To file a complaint with our Practice, contact: PRACTICE MANAGER - CARDIOLOGY ASSOCIATES, P.C., 1030 HILLPOINT BLVD., SUFFOLK, VIRGINIA, 23434, telephone: (757) 539-0444. All complaints must be submitted in writing. You will not be penalized for filing a complaint.

8. Right to Provide an Authorization for Other Uses and Disclosures. Our Practice will obtain your written authorization for uses and disclosures that are not identified by this notice or permitted by applicable law. Any authorization you provide to us regarding the use and disclosure of your IIHI may be revoked at any time in writing. After you revoke your authorization, we will no longer use or disclose your IIHI for the reasons described in the authorization. Please note we are required to retain records of your care.

Again, if you have any questions regarding this notice or our health information privacy policies, please contact: CARDIOLOGY ASSOCIATES, P.C., 1030 HILLPOINT BLVD., SUFFOLK, VIRGINIA, 23434, telephone: (757) 539-0444.

Revised 8/4/07


CARDIOLOGY ASSOCIATES, PC
Identity Theft / Red Flag / Patient Misidentification Policy
April 7, 2009

Purpose

To describe the measures to be followed when health care is obtained under a fictitious name or in another person’s name. This includes situations when a person intentionally misrepresents himself/herself and when a person gives his/her real name, but the hospital or other facility accesses the wrong medical record so that the medical records of two patients are commingled.

Policy

CARDIOLOGY ASSOCIATES, PC strives to prevent the intentional or inadvertent misuse of patient names, identities, and medical records; to report criminal activity relating to identity theft and theft of services to appropriate authorities; and to take steps to correct and/or prevent further harm to any person whose name or other identifying information is used unlawfully or inappropriately.

Procedure
1. Request Identification at Registration Points.

All registration personnel should review and include in each patient’s file a scan/copy of a photo ID issued by a local, state, or federal government agency (e.g., a driver’s license, passport, military ID, etc.). In the event the patient does not have photo ID, ask for two forms of non-photo ID, one of which has been issued by a state or federal agency (e.g., Social Security card, US Military Card, Voters Registration Card, Birth Certificate, etc.). When the patient is under 18 or if the patient is unable due to their condition to produce identification, the responsible party’s identification shall be requested. Each time a patient visits, check whether the identification provided is valid, copy the identification provided, and match any photo to the patient/responsible party. During the registration process, if an identity alert flag appears, the staff should call the Office Manager or the applicable Privacy Officer for resolution.

A. Emergency Care—NO DELAY. Providing identification is not a condition for obtaining emergency care. The process of confirming a patient’s identity must never delay the provision of an appropriate medical screening examination or necessary stabilizing treatment for emergency medical conditions.

B. Responding to Questions. If asked the reason for the identifying procedures, explain that the procedures are “for patient protection to prevent identity theft and theft of services.” Politely remind questioners this is the same process used to cash a check, make a large credit card purchase, or board a plane.

C. Refusal to Provide or Lack of Identification. No one should be refused care because they do not have acceptable identification with them. Patients should be asked to bring appropriate documents to their next visit.   

2. Signs of Possible Identity Theft (Red Flags).

Employees should be alert for cases of possible identity theft. Potential signs of identity theft include: (1) any patient appearing and giving an identity that has been flagged in the Identity Theft Database, (2) a patient providing photo ID that does not match the patient, (3) a patient giving a social security number different than one used on a previous visit, (4) a patient giving information that conflicts with information in the patient’s file or received from third parties, such as insurance companies, and (5) family members/friends calling the patient by a name different than that provided by the patient at registration.

If an employee reasonably believes identity theft has occurred or may be occurring, immediately notify the Office Manager or Privacy Officer. The Office Manager/Privacy Officer will involve Authorities on an as-needed basis (e.g., to perform background checks, to contact the person believed to be a victim of the identity theft, and if medical circumstances allow, to interview the patient, etc.).

3. When Identity Theft Is Alleged by a Patient.

Staff personnel should advise the patient to report the identity theft incident to law enforcement and indicate that paperwork will be forwarded for the patient to complete. Complete and send the letter attached as Exhibit A with a copy of the FTC Identity Theft Affidavit, attached hereto as Exhibit B, also available at http://www.ftc.gov/bcp/edu/resources/forms/affidavit.pdf. Unless there is actual knowledge that identity theft has occurred at the facility, the facility must receive a properly completed and signed FTC Identity Theft Affidavit before correcting medical or payment records or proceeding with other victim assistance steps under this policy. Once the identity theft allegation is supported by an FTC Identity Theft Affidavit, the facility must flag the account of the patient alleging identity theft so that medical personnel are alert to the issue that the medical record may contain inaccurate information about the patient. The facility then can proceed with the remainder of the steps set out in this policy.

4. When Identity Theft Occurs.

If a person obtains or uses the personal identifying information of another to obtain (or to attempt to obtain) medical services or information in the name of such other person without consent or lawful authority, the facility shall take the following steps:

A. Notifications.   When identity theft is reasonably suspected or is known to have occurred by an employee (e.g., by receipt of a properly completed and signed FTC Identity Theft Affidavit), the employee must immediately complete the Identity Alert reporting form attached as Exhibit C and route copies of the same to the entity Privacy Officer, Administrator, Office Manager, and Billing Manager and attach a copy of the relevant photo ID. If the incident occurs on a weekend, reporting should occur the next business day. The Privacy Officer will review and make decisions on the finding and make all external reporting and notification decisions. External notification and reporting will occur only as directed by the Privacy Officer.

i. Reporting Medicaid Fraud. When there is actual knowledge of Medicaid fraud (e.g., a patient uses another person’s Medicaid information to obtain medical care), the fraud must be reported immediately to the Medicaid OIG: 1-800-HHS-TIPS (1-800-447-8477).

ii. Mail Theft. For incidents involving mail theft, the U.S. Postal Inspection Service will be contacted.

iii. Security Breach. If the identity theft involves unauthorized access of unencrypted computerized data containing a person’s first name or first initial and last name and (1) a social security number, (2) driver’s license number, or (3) financial account number (including a credit or debit card number) in combination with any required security code, access code, or password that would permit access to an individual's financial account, the Privacy Officer will direct reporting in accordance with all State laws whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person. Such reporting will be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.

iv. Coordinating with Area Health Care Providers. The victim’s written authorization generally will be obtained prior to alerting non-CARDIOLOGY ASSOCIATES health care providers about the possibility of identity theft in connection with the victim’s identifying information. See CARDIOLOGY ASSOCIATES HIPAA Policy, “Authorization to Release Information.” However, in the event circumstances indicate that the identity thief may imminently use the victim’s information to defraud a non-CARDIOLOGY ASSOCIATES health care provider (e.g., identity thief is “shopping” area emergency departments for medication) and such circumstances do not allow enough time to obtain the victim’s written authorization to disclose the victim’s name and address to the non-Cardiology Associates provider to prevent further fraudulent activity in connection with the victim’s identifying information, the Privacy Officer may disclose (or direct disclosure) to a non-Cardiology Associates provider information about the identity theft victim to allow the unrelated provider to determine whether it has an existing or past relationship with the victim. The information disclosed shall be limited to the minimum necessary to determine whether the victim has an existing or past relationship with the area health care provider (e.g., victim’s name and address; photograph of identity theft suspect). If the non-Cardiology Associates provider confirms it has an existing or past relationship with the victim, the minimum necessary information regarding the identity theft incident may be disclosed so that the provider is alert to the potential for fraudulent activity related to the victim’s identifying information. In the event the identity theft victim does not have an existing or past relationship with the non-Cardiology Associates provider, the victim’s written authorization must be obtained prior to releasing any identifying information about the victim to a non-Cardiology Associates provider.

B. Accounts on Hold. The Billing Manager will put all patient accounts affected by the identity theft on hold pending the outcome of the investigation.  

C. Security Department; Reports to Law Enforcement; Reporting Medicaid Fraud. Cardiology Associates  Administration will provide any necessary assistance with determining the identity of the patient and provide feedback to the Office Manager, Billing Manager, and the Privacy Officer. If the Administration office together with the Privacy Officer believe in good faith that identity theft or theft of services has occurred on the entity’s premises, and the value of the services in question exceeds or may exceed $500, the Administration will instruct the entity’s Privacy Officer to report the incident to the law enforcement agency in the city or county in which the facility is located. In order to facilitate reporting and efficient prosecution of identity theft crimes, the entity should prepare a summary of the information that the entity believes in good faith constitutes evidence of criminal conduct that occurred on the entity’s premises (e.g., information provided by the victim and the suspect; any fingerprint, photo, and copies of security films taken of the suspect; a statement of the value of services obtained by the suspect, etc.). Administration will make reasonable efforts to limit the disclosure of protected health information to the minimum necessary to report the suspected identity theft, and the information disclosed will not directly or indirectly identify any patient as a mental health services recipient. CARDIOLOGY ASSOCIATES  Administration must obtain the investigating officer’s name and phone number, consult with law enforcement about the timing and the content of any victim notification (to ensure notification does not impede a law enforcement investigation), and explain that the investigating officer’s name and phone number will be shared with the identity theft victim in any victim notification.

D. Notifying Victims of Identity Theft When the Patient Does Not Know Identity Theft Has Occurred. After consultation with law enforcement about the timing and the content of any victim notification (to ensure notification does not impede a law enforcement investigation), victims of identity theft will be notified by CARDIOLOGY ASSOCIATES  Administration as directed by the Privacy Officer. The letter attached to this Policy as Exhibit D may be used as a form to notify a victim of identity theft. Victims of identity theft should be encouraged to cooperate with law enforcement in identifying and prosecuting the suspected identity thief. Encourage the victim to complete the FTC Identity Theft Affidavit attached hereto as Exhibit B and available at http://www.ftc.gov/bcp/conline/pubs/credit/affidavit.pdf.

E. Correcting Medical and Payment Records of Identity Theft Victims; Flagging; Verification and Releasing Bill Hold. To ensure that (1) inaccurate health information is not inadvertently relied upon in treating a patient, (2) a patient or a third-party payer is not billed for services the patient did not receive, and (3) patient health information is protected from inappropriate disclosure, patient medical and payment records must be corrected when a case of identity theft occurs.

i. Medical Records. After appropriate consultation with and input from the patient (whose identity has been properly verified and documented, including through receipt of a properly completed FTC Identity Theft Affidavit) and appropriate clinical personnel, CARDIOLOGY ASSOCIATES  Administration will make appropriate corrections to the patient’s medical record to be certain the record contains correct entries only (e.g., by transferring visit from incorrect MPI record to appropriate MPI record). Corrections shall be made in accordance with the CARDIOLOGY ASSOCIATES  medical record corrections policy and  HIPAA Policy. A detailed explanation of the corrections shall be generated by CARDIOLOGY ASSOCIATES  Administration and verified by the patient. Pursuant to CARDIOLOGY ASSOCIATES HIPAA Policy, Administration may need to send amended information to persons who have received incorrect or incomplete information. Administration shall remove all related documents from the Medical Records EMR System and make replacements with appropriately revised documents. The patient’s verification of the corrected medical record shall be documented and included as part of the case file forwarded to the Privacy Officer.

ii. Payment Records. After appropriate consultation with and input from the patient (whose identity has been properly verified and documented, including through receipt of a properly completed FTC Identity Theft Affidavit), the entity’s billing department will make appropriate corrections to the patient’s billing information, inform and provide documentation to any third-party payer affected by the adjustments, and make any necessary repayments to ensure that the patient and the payer pay only for services actually provided to the patient. Corrections shall be made in accordance with the entity’s billing record corrections policy and HIPAA Policy. A detailed explanation of the corrections shall be generated by the entity and verified by the patient. The patient’s verification of the corrected billing records shall be documented and included as part of the case file forwarded to the Privacy Officer.

iii. Flagging. The Office Manager will add an MPI Alert Flag of “Identity issue/ call Security” to each MPI record affected by the identity theft event.

iv. Verification; Release of Hold. The Office Manager and/or Billing Manager will verify that all demographic and insurance information is correct after the visit is transferred to the appropriate MPI record and will ensure that all related documents are removed from the Medical Records EMR System and replaced with appropriately revised documents. Once all medical and billing records have been corrected, the Office Manager and/or the Billing Manager will release the bill hold and bill appropriately.

F. Assisting Identity Theft Victims.

i. Copies of Records On Written Request. Identity theft victims are entitled to obtain a copy of the business transaction records maintained by the facility (or by others on the facility’s behalf) relating to the identity theft free of charge. “Business transaction records” may include billing and medical record information. The facility must provide these records within 30 days of receipt of the victim’s written request. The facility also must provide these records to any law enforcement agency which the victim authorizes. Before providing such records, the facility must ask for proof of identity, which may be a government-issued ID card, the same type of information the identity thief used to access the patient’s account, or the type of information the facility is currently requesting from patients, a police report (regarding the identity theft), and a completed FTC Identity Theft Affidavit (available at http://www.ftc.gov/bcp/conline/pubs/credit/affidavit.pdf, and attached hereto as Exhibit B). Document receipt of and copy all such information. The facility may refuse to provide business transaction records if the facility determines in good faith that: (i) the true identity of the person asking for the information cannot be verified; (ii) the request for the information is based on a misrepresentation; or (iii) state or federal law prohibits the facility from disclosing such information.

ii. Mitigation. The facility should mitigate, to the extent practicable, any harmful effect that is known to the facility as a result of unlawful use or disclosure of protected health information in connection with a case of identity theft.

G. Recoveries from Suspect. If known to the entity, the facility may bill the identity theft suspect for unlawfully obtained services. If a suspect is identified and the entity has suffered an ascertainable loss (such as by providing services never paid for), the entity may consider pursuing a civil claim. Consult with the Privacy Officer for further guidance.

H. Accounting for Disclosures. The entity’s Privacy Officer should determine whether, as a result of identity theft, protected health information was inappropriately disclosed. If protected health information was inappropriately disclosed, CARDIOLOGY ASSOCIATES Administration must account for such disclosures in accordance with the CARDIOLOGY ASSOCIATES HIPAA Policy.

I. Update Identity Theft Database. When identity theft is reasonably suspected, either the Office Manager or the Privacy Officer must update the CARDIOLOGY ASSOCIATES  Identity Theft Database with the Identity Alert Form to include alerts on both the identity theft victim and any other name or identification provided by the suspect.

5. When Patient Misidentification Occurs. If it is determined that patient misidentification, but not identity theft, has occurred (as, for example, when a patient gives his or her real name, but the incorrect medical record is pulled up and the medical information of two patients is subsequently intermingled), the facility shall take the following steps:

A. Notifications. When patient misidentification has occurred, the employee discovering the misidentification must immediately complete the Identity Alert reporting form attached as Exhibit C, route copies of the same to the entity Privacy Officer, Administrator, HIPAA Officer, Office Manager, and Billing Manager, and attach a copy of the relevant photo ID. If the incident occurs on a weekend, reporting should occur the next business day. The Privacy Officer will review and make decisions on the finding and make all external reporting and notification decisions. External notification and reporting will occur only as directed by the Privacy Officer. For example, the Privacy Officer will direct the following reporting:

i. Security Breach. If the identity theft involves unauthorized access of unencrypted computerized data containing a person’s first name or first initial and last name and (1) a social security number, (2) driver’s license number, or (3) financial account number (including a credit or debit card number) in combination with any required security code, access code, or password that would permit access to an individual's financial account, the Privacy Officer will direct reporting in accordance with all State laws whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person. Such reporting will be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.  

B. Accounts on Hold. The Billing Manager will put all patient accounts affected by the patient misidentification on hold pending the outcome of the investigation.

C. Notifying Affected Patients; Mitigation Efforts. Patients affected by patient misidentification will be notified by the Privacy Officer as directed by CARDIOLOGY ASSOCIATES  Administration. The letter attached to this Policy as Exhibit E may be used as a form to notify such patients. The facility should mitigate, to the extent practicable, any harmful effect that is known to the facility as a result of unlawful use or disclosure of protected health information in connection with a case of patient misidentification.

D. Correcting Medical and Payment Records; Verification; Release of Hold. To ensure that (1) inaccurate health information is not inadvertently relied upon in treating a patient, (2) a patient or a third-party payer is not billed for services the patient did not receive, and (3) patient health information is protected from inappropriate disclosure, patient medical and payment records must be corrected when a case of patient misidentification occurs.

i. Medical Records. After appropriate consultation with and input from the patient (whose identity has been properly verified and documented, including through receipt of a properly completed FTC Identity Theft Affidavit) and appropriate clinical personnel, CARDIOLOGY ASSOCIATES  Administration will make appropriate corrections to the patient’s medical record to be certain the record contains correct entries only (e.g., by transferring visit from incorrect MPI record to appropriate MPI record). Corrections shall be made in accordance with the CARDIOLOGY ASSOCIATES  medical record corrections policy and  HIPAA Policy. A detailed explanation of the corrections shall be generated by CARDIOLOGY ASSOCIATES  Administration and verified by the patient. Pursuant to CARDIOLOGY ASSOCIATES  HIPAA Policy, Administration may need to send amended information to persons who have received incorrect or incomplete information. Administration shall remove all related documents from the Medical Records EMR System and make replacements with appropriately revised documents. The patient’s verification of the corrected medical record shall be documented and included as part of the case file forwarded to the Privacy Officer.

ii. Payment Records. After appropriate consultation with and input from the patient (whose identity has been properly verified and documented, including through receipt of a properly completed FTC Identity Theft Affidavit), the entity’s billing department will make appropriate corrections to the patient’s billing information, inform and provide documentation to any third-party payer affected by the adjustments, and make any necessary repayments to ensure that the patient and the payer pay only for services actually provided to the patient. Corrections shall be made in accordance with the entity’s billing record corrections policy and HIPAA Policy. A detailed explanation of the corrections shall be generated by the entity and verified by the patient. The patient’s verification of the corrected billing records shall be documented and included as part of the case file forwarded to the Privacy Officer.

iii. Verification; Release of Hold. The Office Manager and/or the Billing Manager will verify that all demographic and insurance information is correct after the visit is transferred to the appropriate MPI record and will ensure that all related documents are removed from the Optical System and replaced with appropriately revised documents. Once all medical and billing records have been corrected, the Office Manager and/or the Billing Manager will release the bill hold and bill appropriately.

E. Accounting for Disclosures. The entity’s Privacy Officer should determine whether, as a result of patient misidentification, protected health information was inappropriately disclosed. If protected health information was inappropriately disclosed, CARDIOLOGY ASSOCIATES Administration must account for such disclosures in accordance with the CARDIOLOGY ASSOCIATES HIPAA Policy.

6. Documentation. A copy of all documentation concerning identity theft or patient misidentification must be provided to the Privacy Officer.

7. Checklists. Checklists for action items related to this policy are attached as Exhibit F.

8. Definitions.

A. Identity theft means the act of: knowingly obtaining, possessing, buying, or using, the personal identifying information of another: (i) with the intent to commit any unlawful act including, but not limited to, obtaining or attempting to obtain credit, goods, services or medical information in the name of such other person; and (ii)(a) without the consent of such other person; or (b) without the lawful authority to obtain, possess, buy or use such identifying information.

B. Theft of services includes: (i) intentionally obtaining services by deception, fraud, coercion, false pretense or any other means to avoid payment for the services; and (ii) having control over the disposition of services to others, knowingly diverts those services to the person's own benefit or to the benefit of another not entitled thereto.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Exhibit A to Identity Theft/Patient Misidentification Policy

Letter regarding Identity Theft Report

[Date]

[Patient Name]

[Patient Address]

[Patient Address]

Re: Identity Theft Report Made on_______________ [insert date]

RESPONSE REQUIRED

Dear ____________________:

This letter responds to your report that a person used your name, insurance information, or other personal information to obtain health care items or services at this facility. Please follow the instructions in this letter so that we can help you address this problem.

After reading the instructions for the enclosed Identity Theft Affidavit, complete the Identity Theft Affidavit (also available at http://www.ftc.gov/bcp/conline/pubs/credit/affidavit.pdf), including all details of the identity theft incident that you know. Make copies of the required documentation (e.g., photo identification; police report regarding the incident, etc.) and attach them to your affidavit. Sign the affidavit, and then have the affidavit notarized or witnessed by two people who are not members of your family. Return the completed signed affidavit and accompanying documentation to this office within two weeks from the date of this letter so this facility can take the necessary steps to correct your medical record and patient account.

“Medical identity theft” is very serious because, in addition to causing financial problems, identity theft can lead to inappropriate care when incorrect information is included in a patient’s medical record. For example, if the blood type of a person who misused your information is listed in your record, you could be given the wrong type of blood in an emergency. Once we receive your properly completed and signed affidavit, and appropriate supporting documentation, our Health Information Management and Patient Accounts office will work with you to make necessary corrections to your medical record and patient accounts. In the meantime, should you need to visit this facility or any other health care provider, you should let the provider know that the information in your medical record may be incorrect because your identity has been used to obtain health care items or services fraudulently.

We encourage you to alert other area hospitals and health care providers that your identifying information is being used in a fraudulent manner because identity thieves often obtain services and items from more than one health care provider. You may also want to visit the FTC’s website at http://www.ftc.gov/bcp/edu/microsites/idtheft/, which has information to help individuals guard against and deal with identity theft, and you may want to review the information in the FTC’s publication, “Take Charge: Fighting Back Against Identity Theft.” You can call 1-877-438-4338 to request a free copy.

Sincerely,

Enclosure (FTC Identity Theft Affidavit)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Exhibit B to Identity Theft/Patient Misidentification Policy

FTC ID Theft Affidavit

See PDF document ID_Theft_affidavit_FTC under projects/redflag compliance/
 

Or at: http://www.ftc.gov/bcp/conline/pubs/credit/affidavit.pdf


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Exhibit C to Identity Theft/Patient Misidentification

IDENTITY ALERT FORM

This form should be completed by hospital or other facility personnel when the identity of a patient is questioned, either because of identity theft or patient misidentification.

Form completed by:____________________ Date/Time:____________________________

Title:________________________________ Department:_______________________

Patient presented to facility using the following information:

Name:_________________________________ Phone:_________________________________

Address:________________________________ SS#:___________________________________

_______________________________________ DOB:__________________________________

Date: Time: _______________

Presenting Complaint:____________________________________________________________

Approximate Cost of Visit: ________________________________

Existing MPI Used:______________________ New MPI Created:______________________

Account No. Assigned:____________________ Consent Form Signature: _________________

Insurance Information Presented (specify if Medicaid, Medicare, or other governmental programs): ____________________________________________________________________

Was the health information of any other patient provided to this individual (such that the hospital/facility needs to account for such disclosures)?__________________________

Other information (who discovered discrepancy; was Security called, was photo secured, etc.):

List all involved staff members:_____________________________________________________

Based on investigation, the correct patient is:

Name:_________________________________ Phone:_________________________________

Address:________________________________ SS#:___________________________________

_______________________________________ DOB:__________________________________

MPI: Time:

Reason:__________________________________________________________________________

ATTACH A COPY OF THE RELEVANT PHOTO ID AND FORWARD THE COMPLETED FORM TO THE MEDICAL GROUP PRIVACY OFFICER; OFFICE MANAGER; ADMINISTRATOR AND THE BILLING MANAGER.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Exhibit D to Identity Theft/Patient Misidentification Policy
Letter Regarding Identity Theft

[Date]

BY CERTIFIED MAIL, RETURN RECEIPT REQUESTED

[Patient Name]

[Patient Address]

[Patient Address]

Re: Suspected Identity Theft

Dear ____________________:

This letter addresses the unauthorized use of your name and other personal information at _____________ on ___________________________. [Explain factual situation and describe compromise of information in detail (e.g., how it happened; information disclosed; what actions have been taken to remedy situation, etc.). Include the statement that, “We have reported this incident to _____________ (name law enforcement officer) at the ____ [local law enforcement agency], who can be reached at ______. We also have placed an alert on your account at this facility in an effort to prevent further misuse of your identity.”]

“Medical identity theft” is very serious because, in addition to causing financial problems, identity theft can lead to inappropriate care when incorrect information is included in a patient’s medical record. For example, if the blood type of a person who misused your health insurance information is listed in your record, you could be given the wrong type of blood in an emergency. If you believe you are the victim of medical identity theft, you should ask to review and make appropriate corrections to your medical record so that you receive appropriate care. Therefore, for your health and safety, it is very important that your medical records do not contain information about another person. We request your assistance in ensuring that our records about you are correct.

We have removed from your medical record information relating to care given on ________________________________ because [we have determined/you have indicated] you did not receive services at this hospital on those dates. After removing that information, your medical record shows the following visits:

Date of Visit                 Reason for Visit

___________              _____________

If someone other than you made any of the above visits, or you do not remember one or more of these visits, please contact us immediately. You can review your entire medical record by visiting this facility’s Health Information Management office, and we encourage you to do so. In addition to making sure your medical record with this facility is accurate, we also encourage you to check the accuracy of your records with other health care providers and your health insurance plan(s).

[Based on the information we have received relating to the improper use of your name and other identifying information on ___________________________, this facility will not bill you or your insurer for the services it provided on ______________________. We are in the process of correcting your account with your health insurer. If you receive a bill or insurance statement relating to a visit to this facility by someone other than you, please let us know as soon as possible.] We also recommend that you carefully monitor explanations of benefits (EOBs) received from your health insurer to determine if any other person has used your identity to obtain health care. If you receive an EOB or bill for health care you do not remember obtaining, immediately contact your insurer and the health care provider who furnished the services.


Given the possibility that your personal information may be further misused, we recommend that you place a fraud alert on your credit file. A fraud alert tells creditors to contact you and verify your identity before they open any new accounts or change existing accounts. You can call any one of the three major credit bureaus. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts. All three credit reports will be sent to you, free of charge, for your review.

Equifax: 800-525-6285

Experian: 888-397-3742

TransUnion Corp: 800-680-7289

Even if you do not find any suspicious activity on your initial credit reports, you should continue monitoring your credit reports carefully to be certain there have been no unauthorized transactions made or new accounts opened in your name. Victim information sometimes is held for use or shared among a group of thieves at different times. Checking your credit reports periodically can help you spot problems and address them quickly. You are entitled under federal law to get one free comprehensive disclosure of all the information in your credit file from each of the three national credit bureaus listed above once every twelve months. You may request your free annual credit report by visiting http://AnnualCreditReport.com or by calling (877)FACTACT.

If you find suspicious activity on your credit reports or have reason to believe your information is being misused, immediately notify the credit bureaus. If you believe an unauthorized account has been opened in your name, immediately contact the financial institution that holds the account. You should also file a police report. Ask for a copy of the police report because many creditors want the information it contains to absolve you of the fraudulent debts. You should also file a complaint with the FTC at www.consumer.gov/idtheft or at 1-877-ID-THEFT (877-438-4338). Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcers for their investigations. You may want to visit the FTC’s website at http://www.ftc.gov/bcp/edu/microsites/idtheft/, which has information to help individuals guard against and deal with identity theft, and you may want to review the information in the FTC’s publication, “Take Charge: Fighting Back Against Identity Theft.” You can call 1-877-438-4338 to request a free copy.

We encourage you to report any helpful information to ________ [investigating law enforcement officer] at the ____ [local law enforcement agency]. We also encourage you to alert other area hospitals and health care providers that your identifying information is being used in a fraudulent manner. If we can be of further assistance, please contact me at the number listed below.

Sincerely,

Privacy Officer

[Facility]

[Telephone number]


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Exhibit E to Identity Theft/Patient Misidentification Policy-Letter Regarding Patient Misidentification

[Date]

[Patient Name]

[Patient Address]

[Patient Address]

Dear [Mr. ___/ Ms. ____]:

This letter is [to inform you of / in response to your report of] an erroneous use of your name or identifying information at [Name of entity] (“Entity”) and to provide you with information to assist you in preventing this incident from affecting your medical care.

[Explain factual situation and describe how records became commingled.]

The integrity of your medical record is very important, and your record should only reflect your health history and medical items and services provided to you. For example, if the blood type of another person is listed in your record, you could be given the wrong type of blood in an emergency. Therefore, for your health and safety, it is very important that your medical records do not contain information about another person. We request your assistance in ensuring that our records about you are correct.

We have removed from your medical record information relating to care given on ________________________________ because [we have determined/you have indicated] you did not receive services at this hospital on those dates. After removing that information, your medical record shows the following visits:

Date of Visit                             Reason for Visit

____________                        _____________

If someone other than you made any of the above visits, or you do not remember one or more of these visits, please contact us immediately. You can review your entire medical record by visiting this facility’s Health Information Management office, and we encourage you to do so. In addition to making sure your medical record with this facility is accurate, we also encourage you to check the accuracy of your records with other health care providers and your health insurance plan(s).

[Based on the information we have received relating to the use of your name and other identifying information on ___________________________, this facility will not bill you or your insurer for the services it provided on ______________________. We are in the process of correcting your account with your health insurer. If you receive a bill or insurance statement relating to a visit to this facility by someone other than you, please let us know as soon as possible.] We also recommend that you carefully monitor explanations of benefits (EOBs) received from your health insurer. If you receive an EOB or bill for health care you do not remember obtaining, immediately contact your insurer and the health care provider who furnished the services.

We hope this letter is helpful. If there is any other way the entity can assist you, or should you have any questions, please do not hesitate to contact me.

Sincerely,

Privacy Officer

[Facility] [Telephone number]


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Exhibit F to Identity Theft/Patient Misidentification Policy

Checklists of Action Items

When Identity Theft Is Alleged

1.  Advise victim to report identity theft incident to law enforcement and indicate that paperwork will be forwarded for victim to complete.

2. Complete and send victim report of ID theft letter (Exhibit A), with a copy of the FTC Identity Theft affidavit (Exhibit B) to be completed by victim. 

3. When victim’s allegation is supported by a properly completed and signed FTC Identity Theft Affidavit, flag the victim’s account so that medical personnel know the medical record may contain inaccurate information.

 

4. Follow remainder of the steps.

When Identity Theft is Reasonably Suspected or Known to have Occurred

5. Complete Exhibit C (Identity Alert reporting form).

6. Route copies of Exhibit C with a copy of the relevant photo ID to the entity’s Privacy Officer, Administrator, Office Manager, and Billing Manager.

7. The Billing Manager will put affected patient accounts on hold pending the outcome of the investigation.

8. CARDIOLOGY ASSOCIATES Administration will review and make decisions on the investigation and make all external reporting and notification decisions. The Privacy Officer will direct reporting of actual knowledge of Medicaid fraud to the Medicaid OIG at 1-800-HHS-TIPS (1-800-447-8477); for incidents involving mail theft, will direct reporting to the U.S. Postal Inspection Service; if identity theft involves unauthorized access of unencrypted computerized data, will direct special reporting in accordance with state laws; and will coordinate with area health care providers.

9. If identity theft or theft of services has occurred and the value of the services in question exceeds $500, the Privacy Officer will instruct CARDIOLOGY ASSOCIATES Administration to report the incident to the appropriate law enforcement agency, subject to the information limitations in Section 4(C). The Privacy Officer will obtain the investigating officer’s name and phone number, and will consult with law enforcement about the timing and the content of any victim notification.

10. The Privacy Officer will notify victims of identity theft as directed by Administration after consultation with law enforcement. Use the letter regarding identity theft (Exhibit D) to notify a victim of identity theft and include the FTC Identity Theft Affidavit (Exhibit B).

11. The Office Manager will correct the medical record in accordance with Section 4(E)(i). The patient’s verification of the corrected medical record shall be documented and included as part of the case file forwarded to the Privacy Officer.

 

12. The Billing Department will correct the patient’s billing information and make all necessary payment adjustments in accordance with Section 4(E)(ii). The patient’s verification of the corrected billing record shall be documented and included as part of the case file forwarded to the Privacy Officer.

 

13. The Privacy Officer will determine whether accounting for disclosures to the identity theft suspect is required. 

14. The Office Manager will add an MPI Alert Flag of “Identity issue/ call Privacy Officer” to each MPI record affected by the identity theft event. 

15. Once the Office Manager and/or the Billing Manager verify that all demographic and insurance information is correct after the visit is transferred to the appropriate MPI record and all related documents are removed from the EMR Medical Records System and replaced with appropriately revised documents, the bill hold will be released so that appropriate billing occurs.

16. Identity theft suspect will be billed for services and litigation will be considered.

17. Either the Office Manager or Privacy Officer will update the CARDIOLOGY ASSOCIATES  Identity Theft Database with the Identity Alert Form.

18. A copy of all documentation concerning identity theft will be provided to the Privacy Officer.


 

