Cornerstone Medical Group Privacy Policy

Cornerstone Medical Group complies with the Health Insurance Portability and Accountability Act of 1996 and Department of Health and Human Services rules that are designed to preserve the privacy of identifiable patient information.

Cornerstone Medical Group is permitted to use or disclose protected health information (“PHI”) if the disclosure is made to the patient themselves; to a patient’s personal representative; to a deceased person’s personal representative or family, provided Cornerstone Medical Group had not obtained an objection to sharing his or her PHI and the PHI disclosed pertains to the individual’s involvement in the deceased’s care or payment for services rendered; to a school, if the PHI disclosed is related to a patient’s proof of immunization, if required by state or other law for school admittance, and the authorization to disclose such records is documented; pursuant to a valid HIPAA authorization form (see Authorization for Use and Disclosure of PHI form); to a business associate, vendor or subcontractor in accordance with an applicable Business Associate Agreement; to the Department of Health and Human Services or the State Department of Health for compliance reviews, investigations, or as otherwise required by law; and to a recipient with which Cornerstone Medical Group has entered into a data use agreement that meets the requirements of HIPAA regulations.

Cornerstone Medical Group must have authorization from individuals before using or disclosing protected health information (PHI) for a purpose not otherwise permitted or required by this rule. Specifically, except for psychotherapy notes, Cornerstone Medical Group is not required to obtain the authorization of the patient (or of an individual acting as the patient’s legal representative) to use or disclose PHI to carry out treatment, payment, and health care operations.

PHI may be used or disclosed to an authorized public or private disaster relief agency for the purpose of helping such entity notify a patient’s family member, personal representative, or another person responsible for the patient’s care, of the individual’s location, general condition, or death.

The HIPAA rule does not require Cornerstone Medical Group to obtain the individual’s authorization for uses and disclosures of PHI that require an opportunity for the individual to agree or to object (e.g., hospital and facility patient directories and information for clergy), for uses and disclosures for which consent, an authorization, or an opportunity to agree or to object is not required, for disclosures to the individual, or for required disclosures to the Secretary of the Department of Health and Human Services.

There is an exception to the above. If a health plan requests disclosure of a patient’s PHI for purposes of carrying out payment or health care operations (not treatment), and the patient has paid for the health care item or service out-of-pocket in full, and the disclosure is not otherwise required by law, then Cornerstone Medical Group may not disclose the PHI. However, the patient’s request for such restriction will only be applicable to that particular service. The patient will have to request a restriction for each service thereafter.

Cornerstone Medical Group is bound to comply with statements provided on the authorization form. Uses or disclosures by Cornerstone Medical Group for purposes not specified in the authorization are violations of the HIPAA law. Cornerstone Medical Group must comply with the requirements of HIPAA with respect to the PHI of a deceased individual for a period of 50 years following the death of the individual.