Notice of Privacy Practices

THIS NOTICE APPLIES TO CORNERSTONE MEDICAL GROUP, LLC AND CORNERSTONE MEDICAL MANAGEMENT, INC.

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU WILL BE USED AND DISCLOSED AND WHO YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW THIS NOTICE CAREFULLY.

Cornerstone Medical Group and Cornerstone Medical Management, collectively referred to as Cornerstone, understand that your medical information is personal. We are committed to protecting your privacy.

Cornerstone is required by law to protect the privacy of health information that may reveal your identity, and to provide you with a copy of this notice which describes the health information privacy practices of our hospital and our affiliated health care providers. This notice will tell you about the ways in which we may use and disclose health information about you or your child. We also describe your rights and our duties regarding the use and disclosure of health information.

HOW WE MAY USE AND DISCLOSE YOUR PROTECTED HEALTH INFORMATION

Cornerstone has the right to use and disclose health information for your treatment, to pay for your health care and to operate our business. Not every use or disclosure in each category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one of the categories.

For Treatment: We may use or disclose health information to aid in your treatment or the coordination of your care. For example, we may disclose information to your doctors, nurses, technicians, medical students, or other health care personnel who care for you at a hospital or other outside provider or healthcare location. We may also disclose medical information about you to people (family members, friends, clergy, home health or other support agencies) involved in maintaining your health or well-being to ensure that everyone caring for you has the information they need.

For Payment: We may use and disclose your health information for purposes of billing for treatment and services you received and collecting payment from you, an insurance company or a third party. For example, we may tell your health insurer about a treatment you are going to receive in order to get prior approval or to verify if your plan will cover the treatment. We may also give information to someone who helps pay for your care.

For Health Care Operations: We may use and disclose your health information for health care operations. For example, we may use and disclose your information for assessing the quality of care and outcomes in your cases and similar cases, identify risk, ensure completeness and accuracy of medical records, and perform continuous improvement to our facilities and services. Some of the information is shared with outside parties who perform these health care operations or other services on behalf of Cornerstone. We refer to these parties as “business associates” and they must also take steps to keep your health information private. Also, if the ownership of Cornerstone or any affiliates changes as a result of business mergers and acquisitions, your medical information may be disclosed to the new entity.

Cornerstone may use and disclose health information to contact you:

  • At the address, email and telephone numbers you provide to us about scheduled or cancelled appointments, registration or updates to your insurance, pre-procedure requirements, test results, billing and/or payment matters. We may leave messages on your phone.
  • With information about patient care issues, pharmacy concerns, treatment choices, screening reminders, and follow up care instructions.
  • With health-related information on new services and/or products that may be of interest to you.
  • At an e-mail address or mail address to assist us in activities such as conducting patient satisfaction surveys.

Other Examples of Health Care Operations:

  • Public Health Activities. Your health information may be disclosed to avoid serious threat to the health or safety of you or any other person as determined by law. When requested, we may make disclosure for public health activities:
      • To report births and deaths;
      • To report abuse and/or neglect of a child, disabled person or elderly person; or domestic violence;
      • To report to agencies such as cancer registries and/or the Food and Drug Administration;
      • To prevent or control disease, injury or disability;
      • To notify people of recalls of products they may be using;
      • To promote proper use of medication(s); or
      • To notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition.
  • Disclosure to Family, Friends, or Others. Cornerstone may share relevant information about you with a family member, partner, or other person close to you if they are involved in your care or payment for your care. Some examples are:
      • Notify a family member or other person responsible for you of your location, general medical condition, or death.
      • If you are in an emergency situation and not able to make your wishes known, we will use our best judgment to decide whether to share information if it is thought to be in your best interest.
      • In the event of a disaster or public emergency, Cornerstone will use or share your health information with a public or private agency assisting in disaster relief. We may share information to coordinate efforts to notify someone on your behalf.
  • School Immunization.
  • Research. We may disclose health information to researchers when the research has been approved by an institutional review board that has reviewed the research proposal and established protocols to ensure the privacy of your health information. You may be contacted about research studies that might interest you.
  • Organ and Tissue Donation. If you are a potential organ donor, we may release medical information to organ procurement organizations or the eye or tissue banks, as necessary, to facilitate organ or tissue donation and transplantation.
  • Law Enforcement. Cornerstone may use and disclose health information about you as required by law. For example, we may disclose information for the following purposes:
    • To report information related to victims of abuse, neglect, or domestic violence; and
    • To assist law enforcement officials in their law enforcement duties.

To the extent that we have your substance use disorder patient records, subject to 42 CFR part 2, we will not share that information for investigations or legal proceedings against you without (1) your written consent or (2) a court order and a subpoena.

  • Worker’s Compensation. Cornerstone may use and disclose health information for worker’s compensation or similar programs. These programs provide benefits for work-related injuries or illness and have specific laws and regulations to coordinate.
  • Medical Examiners, Coroners and Funeral Directors. Health Information may be disclosed to a medical examiner or coroner in an effort to identify a deceased individual, or determine the cause of death. Health information may also be disclosed to funeral directors to enable them to carry out their duties.
  • Military and Veteran. If you are a member of the armed forces, we may release your medical information as required by law. We may also release medical information about foreign military personnel to the appropriate foreign military authority as required by law.

USES AND DISCLOSURES OF YOUR PROTECTED HEALTH INFORMATION THAT REQUIRE YOUR WRITTEN PERMISSION (AUTHORIZATION)

Using or disclosing your health information for purposes other than treatment, payment and operations requires your specific approval called “authorization.” In addition, certain information in your medical record is considered by state and/or federal law to be highly confidential. For example, HIV testing or test results, certain clinical psychotherapy documentation, and certain genetic information receives additional protection from disclosures, and at times, requires your authorization before further disclosure to third parties for treatment, payment or health care operations.

How else can we use or share your health information?

We are allowed or required to share your information in other ways – usually in ways that contribute to the public good, such as public health and research. We have to meet many conditions in the law before we can share your information for these purposes.

In all cases, including those listed below, if we have substance use disorder patient records about you that are subject to 42 CFR part 2, we cannot use or disclose such in civil, criminal, administrative, or legislative investigations or proceedings against you without (1) your consent or (2) a court order and a subpoena.

Health Information Exchange:

We may participate in Health Information Exchange (HIE) such as Epic Care Everywhere and Massachusetts Health Information HIway which enables the electronic movement of health-related information among diverse organizations such as physicians’ offices, hospitals, pharmacies, nursing facilities, and insurance companies. Patient participation is intended to enhance coordination of care among multiple providers and may avoid the need for you to undergo duplicate tests. The information provided to an HIE includes both your medical and demographic information. Participation is optional and in some instances we may be required to obtain your written authorization prior to disclosing any of your health information to an HIE.

You may opt out of participation in an HIE, except to the extent that the providers have already acted upon your previously provided authorization.

YOUR RIGHTS WITH RESPECT TO YOUR HEALTH INFORMATION AND HOW TO EXERCISE THEM

Although your health record is the physical property of the healthcare practitioner or facility that compiled it, you have the right to:

Request Limits on the Use and Sharing of Your Health Information. You have the right to ask for certain restrictions on the use and sharing of your health information for treatment, payment or health care operations. To request restrictions, you must make your request in writing and it must include details of exactly what information you want to limit; whether you want to limit our use, disclosure or both; and what information is affected by the limits you select.

Cornerstone is not required to agree to your request unless the following conditions are met: If you pay for a health care product or service in full (out-of-pocket), you may request that we not share health information pertaining only to the product or service with your health insurance plan for purposes of carrying out payment or health care operations (and is not for purposes of carrying out treatment).

If we agree to your request, we must put the restriction in writing to you and abide by it except if you need to be treated in an emergency. You may not ask us to restrict uses and sharing of health information that we are legally required to make.

Request Confidential Communications. You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you may request that we contact you only at work. To request confidential communications, you must make your request in writing to the practice manager listed at the beginning. We will not ask you the reason for the request and we will agree to the request to the extent that it is reasonable for us to do. Your request must tell us how and where you wish to be contracted.

Inspect and Obtain a Copy. You have the right to look at and get a paper or electronic copy of your health information and/or bills. You may also request your test results directly from the lab(s) where your tests were done. To inspect and copy medical information that may be used to make decisions about you, you must submit your request in writing to the practice manager. If you request copies of your information, there may be a charge applied for the costs associated with your request. We will respond to your requests within thirty (30) days from receipt of your request. If necessary, we may ask for an extension of thirty (30) days by providing a written notification to you with the reason for the delay and expected date to fulfill your request. If your request is denied, we will explain the reason for the denial in writing and explain any additional right for appeal.

Change or Amend your Health Information. You have the right to ask us to change your health information related to your treatment and bills if you think that there has been a mistake or that there is information missing. You must make your request in writing to the practice manager and give the reason for why you want the change. We have 60 days to respond to your request. If we deny your requests, we must give you a written statement with the reasons for the denial and explain any additional rights for appeal. If we grant your request, we will ask you to tell us the persons you want to receive the changes. You must agree to have us notify them along with any others who received the information before corrections were made, and who may have relied on the incorrect information to give you treatment.

Receive an Accounting of Disclosures (Record of when your health information was shared without your written authorization). You have the right to get a record of the times that your health information has been shared outside the sharing for the purposes of treatment, payment, and operations or disclosures you previously authorized. You must make this request in writing to the practice manager. You may request this listing as far back as six (6) years. We have sixty (60) days to respond to your request. Your first request for an accounting of disclosures in any 12-month period is free. For additional lists, we may charge you the cost of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred.

Choose Someone to Act for You. You have the right to choose a person to act on your behalf. If you have given someone medical power of attorney or if someone is your legal guardian or designated representative, that person can exercise your rights and make choices about your health information. 

Ask for a Printed Copy of the Notice. You have the right to receive a paper copy of this Notice.

OUR DUTY WITH RESPECT TO YOUR HEALTH INFORMATION

Cornerstone is required by law to keep your health information private. Cornerstone will notify you in the event of a breach of your health information. We are required to give people notice of our legal duties and privacy practices with respect to your health information. Cornerstone must abide by the terms of the Notice currently in effect. Cornerstone reserves the right to make the new Notice provisions effective for all protected health information that it maintains. If we do update the Notice, the new Notice will be posted on all Cornerstone entity websites and in all registration areas for public viewing.  

Records Management. Cornerstone is required to comply with state law and maintain your medical records in accordance with applicable state and federal regulations. A copy of the Medical Record Retention Policy can be requested at the contact numbers below.

HOW TO FILE A COMPLAINT (WHEN YOU BELIEVE YOUR PRIVACY RIGHTS HAVE BEEN VIOLATED)

If you think that Cornerstone may have violated your privacy rights or you disagree with any action we have taken with regard to your health information, we want you and/or your representative to speak with us. If you present a complaint, your care will not be affected in any way.

You may file a complaint by sending a written complaint to:

U.S. Department of Health and Human Services

J.F.K. Federal Building

Room 1875

Boston, MA 02203

Phone: 617-565-1340

Email: OCRComplaint@hhs.gov

PRIVACY OFFICER: JENNIFER RICHLIN

E-MAIL: jrichlin@cornerstonemedicalgroup.com PHONE: (617) 731-6334

Cornerstone will take no retaliatory action against you if you file a complaint about our privacy practices.