OMS LLC d/b/a Walgreens Optical is committed to protecting the privacy and security of all private health information created or received in relation to our patients. This Notice covers the privacy practices of OMS LLC d/b/a Walgreens Optical.
This Notice of Privacy Practices describes how protected health information may be used or disclosed by OMS LLC d/b/a Walgreens Optical to carry out treatment, payment and health care operations, and for other purposes that are permitted or required by law. This Notice also sets out our legal obligations concerning your protected health information, and describes your rights to access and control your protected health information.
This Notice of Privacy Practices has been drafted to be consistent with what is known as the "HIPAA Privacy Rule," and any of the terms not defined in this Notice should have the same meaning as they have in the HIPAA Privacy Rule.
This Notice of Privacy Practices is revised from time to time. The effective date of this most current notice is December 1, 2016. This revised notice supersedes all previous notices.
Under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), health care providers called covered entities must take steps to protect the privacy of your "protected health information." Protected health information (or "PHI") is individually identifiable health information, including demographic information, collected from you or created or received by a health care provider that relates to: (1) your past, present, or future physical or mental health or condition; (2) the provision of health care to you; or (3) the past, present, or future payment for the provision of health care to you. We are obligated to provide you with a copy of this Notice of our legal duties and of our privacy practices with respect to PHI, and we must abide by the terms of this Notice. We reserve the right to change the provisions of our Notice and make the new provisions effective for all PHI that we maintain. We will post a copy of our current notice at our office that will contain the applicable effective date.
PRIMARY USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION
The following is a description of how we are most likely to use and/or disclose your PHI.
Treatment. We may use or disclose your PHI for your treatment and to provide you with treatment-related health care services. For example, we may disclose your PHI to health care providers, technicians, and other personnel who are involved in your medical care and need the information to provide you with medical care.
Payment. We may use or disclose your PHI so that we may bill and receive payment from you, an insurance company or a third party for the treatment and services you received. For example, we may disclose PHI to your health plan so that the plan will pay for your treatment.
Health Care Operations. We may use or disclose your PHI for health care operations. These functions include, but are not limited to: quality assessment and improvement, business planning, and business development. For example, we may use or disclose your PHI to respond to an inquiry from you or in connection with fraud and abuse detection and compliance programs.
Appointment Reminders. We may use and disclose your PHI to contact you and remind you that you have an appointment with us.
Business Associates. We may contract with individuals and entities (called Business Associates) to perform various functions on our behalf or to provide certain types of services. We require the Business Associates to agree in writing to contract terms designed to appropriately safeguard your information. For example, we may disclose your PHI to the personnel of a management company that assists us with handling our daily operations, such as billing.
Other Covered Entities. We may use or disclose your PHI to assist health care providers in connection with their treatment or payment activities, or to assist other covered entities in connection with payment activities and certain health care operations. For example, we may disclose your PHI to a health care provider when needed by the provider to render treatment to you, and we may disclose PHI to another covered entity to conduct health care operations in the areas of quality assurance and improvement activities, or accreditation, certification, licensing or credentialing.
Security Breaches. We may use or disclose your PHI when determining whether a security breach has occurred. We may also use or disclose your PHI in responding to a breach, as required under the HIPAA Breach Notification Rules. For example, if an unauthorized individual accesses our computer network, we would investigate the incident to determine the extent of the breach and if PHI had been accessed, used or disclosed in violation of the HIPAA Privacy Rule. If a breach for purposes of HIPAA has occurred, you have a legal right to be notified of the breach. Therefore, we would notify you of any HIPAA breach affecting your PHI. We are also required to notify the U.S. Department of Health and Human Services and the media (in some cases) of the breach but your PHI will not be disclosed when such entities are notified of the breach.
POTENTIAL IMPACT OF STATE LAW
The HIPAA Privacy Regulations generally do not "preempt" (or take precedence over) state privacy or other applicable laws that provide individuals greater privacy protections. As a result, to the extent state law applies, the privacy laws of a particular state, or other federal laws, rather than the HIPAA Privacy Regulations, might impose a more stringent privacy standard under which we will be required to operate. For example, where such laws have been enacted, we will follow more stringent state privacy laws that relate to uses and disclosures of PHI concerning HIV or AIDS, mental health, substance abuse/chemical dependency, genetic testing, reproductive rights, etc.
OTHER POSSIBLE USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION
The following is a description of other possible ways in which we may, and are permitted to, use and/or disclose your PHI.
Required by Law. We may use or disclose your PHI to the extent required to do so by federal, state or local law. For example, we may disclose your PHI when required by national security laws or public health disclosure laws.
Public Health Activities. We may use or disclose your PHI for public health activities that are permitted or required by law. For example, we may use or disclose information for the purpose of preventing or controlling disease, injury, or disability, or we may disclose such information to a public health authority authorized to receive reports of child abuse or neglect. We also may disclose PHI, if directed by a public health authority, to a foreign government agency that is collaborating with the public health authority.
Health Oversight Activities. We may disclose your PHI to a health oversight agency for activities authorized by law, such as: audits; investigations; inspections; licensure or disciplinary actions; or civil, administrative, or criminal proceedings or actions. Oversight agencies seeking this information include government agencies that oversee: (1) the health care system; (2) government benefit programs; (3) other government regulatory programs; and (4) compliance with civil rights laws.
Abuse or Neglect. We may disclose your PHI to a government authority that is authorized by law to receive reports of abuse, neglect, or domestic violence. Additionally, as required by law, we may disclose your PHI to a governmental entity authorized to receive such information if we believe that you have been a victim of abuse, neglect, or domestic violence.
Legal Proceedings. We may disclose your PHI: (1) in the course of any judicial or administrative proceeding; (2) in response to an order of a court or administrative tribunal (to the extent such disclosure is expressly authorized); and (3) in response to a subpoena, a discovery request, or other lawful process, once we have met all administrative requirements of the HIPAA Privacy Rule. For example, we may disclose your PHI in response to a court order for such information, but limited to the minimum amount of PHI necessary to comply with the terms of the order.
Law Enforcement. Under certain conditions, we also may disclose your PHI to law enforcement officials. For example, some of the reasons for such a disclosure may include: (1) it is required by law or some other legal process; (2) it is necessary to locate or identify a suspect, fugitive, material witness, or missing person; or (3) it is necessary to provide evidence of a crime that occurred on our premises.
Coroners, Medical Examiners, Funeral Directors, and Organ Donation. We may disclose PHI to a coroner or medical examiner for purposes of identifying a deceased person, determining a cause of death, or for the coroner or medical examiner to perform other duties authorized by law. We also may disclose, as authorized by law, information to funeral directors so that they may carry out their duties. Further, we may disclose PHI to organizations that handle organ, eye, or tissue donation and transplantation.
Research. We may disclose your PHI to researchers when an institutional review board or privacy board has: (1) reviewed the research proposal and established protocols to ensure the privacy of the information; and (2) approved the research. For example, a research project may involve comparing the health of patient who received one treatment to those who received another for the same condition.
To Prevent a Serious Threat to Health or Safety. Consistent with applicable federal and state laws, we may disclose your PHI if we believe that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. We also may disclose PHI if it is necessary for law enforcement authorities to identify or apprehend an individual.
Military Activity and National Security, Protective Services. Under certain conditions, we may disclose your PHI if you are, or were, Armed Forces personnel for activities deemed necessary by appropriate military command authorities. If you are a member of foreign military service, we may disclose, in certain circumstances, your information to the foreign military authority. We also may disclose your PHI to authorized federal officials for conducting national security and intelligence activities, and for the protection of the President, other authorized persons, or heads of state.
Workers' Compensation. We may disclose your PHI to comply with Workers' Compensation laws and other similar programs that provide benefits for work-related injuries or illnesses.
Inmates or Individuals in Custody. If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release PHI to the correctional institution or law enforcement official, as permitted by HIPAA.
Others Involved in Your Health Care. Using our best judgment, we may make your PHI known to a family member, other relative, close personal friend or other person you identify. Such a use will be based on how involved the person is in your care, or payment that relates to your care. We may release information to parents, guardians, and other personal representatives if allowed by law. Even if you designate a personal representative, the HIPAA Privacy Rule permits us to elect not to treat the person as your personal representative if we have a reasonable belief that: (1) you have been, or may be, subjected to domestic violence, abuse, or neglect by such person; (2) treating such person as your personal representative could endanger you; or (3) we determine, in the exercise of our professional judgment, that it is not in your best interest to treat the person as your personal representative. We also may disclose your information to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status, and location.
Marketing Activities and Fundraising. The HIPAA Privacy Rule requires an authorization for most uses and disclosures relating to (i) marketing activities, (ii) the sale of PHI and (iii) psychotherapy notes. In accordance with the HIPAA Privacy Rule requirements, we will not use or disclose your PHI for these purposes without obtaining your specific authorization except as specifically allowed by HIPAA. We may use and disclose PHI to tell you about treatment alternatives or health-related services that may be of interest to you without your authorization. We will not, however, send you communications about products or services that are subsidized by a third party without your authorization. We may inform you about products or services during face-to-face communications with you without your authorization, including providing related written materials to you. We may also provide you with promotional gifts of nominal value without your authorization that may encourage you to purchase or use a product or service. PHI may be used for fundraising communications but you have the right to opt-out of receiving such communications.
REQUIRED DISCLOSURES OF YOUR PROTECTED HEALTH INFORMATION
The following is a description of disclosures that we are required by law to make.
Disclosures to the Secretary of the U.S. Department of Health and Human Services. We are required to disclose your PHI to the Secretary of the U.S. Department of Health and Human Services when the Secretary is investigating or determining our compliance with the HIPAA Privacy Rule.
Disclosures to You. We are required to disclose to you most of your PHI in a "designated record set" when you request access to this information. Generally, a "designated record set" contains medical and billing records, as well as other records that are used to make decisions about your health care.
Other Uses and Disclosures of Your PHI. Other uses and disclosures of your PHI that are not described above in this Notice will be made only with your written authorization. If you provide us with such an authorization, you may revoke the authorization in writing, and this revocation will be effective for future uses and disclosures of PHI. However, the revocation will not be effective for information that we already have used or disclosed, relying on the authorization.
The following is a description of your rights with respect to your PHI.
Right to Request a Restriction. You have the right to request a restriction or limitation on the PHI we use for purposes of treatment, payment and health care operations. You also have the right to limit disclosures made to family members, friends or other individuals who are involved with your care or payment for your care. For example, you could request that we not disclose information about a treatment you are receiving to a family member who is caring for you. We are not required to agree to all such requests. If we do agree to the restriction, we will comply with the restriction unless the information is needed to provide emergency treatment to you. If you pay for services yourself (e.g., out-of-pocket and without any third party contribution or billing), we will not disclose your PHI to a health plan if you instruct us not to do so. You must make your request, in writing, to our office.
Right to Request Confidential Communications. You may request that we communicate with you regarding your information in an alternative manner or at an alternative location. For example, you may ask that we only contact you at your work address or via e-mail. You must make your request, in writing, to our office. We will accommodate all reasonable requests. If you terminate your request for confidential communications, the restriction will be removed for all of your PHI that we hold, including PHI that was previously protected.
Right to Inspect and Copy. You have the right to inspect and copy your PHI that is contained in a "designated record set." Generally, a "designated record set" contains medical and billing records, as well as other records that are used to make decisions about your health care. You may specify whether you would like a hard copy or electronic copy of your PHI. We will provide you with the form and format of PHI that you specify, to the extent it is readily producible. If it is not readily producible in that form or format, we will work with you to come up with an acceptable alternative. You may also request that we transmit a copy of your PHI directly to another person as long as you make this request in writing, sign the request and clearly identify the designated person and where to send the copy of your PHI. We may charge a reasonable, cost-based fee for labor, supplies, postage and the preparation of any summary that your request in connection with providing you or your designee with the information.
You must make your request, in writing, to our office. We may deny your request to inspect and copy your PHI in certain limited circumstances. If you are denied access to your information, you may request that the denial be reviewed. To request a review, you must contact us at the number/address provided in this Notice. A licensed health care professional chosen by us will review your request and the denial. The person performing this review will not be the same one who denied your initial request. Under certain conditions, our denial will not be able to be reviewed. If this event occurs, we will inform you in our denial that the decision is not able to be reviewed.
Right to Amend. If you believe that your PHI is incorrect or incomplete, you may request that we amend the information. You must make your request, in writing, to our office. In certain cases, we may deny your request for an amendment. For example, we may deny your request if the information you want to amend was not created by us, but by another entity. If we deny your request, you have the right to file a statement of disagreement with us. Your statement of disagreement will be linked with the disputed information and all future disclosures of the disputed information will include your statement.
Right of an Accounting. You have a right to an accounting of certain disclosures of your PHI that are for reasons other than treatment, payment, or health care operations or for which you provided a signed authorization. There also are other exceptions to this right. An accounting will include the date(s) of the disclosure, to whom we made the disclosure, a brief description of the information disclosed, and the purpose for the disclosure.
You must make your request, in writing, to our office. Your request may be for disclosures made up to six (6) years before the date of your request. The first list you request within a 12-month period will be free. For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at the time before any costs are incurred.
Right to a Paper Copy of This Notice. You have the right to a paper copy of this Notice, even if you have agreed to accept this Notice electronically. To receive a paper copy, contact Ed Barnwell, OMS LLC d/b/a Walgreens Optical, 1608 S. Ashland Ave. #85400, Chicago, IL 60608-2013, 872 222-9003.
You may file a complaint in writing to us if you believe that we have violated your privacy rights. You may file a complaint with us by contacting:
OMS LLC d/b/a Walgreens Optical
1608 S. Ashland Ave. #85400
Chicago, IL 60608-2013
You also may file a complaint with the Secretary of the U.S. Department of Health and Human Services. We will not penalize or in any other way retaliate against you for filing a complaint with the Secretary or with us.