4709 GOLF ROAD, SUITE 1150



Polices and Practices to Protect the Privacy of Your Health Information when Receiving

Psychological Services




I. Uses and Disclosures for Treatment, Payment, and Health Care Operations

We may use or disclose your protected health information (PHI), for treatment, payment, and

health care operations purposes with your consent. To help clarify these terms, here are some


  • “PHI” refers to information in your health record that could identify you.
  • “Treatment, Payment and Health Care Operations”

– Treatment is when we provide, coordinate or manage your health care and other

services related to your health care. An example of treatment would be when we consult

with another health care provider, such as your family physician or another psychologist.

– Payment is when we obtain reimbursement for your healthcare. Examples of payment

are when we disclose your PHI to your health insurer to obtain reimbursement for your

health care or to determine eligibility or coverage.

– Health Care Operations are activities that relate to the performance and operation

of our practice. Examples of health care operations are quality assessment and

improvement activities, business-related matters such as audits and administrative

services, and case management and care coordination.

  • “Use” applies only to activities within our office such as sharing, employing, applying,

utilizing, examining, and analyzing information that identifies you.

  • “Disclosure” applies to activities outside of our office, such as releasing, transferring, or

providing access to information about you to other parties.

II. Uses and Disclosures Requiring Authorization

We may use or disclose PHI for purposes outside of treatment, payment, and health care

operations when your appropriate authorization is obtained. An “authorization” is written

permission above and beyond the general consent that permits only specific disclosures. In

those instances when we are asked for information for purposes outside of treatment, payment

and health care operations, we will obtain an authorization from you before releasing this

information. We will also need to obtain an authorization before releasing your psychotherapy

notes. “Psychotherapy notes” are notes we have made about our conversation during a private,

group, joint, or family counseling session, which we have kept separate from the rest of your

medical record. These notes are given a greater degree of protection than PHI.

You may revoke all such authorizations (of PHI or psychotherapy notes) at any time, provided

each revocation is in writing. You may not revoke an authorization to the extent that (1) we have

relied on that authorization; or (2) if the authorization was obtained as a condition of obtaining

insurance coverage, and the law provides the insurer the right to contest the claim under the


I will also obtain an authorization from you before using or disclosing: PHI in a way that is not

described in this Notice. PHI in a way that is considered a sale of PHI. We will not share any

substance abuse treatment records or information with regard to HIV status without your written


III. Uses and Disclosures with Neither Consent nor Authorization

We may use or disclose PHI without your consent or authorization in the following


  • Child Abuse: If we know, or have reasonable cause to suspect, that a child is abused,

abandoned, or neglected by a parent, legal custodian, caregiver or other person responsible

for the child’s welfare, the law requires that we report such knowledge or suspicion to the

Florida Department of Child and Family Services.

  • Adult and Domestic Abuse: If we know, or have reasonable cause to suspect, that a

vulnerable adult (disabled or elderly) has been or is being abused, neglected, or exploited,

we are required by law to immediately report such knowledge or suspicion to the Central

Abuse Hotline.

  • Health Oversight: If a complaint is filed against us with the relevant state licensing board

(e.g. the Florida Board of Psychology), that department has the authority to subpoena

confidential mental health information from us relevant to that complaint.

  • Judicial or Administrative Proceedings: If you are involved in a court proceeding and a

request is made for information about your diagnosis or treatment and the records thereof,

such information is privileged under state law, and we will not release information without

the written authorization of you or your legal representative, or a subpoena of which you

have been properly notified and you have failed to inform us that you are opposing the

subpoena or a court order. The privilege does not apply when you are being evaluated for a

third party or where the evaluation is court ordered. You will be informed in advance if this is

the case.

  • Serious Threat to Health or Safety: When you present a clear and immediate probability of

physical harm to yourself, to other individuals, or to society, we may communicate relevant

information concerning this to the potential victim, appropriate family member, or law

enforcement or other appropriate authorities.

  • Worker’s Compensation: If you file a worker’s compensation claim, we must, upon request

of your employer, the insurance carrier, an authorized qualified rehabilitation provider, or

the attorney for the employer or insurance carrier, furnish your relevant records to those


  • When the use and disclosure without your consent or authorization is allowed under other

sections of Section 164.512 of the Privacy Rule and the state’s confidentiality law. This

includes certain narrowly-defined disclosures to law enforcement agencies, to a health

oversight agency (such as HHS or a state department of health), to a coroner or medical

examiner, for public health purposes relating to disease or FDA-regulated products, or

for specialized government functions such as fitness for military duties, eligibility for VA

benefits, and national security and intelligence.

IV. Client’s Rights and Psychologist’s Duties

Client’s Rights:

  • Right to Request Restrictions –You have the right to request restrictions on certain

uses and disclosures of protected health information about you. However, we are not

required to agree to a restriction you request.

  • Right to Receive Confidential Communications by Alternative Means and at Alternative

Locations – You have the right to request and receive confidential communications of

PHI by alternative means and at alternative locations. (For example, you may not want a

family member to know that you are seeing a therapist. Upon your request, we will send

your bills to another address.)

  • Right to Inspect and Copy – You have the right to inspect or obtain a copy (or both) of

PHI in our mental health and billing records used to make decisions about you for as

long as the PHI is maintained in the record. We may deny your access to PHI under

certain circumstances, but in some cases, you may have this decision reviewed. On your

request, we will discuss with you the details of the request and denial process.

  • Right to Amend – You have the right to request an amendment of PHI for as long as the

PHI is maintained in the record. We may deny your request. On your request, we will

discuss with you the details of the amendment process.

  • Right to an Accounting of with whom we’ve shared your information – You generally

have the right to receive an accounting of disclosures of PHI regarding you. On your

request, we will discuss with you the details of the accounting process.

  • Right to a Paper Copy – You have the right to obtain a paper copy of the notice from us

upon request, even if you have agreed to receive the notice electronically.

  • Right to Restrict Disclosures When You Have Paid for Your Care Out-of-Pocket. You

have the right to restrict certain disclosures of PHI to a health plan when you pay out-ofpocket in full for my services.

  • Right to Be Notified if There is a Breach of Your Unsecured PHI. You have a right to be

notified if: (a) there is a breach (a use or disclosure of your PHI in violation of the HIPAA

Privacy Rule) involving your PHI; (b) that PHI has not been encrypted to government

standards; and (c) my risk assessment fails to determine that there is a low probability

that your PHI has been compromised.

  • Right to Choose Someone to Act for You. If you have given someone medical power of

attorney or if someone is your legal guardian, that person can exercise your rights and

make decisions for you. We will be sure this person has authority before we take any


Psychologist’s Duties:

  • We are required by law to maintain the privacy of PHI and to provide you with a notice of our

legal duties and privacy practices with respect to PHI.

  • We reserve the right to change the privacy policies and practices described in this notice.

Unless we notify you of such changes, however, we are required to abide by the terms

currently in effect.

  • If we revise our policies and procedures, you will be notified about those changes in your

next office visit, by telephone communication, or by mail.

V. Complaints

If you are concerned that we have violated your privacy rights, or you disagree with a decision

we made about access to your records, you may contact our Privacy Officer, Dr. Rachel Riley

Fancher, PsyD at 312-854-9764.

You may also send a written complaint to the Secretary of the U.S. Department of Health and

Human Services 200 Independence Ave, S.W., Washington, D.C. 20201 or 1-877-696-6775.

We will not retaliate against you if a complaint is made.

VI. Breach Notification Addendum to Policies & Procedures

1.When the Practice becomes aware of or suspects a breach, as defined in Section 1 of the

breach notification Overview, the Practice will conduct a Risk Assessment, as outlined

in Section 2.A of the Overview. The Practice will keep a written record of that Risk


2. Unless the Practice determines that there is a low probability that PHI has been

compromised, the Practice will give notice of the breach as described in Sections 2.B

and 2.C of the breach notification overview.

3. The risk assessment can be done by a business associate if it was involved in the breach.

While the business associate will conduct a risk assessment of a breach of PHI in its

control, the Practice will provide any required notice to patients and HHS.

4. After any breach, particularly one that requires notice, the Practice will re-assess its privacy

and security practices to determine what changes should be made to prevent the reoccurrence of such breaches.

VII. Effective Date, Restrictions and Changes to Privacy Policy

This notice will go into effect on July 1, 2011.

Revised August 20, 2013.

Please reach out with any questions.

Back to Top