HIPAA Notice of Privacy

Means Lauf Super Drug
Effective May 18, 2015
If you have any questions about this Notice please contact our Privacy Officer, Angela Schuckers, at 155 Main Street, Brookville, PA 15825-1281, Phone: 814-849-7504.
This Notice describes how our practice and our health care professionals, employees, volunteers, trainees and staff may create, receive, maintain and transmit your medical information to carry out treatment, payment or health care operations and for other purposes that are described in this Notice. We understand that medical information about you and your health, called “Protected Health Information”, or “PHI,” is personal and we are committed to protecting medical information about you. This Notice applies to all records of your care generated by this practice.
This Notice also describes your right to access and control of your information. This information about you includes demographic information that may identify you and that relates to your past, present and future physical or mental health or condition and related health care services. Typically, PHI will include symptoms, examination and test results, diagnoses, treatment and a plan for future care or treatment. In some cases, federal or state laws may provide privacy protections to PHI that are more strict than those described in this Notice. In those cases, we will comply with the stricter law. For example, federal and state laws may provide privacy protections to PHI related to mental health, HIV/AIDS, reproductive health or chemical dependency that are more strict.
We are required by law to protect the privacy of your PHI and to follow the terms of this Notice. We may change the terms of this Notice at any time. The new Notice will then be effective for all PHI that we maintain at that time and thereafter. We will provide you with any revised Notice if you request a revised copy be sent to you in the mail or if you ask for one when you are in the facility.
I. Uses and Disclosures of Protected Health Information.

Your PHI may be used and disclosed for purposes of treatment, payment and health care operations. With the exception of uses or disclosures for treatment purposes, we will limit uses and disclosures of your PHI to the minimum necessary to achieve the permitted purpose of the use or disclosure. The following are examples of different ways we use and disclose medical information. These are examples only.
(a) Treatment: • We may use and disclose your PHI to provide, coordinate, or manage your medical treatment or any related services. This includes the coordination or management of your health care with a third party that has already obtained your permission to have access to your medical information. For example, we could disclose your PHI to a home health agency that provides care to you. We may also disclose PHI to other physicians who may be treating you, such as a physician to whom you have been referred to ensure that the physician has the necessary information to diagnose or treat you. In addition, we may disclose your PHI to another physician or health care provider, such as a laboratory.

(b) Payment: • We may use and disclose your PHI to obtain payment for the treatment and services you receive from us. For example, we may need to provide your health insurance plan information about your treatment plan so that they can make a determination of eligibility or to obtain prior approval for planned treatment. We may also need to obtain approval for a hospital stay which may require that relevant medical information be disclosed to the health plan to obtain approval for the hospital admission.

(c) Healthcare Operations: • We may use or disclose your PHI in order to support the business activities of our practice. These activities include, but are not limited to, reviewing our treatment of you, employee performance reviews, training of medical students, licensing, marketing and fundraising activities and conducting or arranging for other business activities.
• For example, we may use a sign-in sheet at the registration desk where you will be asked to sign your name and indicate your physician. We may also call you by name in the waiting room when your physician is ready to see you. We may use or disclose your medical information to remind you of your next appointment.
• We may share your PHI with third party "business associates" that perform activities on our behalf, such as billing or transcription for the practice. Whenever an arrangement between our facility and a business associate involves the use or disclosure of your medical information, we will have a written contract that contains terms that requires the business associate to protect the privacy of your PHI, and we will limit the disclosures to the minimum necessary amount of PHI to achieve the permitted purpose of the disclosure.

RJH Form F0210 (11/17/2008 – Rev. 07/2013) Page 2
• We may use or disclose your PHI to provide you with information about treatment alternatives or other health-related benefits and services that may be of interest to you. We may also use and disclose your PHI for other marketing activities. For example, your name and address may be used to send you a newsletter about our practice and the services we offer. We may also send you information about products or services that we believe may be beneficial to you. You may contact our Privacy Officer to request that these materials not be sent to you.
• We may use or disclose your demographic information and the dates that you received treatment from your physician, as necessary, in order to contact you for fundraising activities supported by our facility. If you do not want to receive these materials, please contact our Privacy Officer to request that these fundraising materials not be sent to you.
(d) Health Information Exchange: • Means Lauf Super Drug, along with certain other health care providers and practice groups in the area, participate in health information exchanges ("Exchange"). The Exchange facilitates electronic sharing and exchange of medical and other individually identifiable health information regarding patients among health care providers that participate in the Exchange. Through the Exchange we may electronically disclose demographic, medical, billing and other health-related information about you to other health care providers that participate in the Exchange and request such information for purposes of facilitating or providing treatment, arrangement for payment for health care services or otherwise conducting or administering their health care operations.

II. Other Permitted and Required Uses and Disclosures That May Be Made With Your Consent, Authorization or Opportunity to Object.

We may use and disclose your PHI in the following instances. You have the opportunity to agree or object to the use or disclosure of all or part of your medical information. If you are not present or able to agree or object to the use or disclosure of the medical information, then your physician may, using professional judgment, determine whether the disclosure is in your best interest. In this case, only the medical information that is relevant to your health care will be disclosed.
(a) Others Involved in Your Healthcare:
• Unless you object, we may disclose to a member of your family, a relative or close friend your PHI that directly relates to that person's involvement in your health care. If you are unable to agree or object to such a disclosure, we may disclose such information if we determine that it is in your best interest based on our professional judgment. We may use or disclose your information to notify or assist in notifying a family member or any other person that is responsible for your care at your location, general condition or death. Finally, we may use or disclose your PHI to an entity assisting in disaster relief efforts and to coordinate uses and disclosures to family or other individuals involved in your health care.
(b) Emergencies:
• We may use or disclose your PHI for emergency treatment. If this happens, we shall try to obtain your consent as soon as reasonable after the delivery of treatment. If the practice is required by law to treat you and has attempted to obtain your consent but is unable to do so, the practice may still use or disclose your medical information to treat you.
(c) Communication Barriers:
• We may use and disclose your information if the practice attempts to obtain consent from you but is unable to do so due to substantial communication barriers and, in our professional judgment, you intended to consent to use or disclosure under the circumstances.
III. Other Permitted and Required Uses and Disclosures That May Be Made Without Your Consent, Authorization or Opportunity to Object:

We may use or disclose your PHI in the following situations without your consent or authorization. These situations include:
(a) Required By Law:
• We may use or disclose your PHI when federal, state or local law requires disclosure. You will be notified of any such uses or disclosure.
(b) Public Health:
• We may disclose your PHI for public health activities and purposes to a public health authority that is permitted by law to collect or receive the information. This disclosure will be made for the purpose of controlling disease, injury or disability.
(c) Communicable Diseases:
• We may disclose your PHI, if authorized by law, to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading the disease or condition.
(d) Health Oversight:
• We may disclose your PHI to a health oversight agency for activities authorized by law, such as audits, investigations, inspections and licensure. These activities are necessary for the government agencies to oversee the health care system, government benefit programs, other government regulatory programs and civil rights laws.
(e) Abuse or Neglect:
• We may disclose your PHI to a public health authority that is authorized by law to receive reports of child abuse or neglect. In addition, we may disclose your medical information to the governmental entity authorized to receive such

RJH Form F0210 (11/17/2008 – Rev. 07/2013) Page 3
information ifwe believe thatyou have been a victimofabuse,neglectordomesticviolence asisconsistentwith therequirementsofapplicable federal and state laws.
(f)Food and Drug Administration:
•We may disclose yourPHI toaperson or companyrequired by the Food and Drug Administration to reportadverseevents, productdefects or problems, biologic product deviations,track products,to enableproduct recalls,to makerepairs or replacements,or toconductpost marketing surveillance, as required.
(g)Legal Proceedings:
•We may disclose your PHI in the course of any judicial or administrative proceeding,when required by a courtorder oradministrative tribunal,andin certain conditionsin responseto a subpoena,discoveryrequestorotherlawfulprocess.
(h)Law Enforcement:
•Wemay disclose yourPHI,aslong asapplicable legalrequirementsare met,forlawenforcementpurposes.These law enforcement purposes include:(i) responding to a court order, subpoena,warrant, summons or otherwise requiredbylaw;(ii)identifying orlocating a suspect,fugitive,materialwitnessormissing person;(iii)pertaining to victimsofa crime; (iv)suspecting that death has occurred as a resultof criminal conduct; (v) in the event that a crime occurs onthe premisesofthe practice;and (vi)responding to a medicalemergency(noton the Practice'spremises)and itislikelythat a crime has occurred.
(i)Coroners, Funeral Directors, and Organ Donors:
•Wemay disclose your PHIto a coroner ormedicalexaminer for identification purposes,determining cause of death orforthe coroner or medicalexaminer to perform other duties authorized by law.We mayalso disclose PHIto funeraldirectors asnecessary to carry out theirduties.
•Wemayuse and disclose yourPHIforresearch purposesin certainlimited circumstances.Wewillobtain yourwritten authorization to use your PHI for research purposes except when an Internal Review Board (“IRB”) or Privacy Board hasdetermined that the waiver ofyourauthorization satisfies the following:(i) the use or disclosure involvesno more than a minimal risk to your privacy based on the following:(A)an adequate plan to protect the identifiers from improper useand disclosure; (B) an adequate plan to destroy the identifiers at the earliest opportunity consistentwith the research(unless there is a health orresearch justification for retaining the identifiers or such retention is otherwise required bylaw);and (C)adequate, written assurances that the PHIwill not be re-used or disclosed to any other person or entity(exceptasrequired bylaw) for authorizedoversight oftheresearch study,or for other research forwhich the use ordisclosure would otherwise bepermitted; (ii) the research could not practicably be conducted without the waiver; and (iii)the research could not practicablybe conducted without accessto and use of the PHI.
(k)Criminal Activity:
•Consistent with applicable federal and state laws, we may discloseyourPHI if we believe that the use or disclosure isnecessary to prevent or lessen a serious and imminent threat to the health orsafety of a person or the public.We may also disclose PHIifitisnecessaryforlawenforcementauthoritiesto identifyorapprehendanindividual.
(l)Organ and Tissue Donation:
•Ifyou are an organ donor,we may releaseyourPHI to organizationsthat handle organ procurement or organ, eye ortissue transplantation or to an organ donation bank, as necessary,to facilitate organ ortissue donation and transplantation.
(m)MilitaryActivity and National Security:
•If you are a member of the armed forces, we may use or disclose PHI (i) as required by militarycommandauthorities;(ii)for the purpose of determining by the Department of Veterans Affairsofyour eligibilityfor benefits; or(iii)for foreignmilitarypersonnelto the appropriate foreign militaryauthority.We mayalso discloseyourmedicalinformation to authorized federalofficialsforconducting nationalsecurityand intelligence activities,including forthe protectiveservicesto the President or otherslegally authorized.
(n)Workers' Compensation:
•Wemay disclose your PHI as authorized to comply with workers'compensation lawsand othersimilarprogramsthatprovide benefitsfor work-related injuriesor illness.
•Wemay use or disclose your PHIifyou are an inmate of acorrectional facility and our practice created or received yourhealth information in the course of providing care to you.
(p)Required Uses and Disclosures:
•Underthelaw,wemustmake disclosurestoyouandwhen requiredbytheSecretaryoftheDepartmentofHealthand Human Services to investigateordetermine our compliancewithour legalobligations to safeguard your PHI.
IV.TheFollowing IsaStatementofYourRightswith RespecttoYourPHIandaBriefDescription ofHow YouMayExercise These Rights.
(a)You have the right to inspect and copyyour PHI.
•This means you may inspectand obtain a copy ofyour PHI that has originated in our practice.We maycharge you a reasonable fee forcopying and mailing records.To theextentwe maintain anyportion ofyourPHIin electronic

RJH Form F0210 (11/17/2008 –Rev.07/2013)Page 3
RJH Form F0210 (11/17/2008 – Rev. 07/2013) Page 4
format, you have the right to receive such PHI from us in an electronic format. We will charge no more than actual labor cost to provide you electronic versions of your PHI that we maintain in electronic format.
• After you have made a written request to our Privacy Officer we will have thirty (30) days to satisfy your request. If we deny your request to inspect or copy your medical information, we will provide you with a written explanation of the denial.
• You may not have a right to inspect or copy psychotherapy notes. In some circumstances, you may have a right to have the decision to deny you access reviewed. Please contact the Privacy Officer if you have any questions about access to your medical record.
(b) You have the right to request a restriction of your PHI.
• You may ask us not to use or disclose part of your PHI for the purposes of treatment, payment or healthcare operations. You may also request that your PHI not be disclosed to family members or friends who may be involved in your care or for notification purposes as described in this Notice. You must state in writing the specific restriction requested and to whom you want the restriction to apply.
• If we believe it is in your best interest to permit use and disclosure of your PHI, your medical information will not be restricted; provided, however, we must agree to your request to restrict disclosure of your PHI if: (i) the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and (ii) the information pertains solely to a health care item or service for which you (and not your health plan) have paid us in full. If we do agree to the requested restriction, we may not use or disclose your PHI in violation of that restriction unless it is needed to provide emergency treatment. Your written request must be specific as to what information you want to limit and to whom you want the limits to apply. The request should be sent, in writing, to our Privacy Officer.
(c) You have the right to request to receive confidential communications from us at a location other than your primary address.
• We will try to accommodate reasonable requests. Please make this request in writing to our Privacy Officer.
(d) You have the right to request an amendment to your PHI.
• If you feel that medical information we have about you is incorrect or incomplete, you may request we amend the information. If you wish to request an amendment to your medical information, please contact our Privacy Officer. In certain cases, we may deny your request for an amendment. If we deny your request for amendment, you have the right to file a statement of disagreement with us.
(e) You have the right to receive an accounting of disclosures, if any, of your PHI.
• This right applies to disclosures for purposes other than treatment, payment or healthcare operations as described in this Notice. It excludes disclosures we may have made to you, family members or friends involved in your care, or for notification purposes. It also excludes any disclosures we made pursuant to an authorization. To receive information regarding disclosures made for a specific time period no longer than six (6) years and after April 14, 2003, please submit your request in writing to our Privacy Officer. We must provide the first accounting in any 12-month period to you without charge. Thereafter, we will notify you in writing of the cost involved in preparing this list.
(f) Uses and Disclosures of PHI Based upon Your Written Authorization.
• Other uses and disclosures of your PHI not covered by this Notice or required by law will be made only with your written authorization. For example, most uses and disclosures of psychotherapy notes, the use or disclosure of PHI for marketing purposes, any use or disclosure of PHI that constitute a sale of that information, and uses and disclosures other than those described in this Notice, require your authorization. You may revoke this authorization at any time, except to the extent that our practice has taken an action in reliance on the use or disclosure indicated in the prior authorization.
(g) Right to be Notified of a Breach.
• You have the right to be notified in the event that we (or our business associate) discover a breach of unsecured PHI.
(h) Complaints:
• You may complain to us or to the Secretary of Health and Human Services if you believe we have violated your privacy rights. You may file a complaint with us by notifying our Privacy Officer, in writing. We will not retaliate against you for filing a complaint.