HIPAA Notice of Privacy Practices

Plain-Language Summary

• We protect your medical information and only use or share it as the law allows.
• Your information is used to treat you, get paid, and run our practice safely and lawfully.
• You have rights to see, get a copy of, correct, and ask us to limit your records.
• We must tell you if there is a breach affecting your unsecured information.
• You can file a complaint with us or with the federal Office for Civil Rights — and we will not retaliate.

1. Who This Notice Applies To

This Notice applies to 5D Cancer Services and to all members of our workforce — including physicians, nurses, technologists, dosimetrists, medical physicists, administrative staff, and contractors — at our facility located at 1308 E 900 South, Unit B, St. George, UT 84790. We are a HIPAA-covered health-care provider.

2. What Protected Health Information Is

"Protected Health Information" (PHI) is individually identifiable health information that we create, receive, maintain, or transmit — in any form or medium — relating to your past, present, or future physical or mental health, the health-care services we provide to you, or payment for those services. PHI includes demographic information that could identify you (such as name, address, date of birth, and Social Security number) when associated with health information.

3. Uses & Disclosures for Treatment, Payment & Health-Care Operations

We are permitted by HIPAA to use and disclose your PHI without your authorization for the following core purposes:

3.1 Treatment

We use and share your PHI with physicians, nurses, technologists, medical physicists, dosimetrists, pharmacists, laboratories, imaging facilities, hospitals, and other clinicians who provide, coordinate, or manage your care. For example, your radiation-oncology treatment plan, simulation imaging, and dose data may be shared with your medical oncologist, surgeon, or referring physician to coordinate your overall cancer care.

3.2 Payment

We use and share your PHI to obtain payment for the services we provide. This includes verifying eligibility, obtaining prior authorization, submitting claims to insurance carriers, billing you and your responsible party, and pursuing collections where necessary.

3.3 Health-Care Operations

We use and share your PHI to operate the practice safely and effectively. Examples include quality assessment and improvement, peer review, training of students and clinicians, accreditation activities, audit and compliance reviews, business management, and arranging for legal, accounting, or other professional services.

4. Other Permitted & Required Uses & Disclosures

HIPAA permits or requires us to use or disclose your PHI without your authorization in additional limited circumstances, including:

• As required by law – including reporting to public-health authorities and complying with court orders or subpoenas as the law allows.
• Public-health activities – such as reporting communicable diseases, adverse events to the FDA, or vital statistics.
• Victims of abuse, neglect, or domestic violence – consistent with applicable law.
• Health-oversight activities – audits, investigations, and licensure inspections by government agencies.
• Judicial and administrative proceedings – in response to a valid order or qualifying request.
• Law enforcement – for limited purposes such as identifying or locating a suspect or reporting certain wounds.
• Coroners, medical examiners, and funeral directors – as necessary to perform their duties.
• Organ, eye, or tissue donation – when you are an organ donor.
• Research – with appropriate IRB or privacy-board approval, or where the information is de-identified.
• To avert a serious threat to health or safety.
• Specialized government functions – including military, veterans, national security, and protective services for the President.
• Workers' compensation – as authorized by and to the extent necessary to comply with workers'-compensation laws.
• Business associates – vendors performing services on our behalf under HIPAA-compliant Business Associate Agreements.
• Family members and others involved in your care – we may share information directly relevant to that person's involvement in your care, unless you object.
• Appointment reminders, treatment alternatives, and health-related benefits and services.

5. Uses & Disclosures Requiring Your Written Authorization

Other uses and disclosures of your PHI will be made only with your written authorization. In particular, we will obtain your authorization before:

• Using or disclosing psychotherapy notes (where applicable).
• Using or disclosing PHI for marketing communications, except for face-to-face communications and certain promotional gifts of nominal value.
• Selling your PHI.
• Most other uses or disclosures not described in this Notice.

You may revoke an authorization in writing at any time, except to the extent we have already acted in reliance on it.

6. Your Rights Under HIPAA

You have the following rights with respect to your PHI:

• Right to inspect and copy your PHI in our designated record set, including in electronic form when we maintain it electronically. We may charge a reasonable, cost-based fee. We may deny access in certain limited circumstances and, where you have a right to review the denial, we will provide one.
• Right to request an amendment if you believe information in your records is incorrect or incomplete. We may deny your request under certain circumstances and will provide a written explanation; you may submit a written statement of disagreement that will be included with your records.
• Right to an accounting of disclosures of your PHI made by us in the six years prior to your request, excluding certain disclosures (such as those for treatment, payment, or operations).
• Right to request restrictions on certain uses and disclosures of your PHI for treatment, payment, and health-care operations, and to certain disclosures to family or friends. We are not required to agree, except that we must agree to a request to restrict disclosure of PHI to a health plan if (a) the disclosure is for payment or operations and is not otherwise required by law, and (b) the PHI pertains solely to a health-care item or service for which you (or someone on your behalf, other than the health plan) have paid us in full out-of-pocket.
• Right to confidential communications – you may request that we contact you by alternative means or at alternative locations (e.g., only by mail and not by phone) and we will accommodate reasonable requests.
• Right to a paper copy of this Notice, even if you have agreed to receive it electronically.
• Right to be notified of a breach of unsecured PHI as described in Section 8.
• Right to file a complaint as described in Section 11 – without retaliation.

Most rights must be exercised in writing. Forms are available from our Privacy Officer.

7. Our Duties

• We are required by law to maintain the privacy and security of your PHI.
• We are required to provide you with this Notice of our legal duties and privacy practices with respect to PHI, and to abide by the terms of the Notice currently in effect.
• We must notify you following a breach of unsecured PHI involving you.
• We must obtain your written authorization for uses and disclosures other than those described above.
• We may not retaliate against you for exercising any right under HIPAA.

8. Breach Notification

If we discover a breach of unsecured PHI, we will notify affected individuals without unreasonable delay and in no case later than 60 days after discovery, in accordance with 45 C.F.R. §§ 164.400-414. Where a breach involves more than 500 residents of a state or jurisdiction, we will also notify prominent media outlets and the Secretary of the U.S. Department of Health and Human Services.

9. Minors & Personal Representatives

In general, parents and legal guardians are personal representatives of their unemancipated minor children for purposes of accessing PHI, except where Utah law permits a minor to consent to a service without parental consent — in which case the minor controls access to the related PHI. Personal representatives (such as a court-appointed guardian or an agent under a durable power of attorney for health care) are treated as the individual under HIPAA, except where doing so would endanger the patient.

10. State Law (Utah) Where More Protective

Some categories of information — including HIV/AIDS status, mental-health information, substance-use treatment information (which may also be subject to 42 C.F.R. Part 2), genetic information, and reproductive-health information — receive heightened protection under federal or Utah state law. Where state or other federal law is more protective than HIPAA, we follow the more protective standard.

11. Complaints

If you believe your privacy rights have been violated, you may file a complaint:

We will not retaliate against you in any way for filing a complaint.

12. Changes to This Notice

We reserve the right to change this Notice at any time and to make the revised Notice effective for all PHI we maintain. The revised Notice will be posted in our facility, made available on request, and posted on this Site. The current Notice's effective date is shown at the top of this page.

13. How to Contact Us

See also our Privacy Policy for non-PHI information practices and our Terms of Service for the rules governing use of this Site.