The 21st Century Cures Act
The Act mandates that notes created in an electronic health record (EHR) must be immediately available to clients through a secure online portal, known as a Patient Portal. The law requires healthcare providers to release certain records from a client’s electronic health record into the Patient Portal. The 21st Century Cures Act is effective October 2022.
Health Affiliates Maine clients can conveniently manage their behavioral health information online using the Patient Portal. The Patient Portal provides personalized and secure access to portions of your behavioral health record. It also offers you the ability to sign documents, send secure messages to your provider(s), and view select lab and test results, all from your phone or computer. The Patient Portal is a free service for all Health Affiliates Maine clients.
The Cures Act provides several exceptions in which information may be blocked from being shared to a client’s portal:
- Preventing Harm Exception: It is permissible to block access to records that are reasonable and necessary to prevent harm to a client or another person.
  Example: An example of a preventing harm exception would be a provider blocking the release of a client’s record if they believe the records will result in a safety risk to the client or another person.
- Privacy Exception: The Cures Act does not render existing federal and state privacy laws obsolete. Under the privacy exception, an organization would not be required to disclose a client’s information in a way that is prohibited under applicable privacy laws.
  Example: State laws indicate certain protections for minors seeking behavioral health care and therefore, some health information may only be accessible to the client/minor.
- Security Exception: Like the privacy exception, the security exception does not negate a provider’s duties when it comes to protecting the privacy of client’s information with appropriate safeguards. If a request for records presents a threat to the “confidentiality, integrity, and availability” of client information, access may be denied.
  Example: If a client is requesting access to their information in an insecure manner, such as via unencrypted email, the provider could block the information from being shared in this manner.
- Infeasibility Exception: This exception recognizes that legitimate challenges may limit a provider’s ability to comply when they are out of the provider’s control.
  Example: In the event of a natural or human-made disaster, the provider must respond, in writing, within 10 business days of receipt of the client’s request. The provider need not immediately fulfill that request.
- Health IT Performance Exception: Applies when health IT, most commonly the EHR (electronic health record), is down for required or necessary maintenance or upgrades. In this case, the system may be down for no longer than necessary to maintain or improve the system.
  Example: A client requests access to their most recent progress note during a system upgrade where the medical practice has no access to the note itself.
Notice of Privacy Practices
This notice of privacy practices describes how medical information about you may be used and disclosed and how you can get access to this information. Please be advised that all mental health and substance use information about you requires a specific written authorization signed by you prior to its release. Please review this document carefully.
This Notice of Privacy Practices (the “Notice”) describes the legal obligations of Health Affiliates Maine, LLC (the “Company”) and your legal rights regarding your protected health information held by the Company under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Among other things, this Notice describes how your protected health information may be used or disclosed to carry out treatment, payment, or health care operations, or for any other purposes that are permitted or required by law.
We are required to provide this Notice of Privacy Practices to you pursuant to HIPAA.
The HIPAA Privacy Rule protects only certain medical information known as “protected health information.” Generally, protected health information is health information, including demographic information, collected from you or created or received by a health care provider, a health care clearinghouse, a health plan, or your employer on behalf of a group health plan, from which it is possible to individually identify you and that relates to:
(1) your past, present, or future physical or mental health or condition;
(2) the provision of health care to you; or
(3) the past, present, or future payment for the provision of health care to you.
Information gathered by voluntary user submission
Health Affiliates Maine (HAM) collects the name, postal address, and email address of those users who contact us through our website. This information may be collected and used for marketing purposes. However, any information collected from the Health Affiliates Maine website will not be shared or sold to any outside individuals or companies and is reserved solely for the use of Health Affiliates Maine.
Information gathered by our web server
For each visitor to the Health Affiliates Maine website, our web server recognizes the consumer’s domain name, the pages or areas of the site that are visited, and the link followed to gain access to the HAM website. Our web server does not collect the email address of individual users. We use this information to assess user trends and interest in various areas of the HAM website and for site evaluation and development.
Contact information
Call: 1-877-888-4304
Email: info@healthaffiliatesmaine.com
Effective Date
This Notice is effective March 21, 2014; Revisions made November 5, 2015; December 9, 2016; May 14, 2018; September 23, 2019.
We are required by law to:
- maintain the privacy of your protected health information;
- provide you with certain rights with respect to your protected health information;
- provide you with a copy of this Notice of our legal duties and privacy practices with respect to your protected health information; and
- follow the terms of the Notice that is currently in effect.
We reserve the right to change the terms of this Notice and to make new provisions regarding your protected health information that we maintain, as allowed or required by law. If we make any material change to this Notice, we will provide you with a copy of our revised Notice of Privacy Practices by mailing a copy to your last known address on file and by posting the revised Notice to our website.
How We May Use and Disclose Your Protected Health Information
Under the law, we may use or disclose your protected health information under certain circumstances without your permission. The following categories describe the different ways that we may use and disclose your protected health information. For each category of uses or disclosures we will explain what we mean and present some examples. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one of the categories.
For Treatment. We may use or disclose your protected health information to facilitate medical treatment or services by providers. We may disclose medical information about you to providers, including doctors, nurses, technicians, medical students, or other hospital personnel who are involved in taking care of you. For example, we might disclose information about your medical condition to your primary care physician in order to coordinate your treatment services.
For Payment. We may use or disclose your protected health information to facilitate payment for the treatment and services you receive from the Company, or to coordinate insurance reimbursement. Likewise, we may share your protected health information with another entity to assist with the processing of payments.
For Health Care Operations. We may use and disclose your protected health information for other Company operations. These uses and disclosures are necessary to Company operations. For example, we may use medical information in connection with conducting quality assessment and improvement activities; conducting or arranging for medical review, legal services, audit services, and fraud and abuse detection programs; organizational planning and development such as cost management; and business management and general Company administrative activities.
Treatment Alternatives or Health-Related Benefits and Services. We may use and disclose your protected health information to send you information about treatment alternatives or other health-related benefits and services that might be of interest to you.
To Business Associates. We may contract with individuals or entities known as Business Associates to perform various functions on our behalf or to provide certain types of services. In order to perform these functions or to provide these services, Business Associates will receive, create, maintain, transmit, use, and/or disclose your protected health information, but only after they agree in writing with us to implement appropriate safeguards regarding your protected health information. For example, we may disclose your protected health information to a Business Associate to process claims for health services rendered or to provide support services, such as utilization management or records destruction, but only after the Business Associate enters into a Business Associate contract with us.
As Required by Law. We will disclose your protected health information when required to do so by federal, state, or local law. For example, we may disclose your protected health information when required by national security laws or public health disclosure laws.
To Avert a Serious Threat to Health or Safety. We may use and disclose your protected health information when necessary to prevent a serious threat to your health and safety, or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat. For example, we may disclose your protected health information in a proceeding regarding the licensure of a physician.
In addition to the above, the following categories describe other possible ways that we may use and disclose your protected health information without your specific authorization. For each category of uses or disclosures, we will explain what we mean and present some examples. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one of the categories.
Organ and Tissue Donation. If you are an organ donor, we may release your protected health information after your death to organizations that handle organ procurement or organ, eye, or tissue transplantation or to an organ donation bank, as necessary to facilitate organ or tissue donation and transplantation.
Military. If you are a member of the armed forces, we may release your protected health information as required by military command authorities. We may also release protected health information about foreign military personnel to the appropriate foreign military authority.
Workers’ Compensation. We may release your protected health information for workers’ compensation or similar programs, but only as authorized by, and to the extent necessary to comply with, laws relating to workers’ compensation and similar programs that provide benefits for work-related injuries or illness.
Public Health Risks. We may disclose your protected health information for public health activities. These activities generally include the following:
- to prevent or control disease, injury, or disability;
- to report births and deaths;
- to report child abuse or neglect;
- to report reactions to medications or problems with products;
- to notify people of recalls of products they may be using;
- to notify a person who may have been exposed to a disease or at risk for contracting or spreading a disease or condition;
- to notify the appropriate government authority if we believe that a patient has been the victim of abuse, neglect, or domestic violence. We will only make this disclosure if you agree, or when required or authorized by law.
Health Oversight Activities. We may disclose your protected health information to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.
Lawsuits and Disputes. If you are involved in a lawsuit or a dispute, we may disclose your protected health information in response to a court or administrative order. We may also disclose your protected health information in response to a subpoena, discovery request, or other lawful process by someone involved in a legal dispute, but only if efforts have been made to tell you about the request or to obtain a court or administrative order protecting the information requested.
Law Enforcement. If requested by a law enforcement official to disclose your protected health information that is of a sensitive nature, such as mental health, substance abuse or HIV information, we will take all reasonable steps available under the law to avoid disclosure of such sensitive information. If asked by a law enforcement official to disclose other protected health information of a less sensitive nature, we will disclose such information when authorized by law, including:
- in response to a court order, subpoena, warrant, summons, or similar process;
- to identify or locate a suspect, fugitive, material witness, or missing person;
- about the victim of a crime if, under certain limited circumstances, we are unable to obtain the victim’s agreement;
- about a death that we believe may be the result of criminal conduct; and
- about criminal conduct.
Coroners, Medical Examiners, and Funeral Directors. We may release protected health information to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also release medical information about patients to funeral directors, as necessary to carry out their duties.
National Security and Intelligence Activities. We may release your protected health information to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.
Inmates. If you are an inmate of a correctional institution or are in the custody of a law-enforcement official, we may disclose your protected health information to the correctional institution or law-enforcement official if necessary (1) for the institution to provide you with health care; (2) to protect your health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution.
Research. We may disclose your protected health information to researchers when:
(1) the individual identifiers have been removed; or
(2) when an institutional review board or privacy board has reviewed the research proposal and established protocols to ensure the privacy of the requested information, and approves the research.
All clients will have immediate access to providers’ notes through the Patient Portal after the provider has completed them in the electronic health record.
The following is a description of disclosures of your protected health information we are required to make.
Government Audits. We are required to disclose your protected health information to the Secretary of the United States Department of Health and Human Services when the Secretary is investigating or determining our compliance with the HIPAA privacy rule.
Disclosures to You. When you request, we are required to disclose to you the portion of your protected health information that contains medical records, billing records, and any other records used to make decisions regarding your health care treatment. We are also required, when requested, to provide you with an accounting of most disclosures of your protected health information if the disclosure was for reasons other than for payment, treatment, or health care operations, and if the protected health information was not disclosed pursuant to your individual authorization.
You have the following rights with respect to your protected health information:
Right to Inspect and Copy. You have the right to inspect and copy certain protected health information that may be used to make decisions about your treatment. If the information you request is maintained electronically, and you request an electronic copy, we will provide a copy in the electronic form and format you request, if the information can be readily produced in that form and format; if the information cannot be readily produced in that form and format, we will work with you to come to an agreement on form and format. If we cannot agree on an electronic form and format, we will provide you with a paper copy.
To inspect and copy your protected health information, you must submit your request in writing. If you request a copy of the information, we may charge a reasonable fee for the costs of copying, mailing, or other supplies associated with your request.
We may deny your request to inspect and copy in certain very limited circumstances. If you are denied access to your medical information, you may request that the denial be reviewed by submitting a written request to Health Affiliates Maine.
Your records will be maintained by Health Affiliates Maine for six (6) years after discharge from services, or six (6) years after the 18th birthday for discharges from children’s services. A copy of your record can be requested at any time while it is being maintained. After the maintenance period, records will be shredded and no longer available.
Right to Amend. If you feel that the protected health information we have about you is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept by the Company.
To request an amendment, your request must be made in writing and provide a reason that supports your request.
We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend information that:
- is not part of the medical information kept by the Company;
- was not created by us, unless the person or entity that created the information is no longer available to make the amendment;
- is not part of the information that you would be permitted to inspect and copy; or
- is already accurate and complete.
If we deny your request, you have the right to file a statement of disagreement with us and any future disclosures of the disputed information will include your statement.
Right to an Accounting of Disclosures. You have the right to request an “accounting” of certain disclosures of your protected health information. The accounting will not include (1) disclosures for purposes of treatment, payment, or health care operations; (2) disclosures made to you; (3) disclosures made pursuant to your authorization; (4) disclosures made to friends or family in your presence or because of an emergency; (5) disclosures for national security purposes; and (6) disclosures incidental to otherwise permissible disclosures.
To request this list or accounting of disclosures, you must submit your request in writing. Your request must state the time period you want the accounting to cover, which may not be longer than six years before the date of the request. Your request should indicate in what form you want the list (for example, paper or electronic). The first list you request within a 12-month period will be provided free of charge. For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred.
Right to Request Restrictions. You have the right to request a restriction or limitation on your protected health information that we use or disclose for treatment, payment, or health care operations. You also have the right to request a limit on your protected health information that we disclose to someone who is involved in your care or the payment for your care, such as a family member or friend. However, if you request a restriction and the personal health information you asked us to restrict is needed to provide you with emergency treatment, we may use that information or disclose that information to a health care provider in order to provide you with emergency treatment.
Except as provided in the next paragraph, we are not required to agree to your request. However, if we do agree to the request, we will honor the restriction until you revoke it or we notify you.
We will comply with any restriction request if (1) except as otherwise required by law, the disclosure is to a health plan for purposes of carrying out payment or health care operations (and is not for purposes of carrying out treatment); and (2) the protected health information pertains solely to a health care item or service for which the health care provider involved has been paid in full by you or another person.
To request restrictions, you must make your request in writing and include (1) what information you want to limit; (2) whether you want to limit our use, disclosure, or both; and (3) to whom you want the limits to apply (for example, disclosures to your spouse).
Right to Request Confidential Communications. You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail.
To request confidential communications, you must make your request in writing. We will not ask you the reason for your request. Your request must specify how or where you wish to be contacted. We will accommodate all reasonable requests.
Right to Be Notified of a Breach. You have the right to be notified in the event that we (or a Business Associate) discover a breach of unsecured protected health information.
Right to a Paper Copy of This Notice. You have the right to a paper copy of this notice. You may ask us to give you a copy of this notice at any time. Even if you have agreed to receive this notice electronically, you are still entitled to a paper copy of this notice.
You may obtain a copy of this notice at our website, www.healthaffiliatesmaine.com.
To obtain a paper copy of this notice, contact our Privacy Officer, at (877) 888-4304.
If you believe that your privacy rights have been violated, you may file a complaint with the Company or with the Office for Civil Rights of the United States Department of Health and Human Services. All complaints must be submitted in writing. You will not be penalized, or in any other way retaliated against, for filing a complaint with the Office for Civil Rights or with us.
To exercise any of your rights and/or file a complaint with Health Affiliates Maine, please contact our Privacy Officer, Health Affiliates Maine, PO Box 1150, Auburn, Maine 04211 (phone: (877) 888-4304).