HIPPA Notice

Hedges Prescription Shop of Sarasota, Inc. d/b/a Hedges Healthmart Pharmacy

HIPAA NOTICE OF PRIVACY PRACTICES

(“Notice”)

Effective September 1, 2013

If you have any questions about this Notice please contact our Privacy Officer, Merly Miller, at 24 North Lime Avenue, Sarasota, FL 34237, Phone: 941-366-2424.

This Notice describes how our practice and our health care professionals, employees, volunteers, trainees and staff may create, receive, maintain and transmit your medical information to carry out treatment, payment or health care operations and for other purposes that are described in this Notice. We understand that medical information about you and your health, called “Protected Health Information”, or “PHI,” is personal and we are committed to protecting medical information about you. This Notice applies to all records of your care generated by this practice.

This Notice also describes your right to access and control of your information. This information about you includes demographic information that may identify you and that relates to your past, present and future physical or mental health or condition and related health care services. Typically, PHI will include symptoms, examination and test results, diagnoses, treatment and a plan for future care or treatment. In some cases, federal or state laws may provide privacy protections to PHI that are more strict than those described in this Notice. In those cases, we will comply with the stricter law. For example, federal and state laws may provide privacy protections to PHI related to mental health, HIV/AIDS, reproductive health or chemical dependency that are more strict.

We are required by law to protect the privacy of your PHI and to follow the terms of this Notice. We may change the terms of this Notice at any time. The new Notice will then be effective for all PHI that we maintain at that time and thereafter. We will provide you with any revised Notice if you request a revised copy be sent to you in the mail or if you ask for one when you are in the facility.

I. Uses and Disclosures of Protected Health Information.

Your PHI may be used and disclosed for purposes of treatment, payment and health care operations. With the exception of uses or disclosures for treatment purposes, we will limit uses and disclosures of your PHI to the minimum necessary to achieve the permitted purpose of the use or disclosure. The following are examples of different ways we use and disclose medical information. These are examples only.

(a) Treatment:

• We may use and disclose your PHI to provide, coordinate, or manage your medical treatment or any related services. This includes the coordination or management of your health care with a third party that has already obtained your permission to have access to your medical information. For example, we could disclose your PHI to a home health agency that provides care to you. We may also disclose PHI to other physicians who may be treating you, such as a physician to whom you have been referred to ensure that the physician has the necessary information to diagnose or treat you. In addition, we may disclose your PHI to another physician or health care provider, such as a laboratory.

(b) Payment:

• We may use and disclose your PHI to obtain payment for the treatment and services you receive from us. For example, we may need to provide your health insurance plan information about your treatment plan so that they can make a determination of eligibility or to obtain prior approval for planned treatment. We may also need to obtain approval for a hospital stay which may require that relevant medical information be disclosed to the health plan to obtain approval for the hospital admission.

(c) Healthcare Operations:

• We may use or disclose your PHI in order to support the business activities of our practice. These activities include, but are not limited to, reviewing our treatment of you, employee performance reviews, training of medical students, licensing, marketing and fundraising activities and conducting or arranging for other business activities.

• For example, we may use a sign-in sheet at the registration desk where you will be asked to sign your name and indicate your physician or health care provider. We may also call you by name in the waiting room when your physician or health care provider is ready to see you. We may use or disclose your medical information to remind you of your next appointment.

• We may share your PHI with third party “business associates” that perform activities on our behalf, such as billing or transcription for the practice. Whenever an arrangement between our facility and a business associate involves the use or disclosure of your medical information, we will have a written contract that contains terms that requires the business

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. IT FURTHER DETAILS HOW YOU OR YOUR PERSONAL REPRESENTATIVE MAY GAIN ACCESS TO THIS INFORMATION.

PLEASE REVIEW CAREFULLY.

RJH Form F0210 (11/17/2008 – Rev. 07/2013) Page 1

associate to protect the privacy of your PHI, and we will limit the disclosures to the minimum necessary amount of PHI to achieve the permitted purpose of the disclosure.

• We may use or disclose your PHI to provide you with information about treatment alternatives or other health-related benefits and services that may be of interest to you. We may also use and disclose your PHI for other marketing activities. For example, your name and address may be used to send you a newsletter about our practice and the services we offer. We may also send you information about products or services that we believe may be beneficial to you. You may contact our Privacy Officer to request that these materials not be sent to you.

• We may use or disclose your demographic information and the dates that you received treatment from your physician or health care provider, as necessary, in order to contact you for fundraising activities supported by our facility. If you do not want to receive these materials, please contact our Privacy Officer to request that these fundraising materials not be sent to you.

(d) Health Information Exchange:

• Hedges Prescription Shop of Sarasota, Inc. d/b/a Hedges Healthmart Pharmacy, along with certain other health care providers and practice groups in the area, participate in health information exchanges (“Exchange”). The Exchange facilitates electronic sharing and exchange of medical and other individually identifiable health information regarding patients among health care providers that participate in the Exchange. Through the Exchange we may electronically disclose demographic, medical, billing and other health-related information about you to other health care providers that participate in the Exchange and request such information for purposes of facilitating or providing treatment, arrangement for payment for health care services or otherwise conducting or administering their health care operations.

II. Other Permitted and Required Uses and Disclosures That May Be Made With Your Consent, Authorization or Opportunity to Object.

We may use and disclose your PHI in the following instances. You have the opportunity to agree or object to the use or disclosure of all or part of your medical information. If you are not present or able to agree or object to the use or disclosure of the medical information, then your physician or health care provider may, using professional judgment, determine whether the disclosure is in your best interest. In this case, only the medical information that is relevant to your health care will be disclosed.

(a) Others Involved in Your Healthcare:

• Unless you object, we may disclose to a member of your family, a relative or close friend your PHI that directly relates to that person’s involvement in your health care. If you are unable to agree or object to such a disclosure, we may disclose such information if we determine that it is in your best interest based on our professional judgment. We may use or disclose your information to notify or assist in notifying a family member or any other person that is responsible for your care at your location, general condition or death. Finally, we may use or disclose your PHI to an entity assisting in disaster relief efforts and to coordinate uses and disclosures to family or other individuals involved in your health care.

(b) Emergencies:

• We may use or disclose your PHI for emergency treatment. If this happens, we shall try to obtain your consent as soon as reasonable after the delivery of treatment. If the practice is required by law to treat you and has attempted to obtain your consent but is unable to do so, the practice may still use or disclose your medical information to treat you.

(c) Communication Barriers:

• We may use and disclose your information if the practice attempts to obtain consent from you but is unable to do so due to substantial communication barriers and, in our professional judgment, you intended to consent to use or disclosure under the circumstances.

III. Other Permitted and Required Uses and Disclosures That May Be Made Without Your Consent, Authorization or Opportunity to Object:

We may use or disclose your PHI in the following situations without your consent or authorization. These situations include:

(a) Required By Law:

• We may use or disclose your PHI when federal, state or local law requires disclosure. You will be notified of any such uses or disclosure.

(b) Public Health:

• We may disclose your PHI for public health activities and purposes to a public health authority that is permitted by law to collect or receive the information. This disclosure will be made for the purpose of controlling disease, injury or disability.

(c) Communicable Diseases:

• We may disclose your PHI, if authorized by law, to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading the disease or condition.

(d) Health Oversight:

• We may disclose your PHI to a health oversight agency for activities authorized by law, such as audits, investigations, inspections and licensure. These activities are necessary for the government agencies to oversee the health care system, government benefit programs, other government regulatory programs and civil rights laws.

(e) Abuse or Neglect:

RJH Form F0210 (11/17/2008 – Rev. 07/2013) Page 2

• We may disclose your PHI to a public health authority that is authorized by law to receive reports of child abuse or neglect. In addition, we may disclose your medical information to the governmental entity authorized to receive such information if we believe that you have been a victim of abuse, neglect or domestic violence as is consistent with the requirements of applicable federal and state laws.

(f) Food and Drug Administration:

• We may disclose your PHI to a person or company required by the Food and Drug Administration to report adverse events, product defects or problems, biologic product deviations, track products, to enable product recalls, to make repairs or replacements, or to conduct post marketing surveillance, as required.

(g) Legal Proceedings:

• We may disclose your PHI in the course of any judicial or administrative proceeding, when required by a court order or administrative tribunal, and in certain conditions in response to a subpoena, discovery request or other lawful process.

(h) Law Enforcement:

• We may disclose your PHI, as long as applicable legal requirements are met, for law enforcement purposes. These law enforcement purposes include: (i) responding to a court order, subpoena, warrant, summons or otherwise required by law; (ii) identifying or locating a suspect, fugitive, material witness or missing person; (iii) pertaining to victims of a crime; (iv) suspecting that death has occurred as a result of criminal conduct; (v) in the event that a crime occurs on the premises of the practice; and (vi) responding to a medical emergency (not on the Practice’s premises) and it is likely that a crime has occurred.

(i) Coroners, Funeral Directors, and Organ Donors:

• We may disclose your PHI to a coroner or medical examiner for identification purposes, determining cause of death or for the coroner or medical examiner to perform other duties authorized by law. We may also disclose PHI to funeral directors as necessary to carry out their duties.

(j) Research:

• We may use and disclose your PHI for research purposes in certain limited circumstances. We will obtain your written authorization to use your PHI for research purposes except when an Internal Review Board (“IRB”) or Privacy Board has determined that the waiver of your authorization satisfies the following: (i) the use or disclosure involves no more than a minimal risk to your privacy based on the following: (A) an adequate plan to protect the identifiers from improper use and disclosure; (B) an adequate plan to destroy the identifiers at the earliest opportunity consistent with the research (unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law); and (C) adequate, written assurances that the PHI will not be re-used or disclosed to any other person or entity (except as required by law) for authorized oversight of the research study, or for other research for which the use or disclosure would otherwise be permitted; (ii) the research could not practicably be conducted without the waiver; and (iii) the research could not practicably be conducted without access to and use of the PHI.

(k) Criminal Activity:

• Consistent with applicable federal and state laws, we may disclose your PHI if we believe that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. We may also disclose PHI if it is necessary for law enforcement authorities to identify or apprehend an individual.

(l) Organ and Tissue Donation:

• If you are an organ donor, we may release your PHI to organizations that handle organ procurement or organ, eye or tissue transplantation or to an organ donation bank, as necessary, to facilitate organ or tissue donation and transplantation.

(m) Military Activity and National Security:

• If you are a member of the armed forces, we may use or disclose PHI (i) as required by military command authorities; (ii) for the purpose of determining by the Department of Veterans Affairs of your eligibility for benefits; or (iii) for foreign military personnel to the appropriate foreign military authority. We may also disclose your medical information to authorized federal officials for conducting national security and intelligence activities, including for the protective services to the President or others legally authorized.

(n) Workers’ Compensation:

• We may disclose your PHI as authorized to comply with workers’ compensation laws and other similar programs that provide benefits for work-related injuries or illness.

(o) Inmates:

• We may use or disclose your PHI if you are an inmate of a correctional facility and our practice created or received your health information in the course of providing care to you.

(p) Required Uses and Disclosures:

• Under the law, we must make disclosures to you and when required by the Secretary of the Department of Health and Human Services to investigate or determine our compliance with our legal obligations to safeguard your PHI.

IV. The Following Is a Statement of Your Rights with Respect to Your PHI and a Brief Description of How You May Exercise These Rights.

(a) You have the right to inspect and copy your PHI.

RJH Form F0210 (11/17/2008 – Rev. 07/2013) Page 3

• This means you may inspect and obtain a copy of your PHI that has originated in our practice. We may charge you a reasonable fee for copying and mailing records. To the extent we maintain any portion of your PHI in electronic format, you have the right to receive such PHI from us in an electronic format. We will charge no more than actual labor cost to provide you electronic versions of your PHI that we maintain in electronic format.

• After you have made a written request to our Privacy Officer we will have thirty (30) days to satisfy your request. If we deny your request to inspect or copy your medical information, we will provide you with a written explanation of the denial.

• You may not have a right to inspect or copy psychotherapy notes. In some circumstances, you may have a right to have the decision to deny you access reviewed. Please contact the Privacy Officer if you have any questions about access to your medical record.

(b) You have the right to request a restriction of your PHI.

• You may ask us not to use or disclose part of your PHI for the purposes of treatment, payment or healthcare operations. You may also request that your PHI not be disclosed to family members or friends who may be involved in your care or for notification purposes as described in this Notice. You must state in writing the specific restriction requested and to whom you want the restriction to apply.

• If we believe it is in your best interest to permit use and disclosure of your PHI, your medical information will not be restricted; provided, however, we must agree to your request to restrict disclosure of your PHI if: (i) the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and (ii) the information pertains solely to a health care item or service for which you (and not your health plan) have paid us in full. If we do agree to the requested restriction, we may not use or disclose your PHI in violation of that restriction unless it is needed to provide emergency treatment. Your written request must be specific as to what information you want to limit and to whom you want the limits to apply. The request should be sent, in writing, to our Privacy Officer.

(c) You have the right to request to receive confidential communications from us at a location other than your primary address.

• We will try to accommodate reasonable requests. Please make this request in writing to our Privacy Officer.

(d) You have the right to request an amendment to your PHI.

• If you feel that medical information we have about you is incorrect or incomplete, you may request we amend the information. If you wish to request an amendment to your medical information, please contact our Privacy Officer. In certain cases, we may deny your request for an amendment. If we deny your request for amendment, you have the right to file a statement of disagreement with us.

(e) You have the right to receive an accounting of disclosures, if any, of your PHI.

• This right applies to disclosures for purposes other than treatment, payment or healthcare operations as described in this Notice. It excludes disclosures we may have made to you, family members or friends involved in your care, or for notification purposes. It also excludes any disclosures we made pursuant to an authorization. To receive information regarding disclosures made for a specific time period no longer than six (6) years and after April 14, 2003, please submit your request in writing to our Privacy Officer. We must provide the first accounting in any 12-month period to you without charge. Thereafter, we will notify you in writing of the cost involved in preparing this list.

(f) Uses and Disclosures of PHI Based upon Your Written Authorization.

• Other uses and disclosures of your PHI not covered by this Notice or required by law will be made only with your written authorization. For example, most uses and disclosures of psychotherapy notes, the use or disclosure of PHI for marketing purposes, any use or disclosure of PHI that constitute a sale of that information, and uses and disclosures other than those described in this Notice, require your authorization. You may revoke this authorization at any time, except to the extent that our practice has taken an action in reliance on the use or disclosure indicated in the prior authorization.

(g) Right to be Notified of a Breach.

• You have the right to be notified in the event that we (or our business associate) discover a breach of unsecured PHI.

(h) Complaints:

• You may complain to us or to the Secretary of Health and Human Services if you believe we have violated your privacy rights. You may file a complaint with us by notifying our Privacy Officer, in writing. We will not retaliate against you for filing a complaint.

RJH Form F0210 (11/17/2008 – Rev. 07/2013) Page 4