Privacy Policy
Effective Date: September 23, 2013
Last Reviewed: October 1, 2020
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. Mirror, Inc. (“Mirror,” “us,” or “we”) understands that information we collect about you and your health is personal. This Notice of Privacy Practices (“Notice”) describes the practices we will follow with regard to your “protected health information” (“PHI”).
PHI is a special term, defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its regulations (the “Privacy Rule”). PHI means individually identifiable health information (including demographic information) that is created or received by a health care provider, a health plan, your employer, or a health care clearinghouse and relates to: (i) your past, present, or future physical or mental health or condition; (ii) the delivery of health care to you; or (iii) the past, present, or future payment for the delivery of health care to you. We provide health care to our patients and clients in partnership with physicians and other professionals and organizations. The privacy practices described in this Notice will be followed by members of Mirror’s staff, their physician colleagues and other health care practitioners who provide medical and medical-related services to you, and who cooperate in sharing PHI about you as necessary to carry out treatment, payment, and health care operations at Mirror.
Keeping your health information private is one of our most important responsibilities. We are committed to protecting your PHI and following all laws regarding the use of your PHI. If you have questions about any part of this Notice or if you want more information about the privacy practices at Mirror, please contact the Contact Office listed at the end of this Notice.
A. Our Rights and Obligations
1. We are required by law to maintain the privacy of your PHI.
2. We are required to give you this Notice about our privacy practices, our legal duties, and your rights concerning PHI.
3. We are required to follow the privacy practices described in this Notice.
These privacy practices will remain in effect until we replace or modify them.
4. We are required to notify you following a breach of unsecured PHI.
5. We reserve the right to change our privacy practices and the terms of this Notice at any time, provided that the change is permitted by law. We reserve the right to have such a change affect all PHI we maintain, including PHI we received or created before the change. We will post a copy of the current notice in waiting areas, exam rooms, and on our website at www.mirrorinc.org. You may receive a copy of the current Notice at any time. The Notice will contain the effective date on the first page. If you are a new patient, you will be provided a copy of the current Notice the first time you register at Mirror for services. You will be asked to acknowledge in writing that you received this Notice.
B. How Mirror May Use or Disclose Your Health Information
The following categories describe the ways Mirror may use and disclose your PHI, as part of our normal operations to assist you, without asking you for permission. For each category of uses and disclosures, we will explain what we mean and present some examples. In each category we will only disclose the minimum amount of information needed to accomplish the task. Not every use or disclosure in a category will be listed. However, the ways we are permitted to use NEED HELP? Call us 855-396-1169 Menu Search … and disclose your PHI will fall within one of the categories.
1. Uses and Disclosures for Treatment, Payment and Health Care Operations
a. Treatment : We may use or disclose your PHI to provide the necessary treatment to you. For example, if you are a client of one of the Mirror treatment programs, we may use your PHI to provide you with treatment or services. We may disclose your PHI to qualified mental health professionals; qualified medical professionals; qualified counselors or other social services professionals. Your treatment team members will internally discuss your PHI in order to develop and carry out a plan for your services. Mirror may share your PHI in order to coordinate the different things you need, such as prescriptions, medical tests, special dietary needs, personal assistance, etc. It is worth noting that programs offering alcohol and drug treatment services also fall under the Federal Confidentiality Regulations (also known as “Confidentiality of Alcohol and Drug Abuse Patient Records Title 42 CFR Chapter One Part 2). This legislation is fairly detailed and wide sweeping in nature. Under the Federal Confidentiality Regulations, release of information concerning clients enrolled in addiction treatment services is generally limited to disclosures only if permitted in writing by the client. Some exceptions to this apply but will not be discussed in this Notice.
b. Payment Functions: We may use or disclose your PHI for all activities that are included within the definition of “payment” set out in the Privacy Rule and we may use or disclose your PHI to obtain payment for the services we provide. For example, use may use or disclose your PHI to determine eligibility for plan benefits, obtain premiums, facilitate payment for the treatment and services received from providers, determine program responsibilities for benefits, and to coordinate program benefits. In addition, payment functions may include reviewing the medical necessity for health care services, reviewing a plan of care for payment to one of Mirror’s community-based partners, such as a state mental hospital, a Community Mental Health Center, a Regional Alcohol and Drug Abuse Treatment or Assessment Center. We may also use or disclose your PHI to facilitate proper payment for treatment such as providing your Medicaid or other health insurance coverage identification number to a health care provider, a pharmacy, or other health providers who have agreed to provide services for our clients. The definition of “payment” includes many more items, so please refer to the Privacy Rule for a complete list.
c. Health Care Operations: We may use or disclose your PHI for all activities that are included within the definition of “health care operations” set out in the Privacy Rule. For example, we may use or disclose your PHI to carry out necessary program related activities. Such activities may include activities related to plan coverage; conducting quality assessment and improvement activities; conducting or arranging for medical or program reviews, legal services, audit services, and fraud and abuse detection programs; business planning, management and general administration; case management and care coordination; accreditation, certification, licensing, or credentialing activities. The definition of “health care operations” includes many more items, so please refer to the Privacy Rule for a complete list.
2. Disclosures to Other Entities
a. Business Associates : We may disclose your PHI to a “business associate,” such as our billing service, which performs administrative services on our behalf. Business associates are permitted to receive, create, maintain, use, or disclose PHI, but only as provided in the Privacy Rule, and only after agreeing in writing to appropriately safeguard your PHI. b. Other Covered Entities : We may disclose your PHI to other health care providers, health care clearinghouse or health plans, in connection with their treatment, payment, or health care operations.
3. Uses and Disclosures for Which Your Permission May Be Sought
For purposes of this subsection only, the following conditions apply. If you are present and able to give your verbal permission, we will only use or disclose your PHI with your permission. This verbal permission will only cover a single encounter, and is not a substitute for a written authorization. If you are not present or are unable to give your permission, we will use or disclose your PHI only if we determine (based on our professional judgment) that the use or disclosure is in your best interest.
a. To Others Involved in Your Care : We may use or disclose your PHI to a relative or other individual who you have identified as being involved in your health care. If you are not present, our disclosure will be limited to the PHI that directly relates to the individual’s involvement in your health care.
b. For Limited Notification Purposes : We may use or disclose your PHI to help notify a relative or other individual who is responsible for your health care, of your location, general condition or death.
c. To Assist in Disaster Relief : We may disclose your PHI to an authorized public or private entity in order to assist in disaster relief efforts, or to coordinate uses and disclosures to relatives or other individuals involved in your health care.
4. Other Permitted Uses and Disclosures
a. Required by Law : We may use and disclose your PHI as required by federal, state or local law. As mentioned in Section B.1 above, the Federal Confidentiality Law also specifies when treatment providers are required to release information to the courts. Again this law is detailed and specific in nature and the court order must meet rigorous criteria set forth in 42 CFR 1-Part 2.
b. Public Health: As required by law, we may use and disclose your PHI for public health activities that are permitted or required by law. For example, we may disclose your PHI to public health authorities for purposes related to preventing or controlling disease, injury or disability; reporting to the Food and Drug Administration problems with products and reactions to medications; and reporting disease or infection exposure.
c. Disclosures about Victims of Abuse, Neglect or Domestic Violence: We may disclose your PHI, consistent with applicable federal and state laws, if we reasonably believe that you have been a victim of abuse, neglect, or domestic violence. Such disclosure will be made to a government authority, such as a social service or protective services agency which is authorized by law to receive reports of such abuse, neglect or domestic violence.
d. Health Oversight Activities: We may disclose your PHI to health oversight agencies during the course of audits, investigations, inspections, licensure and other proceedings related to oversight of the Mirror programs. Examples would be sharing health information with the Kansas Department of Social and Rehabilitation Services, Division of Health Care Policy, Mental Health, Addiction and Prevention Services for their licensure activities involving free standing addiction focused facilities, or the Kansas Department of Corrections, Administrative Office of the United States Courts, United States Probation Office and the United States Department of Justice, Federal Bureau of Prisons for their audit and/or compliance activities involving contracting agencies.
e. Judicial and Administrative Proceedings: We may disclose your PHI in the course of any administrative or judicial proceeding.
f. Law Enforcement: We may disclose your PHI to a law enforcement official for limited purposes such as identifying or locating a suspect, fugitive, material witness or missing person, or complying with a court order or subpoena or other law enforcement purposes.
g. Coroners, Medical Examiners and Funeral Directors: We may disclose your PHI to coroners, medical examiners and funeral directors as necessary for them to carry out their duties, such as identifying a deceased person or determining the cause of death.
h. Organ and Tissue Donation: We may disclose your PHI to organizations involved in procuring, banking, or transplanting organs and tissues, as necessary to facilitate organ or tissue donation and transplantation.
i. To the Secretary: We will disclose your PHI to the Secretary of the Department of Health and Human Services, when required to do, to enable the Secretary to investigate or determine our compliance with HIPAA and the Privacy Rule.
j. Public Safety: We may disclose your PHI to appropriate persons in order to prevent or lessen a serious and imminent threat to the health or safety of you, a particular person, or the general public. Any disclosure, however, would only be made to someone able to prevent the threat.
k. Proof of Immunization: We will disclose proof of immunization to a school that is required to have it before admitting a student if you have agreed to the disclosure on behalf of yourself or a dependent.
l. Specialized Government Functions: We may disclose your PHI, if you are in the Armed Forces, for activities deemed necessary by appropriate military command authorities, for determination of benefit eligibility by the Department of Veterans Affairs, or to foreign military authorities if you are a member of that foreign military service. We may disclose your PHI to authorized federal officials for conducting national security and intelligence activities (including for the provision of protective services to the President of the United States) or to the Department of State to make medical suitability determinations.
m. Worker’s Compensation: We may disclose your PHI as necessary to comply with Worker’s Compensation or similar laws.
n. Appointment Reminders: We may use and disclose your PHI to contact you with appointment reminders for treatment or services provided by Mirror.
o. Research Activities: We may disclose your PHI for research purposes when an institutional review board or a privacy board has (i) reviewed the research proposal and established protocols to ensure the privacy of the information, and (ii) approved the research.
p. Additional Services: We may use or disclose your PHI to send you information about alternative medical treatments and programs, or about health-related products and services that may be of interest to you, provided Mirror does not receive financial remuneration for making such communications. We may similarly describe products and services provided by Mirror and tell which plans Mirror participates in. When we see you, we may also use your PHI to encourage you to maintain a healthy lifestyle and get recommended tests, recommend that you participate in a disease management program, provide you with promotional gifts of nominal value, and tell you about government sponsored health programs. Finally, we may receive compensation that covers our cost of reminding you to take and refill your medication, or otherwise communicate about a drug or biologic that is currently prescribed to you.
q. Fundraising: We may use or disclose your PHI to contact you for fundraising purposes. However, you have the right to opt-out of receiving such fundraising communications. If you opt-out, we will not contact you for fundraising purposes.
r. Inmates, Parolees and Individuals on Probation: If you are an inmate of a federal or state correctional institution or are under the custody or supervision of a law enforcement official, then we may release your PHI necessary (i) for the institution or law enforcement official to provide you with or make referral for proper health care; (ii) to protect your health and safety or to protect the health and safety of others; or (iii) to protect the safety and security of the correctional institution or Mirror programs.
C. When Mirror May Not Use or Disclose Your Health Information.
Except as described in this Notice, we will not use or disclose your PHI without your written authorization. In addition, we are required to obtain your authorization under the following circumstances:
1. Psychotherapy Notes: Most uses and disclosures of psychotherapy notes will require your authorization.
2. Marketing: Uses and disclosures of PHI which result in Mirror receiving financial payment from a third party whose product or services is being marketed will require your authorization.
3. Sale of PHI: Disclosures that constitute a sale of PHI will require your authorization. If you do authorize us to use or disclose your PHI for another purpose, you may revoke your authorization in writing at any time by sending your written revocation to the Contact Office listed at the end of this Notice. If you revoke your authorization, we will no longer be able to use or disclose your PHI for the reasons covered by your written authorization. Please understand that criminal justice referrals are unable to revoke authorization(s) to certain parties.
D. Statement of Your Health Information Rights
1. Right to Request Restrictions: You have the right to request restrictions on certain uses and disclosures of your PHI. Mirror is not required to agree to the restrictions you request. Your request must be in writing. In your request, you must tell us (1) what information you want to limit; (2) whether you want to limit our use, disclosure or both; and (3) to whom you want the limits to apply, for example, disclosure to your spouse. Request forms are available from and must be submitted to the Contact Office listed at the end of this Notice. Again, we are not required to agree to your request. However, if you tell us not to disclose your PHI to your health plan concerning health care items and/or services for which you have paid for in full out-of-pocket, we will abide by your request.
2. Right to Request Confidential Communications: You have the right to request that we communicate with you about medical matters and receive your PHI through a reasonable alternative means or at an alternative location. For example, you can ask that we only contact you at work or by mail. We will not ask you the reason for your request. Your request must be in writing. In your request, you must tell us how or where you wish to be contacted. Request forms are available from and must be submitted to the Contact Office listed at the end of this Notice. We will make reasonable efforts to accommodate your request.
3. Right to Inspect and Copy: You have the right to inspect and copy your PHI that may be used to make decisions about your treatment or benefits, with the exception of psychotherapy notes, treatment plan evaluations, discharge summaries, alcohol/drug assessments, or information gathered for and used in legal or administrative proceedings. To inspect and copy such information, you must submit your request in writing to the Contact Office listed at the end of this Notice. If you request a copy of the information, we require that you prepay a reasonable fee to cover expenses associated with your request. Typically, we would charge $1.00 per copied page and $25.00 per hour of staff time to locate and copy your health information (regardless of the number of pages involved there will be a minimum charge of $25.00 assessed to you). We may deny your request to inspect and copy in certain very limited circumstances; if we deny you access to your PHI, you may request that the denial be reviewed.
4. Right to Request Amendment: You have the right to request that Mirror amend your PHI that you believe is incorrect or incomplete. Your request must be in writing and must include a reason or explanation that supports your request. Request forms are available from and must be submitted to the Contact Office listed at the end of this Notice. If we approve your request, we will include the amendment in any future disclosures of the relevant PHI. If your request is denied, we will provide you with information about our denial and how you can disagree with the denial. The denial, statement of disagreement, and rebuttal will be included in any future disclosures of the relevant PHI. We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend PHI that: is not part of the PHI maintained by Mirror; was not created by us, unless the person or entity that created the information is no longer available to make the amendment; is not part of the information which you would be permitted to inspect and copy; or is accurate and complete. All denials will be made in writing.
5. Right to an Accounting of Disclosures: You have the right to receive a list of “accounting of disclosures” of your PHI made by us, except that we do not have to account for disclosures made for treatment, payment or health care operations (unless the disclosure was made through an electronic health record), disclosures authorized by you or disclosures made to you. If the PHI disclosed is an “electronic health record,” the accounting will include disclosures up to three years before the date of your request. If the PHI disclosed is not an “electronic health record,” the accounting will include disclosures up to six years before the date of your request. Your request must be in writing. Your request must include the time frame that you would like us to cover. Request forms are available from and must be submitted to the Contact Office listed at the end of this Notice. A minimum of $25.00 will be assessed to you for this request since a brief letter will need to be drafted and sent to you at the location designated by you. Again, we will require that you pre-pay for this service.
6. Right to Paper Copy: You have the right to receive a paper copy of this Notice at any time. Even if you have agreed to receive this Notice electronically, you are still entitled to a paper copy. To obtain a paper copy of this Notice, send your written request to the Contact Office listed at the end of this Notice. You may also obtain a printable copy of this Notice at our website (www.mirrorinc.org).
E. Complaints
If you believe your privacy rights have been violated, you may file a complaint with us, or with the Secretary of the Department of Health and Human Services, Region 7, Office of Civil Rights, Bolling Federal Building, 601 East 12th Street, Kansas City, MO 64106. To file a complaint with us, send a written complaint to the Contact Office listed at the end of this Notice. You will not be retaliated against for filing a complaint. Your health care services and/or benefits with Mirror will not be affected in any way.
F. Contact Office
Mirror, Inc.
Attn: Privacy Officer
Newton, KS 67114
Phone: (316) 283-6743
Fax: (316) 283-6830