About This Policy
This policy describes the personal information MTBC-PHR collects about you, why MTBC-PHR collects it and how MTBC-PHR uses it. MTBC’s policy also describes the choices you can make about how MTBC-PHR collects and uses your information.
About Medical Transcription Billing Corp. (MTBC®)
MTBC is a healthcare services company that specializes in medical billing, transcription, and electronic medical record (“EMR”) solutions for physicians of all specialties. Physicians and medical practices that use our service have online access to a wide array of reports and features, including practice management reporting, online scheduling, as well as secure access to patients’ protected healthcare information (“PHI”). MTBC has also made available the patient information on the individual websites created for these physicians and specialties.
What Information Does MTBC Collect?
In some areas of this website, we ask for personal information. For instance, a user name (email address) and password must be disclosed in order to log in to MTBC-PHR. A patient can request or create a user name by physician. In such situations, a user may be required to provide certain information, including his/her name, address, email address, and phone number. This list may be expanded without prior notice.
Patients can access their PHI through MTBC-PHR. PHI is information that identifies patients and relates to patients’ past, present, or future physical or mental health or condition, the provision of healthcare to patients, or past, present, or future payment for the provision of healthcare to patients managed for patients’ physician/medical providers. This information is only posted in the Verisign secured Member’s Area, which is 128-bit encrypted and requires a username and password.
What does MTBC do with the information it collects?
This information is collected to help MTBC further develop its services, to provide access to valuable MTBC Internet-based information and services, and to bill as appropriate.
MTBC employs all reasonable and customary measures to protect PHI sent to MTBC through the Internet. Once MTBC receives PHI, it is posted in a secure password-protected database.
MTBC-PHR users are responsible for keeping passwords confidential and will be solely responsible for all uses of their password. If a user becomes aware of any unauthorized use of his or her password, he or she is responsible for contacting MTBC to request deactivation of the password. Most web browsers (Internet Explorer, Netscape, Mozilla, etc.) offer the opportunity to select a “remember password” function on the website. If a user selects this option, the password will thereafter be automatically identified when the user accesses the website. As a result, anyone with access to the specific computer may have access to patients’ PHI. Users alone are responsible for controlling access to their computers and for preventing unauthorized access to PHI.
How we may use and disclose medical information about you.
The following describes different ways that we are permitted to use and disclose medical information. For each category of uses or disclosures we will explain what we mean and try to give some examples. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one of the categories.
We may disclose medical information about you to your healthcare physicians who are involved in caring for you at the clinic. Different departments of the clinic also may share medical information about you in order to coordinate the different services/treatments you need, such as prescriptions, laboratory work, and x-rays. We may also disclose medical information about you to people who may be involved in your healthcare & any other authorized individuals.
We may use and disclose your medical information so that the treatment and services you receive may be billed and payment may be collected from you, an insurance company, or a third party. We may tell your health plan about a treatment you are going to receive in order to obtain prior approval or to determine whether your plan will cover the treatment. We may also give information to someone who helps pay for your care.
For Health Care Operations
We may use and disclose your medical information for Health Care Operations. Healthcare operations are activities that are necessary to make sure that all of our patients receive quality care. We may also disclose information to doctors for review and learning purposes. When we do this, information that identifies you may be removed from this set of medical information so others may use it to study health care and health care delivery without learning who the specific patients are. If ownership of the MTBC-PHR changes as a result of sale, transfer, merger or consolidation, your medical information would be disclosed to the new entity, if that entity was to follow the same privacy policies.
We may use and disclose medical information to contact you as a reminder that you have an appointment for treatment or medical care.
We may use and disclose medical information to tell you about or recommend possible treatment options or health related benefits that may be of interest to you.
As Required By Law:
We will disclose your medical information when required to do so by federal, state or local law.
To Avert a Serious Threat to Health or Safety:
We may use and disclose your medical information when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would be only to someone able to help prevent the threatened harm.
We may disclose medical information about you to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status and location.
Military and Veterans:
If you are a member of the armed forces, we may release your medical information as required by law. We may also release medical information about foreign military personnel to the appropriate foreign military authority as required by law.
We may release your medical information for workers’ compensation or similar programs. These programs provide benefits for work-related injuries or illness.
Public Health Risks:
We may disclose, when requested, your medical information for public health activities. These activities generally include the following:
- to prevent or control disease, injury or disability;
- to report births and deaths;
- to report abuse and/or neglect of a child, elder or disabled person;
- to report reactions to medications or problems with products;
- to notify people of recalls of products they may be using;
- to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition.
Health Oversight Activities:
We may, when requested, disclose your medical information to a health oversight agency for activities authorized by law. These oversight activities include audits, certifications, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.
Lawsuits and Disputes:
If you are involved in a lawsuit or a dispute, we may disclose your medical information in response to a court order. Under certain circumstances, we may also disclose your medical information in response to a subpoena or other lawful process, but we will do so only if efforts have been made to tell you about the request or to obtain an order protecting the information requested or if you or a court have provided written authorization.
We may release your medical information if asked to do so by a law enforcement official, if permitted by law:
- In response to a court order, subpoena, warrant, summons or similar process;
- To identify or locate a suspect, fugitive, material witness, or missing person;
- About the victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement;
- About a death we believe may be the result of criminal conduct;
- About criminal conduct; and
- In emergency circumstances: to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime.
National Security and Intelligence Activities:
If permitted by law, we may release your medical information to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.
If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release medical information about you to the correctional institution or law enforcement official, under certain circumstances if permitted by law. This release would be necessary (1) for the institution to provide you with health care; (2) to protect your health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution.
Your rights regarding medical information about you:
You have the following rights regarding medical information we maintain about you:
Right to Inspect and Obtain a Copy:
You have the right to inspect and obtain a copy of your medical information that may be used to make decisions about your care. This request usually includes medical and billing records but does not include psychotherapy notes. To inspect and obtain a copy of your medical information that may be used to make decisions about you, you must submit your request in writing to our address. For copies of your physician’s office records, please contact your physician’s office directly. If you request a copy of the information, we may charge a fee for the costs of copying, mailing or other supplies associated with your request. We may deny your request to inspect and obtain a copy in certain very limited circumstances.
Right to Amend:
If you think that the medical information we have about you is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment as long as the information is kept by or for the Clinic. Your request for an amendment will become a legal part of your medical record, to be sent out along with the rest of the record whenever a request for copies is received. No part of the original documentation in the medical record can be destroyed.
To request an amendment of your medical record, your request must be made in writing and submitted to our address. To request an amendment of your physician office record, contact your physician’s office directly. In addition, you must provide a reason that supports your request.
We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. We may also deny your request if you ask us to amend information that:
- Was not created by us, or the person or entity that created the information is no longer available to make the amendment;
- Is not part of the medical information kept;
- Is not part of the information which you would be permitted to inspect and copy; or
- Is accurate and complete.
Right to Request an Accounting of Disclosures:
You have the right to request an “accounting of disclosures.” This is a list of the disclosures we made of your medical information for which an authorization was not obtained, or which were not made for purposes of treatment, payment, or healthcare operations.
To request this list or accounting of disclosures, you must submit your request in writing to our practice, Health Information Management, address. Your request must state a time period, which may not be longer than six years and may not include dates before April 14, 2003. Your request should indicate in what form you want the list (for example, on paper, electronically). The first list you request within a 12-month period will be free. For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred.
Right to Request Restrictions:
You have the right to request a restriction or limitation on the medical information we use or disclose about you for treatment, payment or health care operations. You also have the right to request a limit on the medical information we disclose about you to someone who is involved in your care or the payment for your care, such as a family member or friend.
We are not required to agree to your request for restrictions. If we do agree, we will comply with your request unless the information is needed to provide emergency treatment to you.
To request restrictions on your medical records, you must make your request in writing to our practice, Health Information Management, Restriction Request, address. To request restrictions on your physician office records, contact your physician’s office directly. In your request, you must tell us (1) what information you want to limit; (2) whether you want to limit our use, disclosure or both; and (3) to whom you want the limits to apply, for example, disclosures to your spouse.
Right to Request Confidential Communications:
You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we contact you only at work or by mail.
To request confidential communications, you must make your request in writing to the practice Privacy Officer. We will not ask you the reason for your request. At our discretion, we will accommodate all reasonable requests. Your request must specify how or where you wish to be contacted.
Right to a Paper Copy of This Notice:
You have the right to a paper copy of this notice. You may ask us at any time to give you a copy of this notice. Even if you have agreed to receive this notice electronically, you are still entitled to a paper copy of this notice.
You may obtain a copy of this notice at our website. To obtain a paper copy of this notice, please contact the Reception Desk or our Office of Business Conduct.
Third Party Information Gathering
Sharing your information with people and services you trust
- If you share your information with others, you can view a list of who has access to your information and you can revoke sharing privileges at any time. When you revoke someone’s ability to read your health information, that party will no longer be able to read your information, but may have already seen or may retain a copy of the information.
- MTBC-PHR contains links to third-party service providers that are capable of securely integrating information to MTBC-PHR. These service providers (which may include your medical providers) may provide information about certain medical conditions or extend the functionality of MTBC-PHR in other ways. By creating a link to these service providers, you give them permission to integrate your information such as medical records, prescription histories, or test reports to your MTBC-PHR account.
- Some of these third-party service providers will be covered by federal and state health privacy laws (such as the Health Insurance Portability and Accountability Act, or “HIPAA”), and those laws will govern how they may use and share your information. HIPAA requires (as does MTBC-PHR) that you must authorize these providers to send information to your MTBC-PHR account. With that authorization, you also give them permission to integrate certain especially sensitive types of health information (such as mental health or substance abuse records) that are protected by federal and state laws and require special authorization. When you ask MTBC-PHR to send your health information to others, you will also be giving MTBC permission to send those sensitive types of health information.
- All entities or business associates covered by HIPAA are contractually required to comply with HIPAA’s rules related to collection, use, and sharing of your information. All other third-party service providers are contractually required to abide by the privacy & security policies, which require that they comply with strict privacy standards for how they collect, use, or share your information.
A cookie is a small text file that is stored on a user’s computer for record-keeping purposes. Cookies are used on this site. We do not link the information we store in cookies to any personally identifiable information you submit while on our site. We use session ID cookies to make it easier for you to navigate our site. A session ID cookie expires when you close your browser. A persistent cookie remains on your hard drive for an extended period of time. You can remove cookies by following directions in your Internet browser’s “help” file. To learn more about cookies, please visit this link: http://www.microsoft.com/info/cookies.mspx
As users navigate through a website, certain information can be passively collected (that is, gathered without the user actively providing the information), using various technologies and means, such as Internet Protocol addresses, cookies, Internet tags, and navigational data collection. MTBC uses Internet Protocol (IP) addresses on this site. An IP address is a number assigned to a computer by the Internet service provider so that it may access the internet. It is generally considered to be non-personally identifiable information because, in most cases, an IP address is dynamic (changing each time you connect to the Internet), rather than static (unique to a particular user’s computer). MTBC uses an IP address to diagnose problems with its server, report aggregate information and determine the fastest route for your computer to use in connecting to our site in order to administer and improve the website functionality.
MTBC logs IP addresses, or the location of your computer on the Internet, for systems administration and troubleshooting purposes. Log data is used in the aggregate to analyze usage of the website and may be used to contact you for purposes of promoting MTBC products or services. Your data will not be sold to, shared with, or otherwise made available to any third parties. If you reject cookies, you may still use our site, but your ability to use some areas of our site will be limited.
MTBC servers are housed in a well-monitored and secure data center. Moreover, data protection mechanisms, security layers and data encryption measures have been implemented to prevent unauthorized access.
All PHI, as well as demographic information, is password protected and encrypted within the relevant databases. It is important for users to protect their password and computer from unauthorized access. When users submit personal information to the secure areas of MTBC’s website, MTBC encrypts it using Secure Sockets Layer (“SSL”), a software encryption technology. Encryption protects information against unauthorized access and modification once it is stored in the database.