MedConnect Pharmacy Effective Nov 1st, 2019

General Rule: No Use or Disclosure.

We may not use (within our company) or disclose (outside of the company) protected health information (PHI), except as these policies and procedures permit or require.  “Protected Health Information” or “PHI” means information that relates to a patient’s past, present, or future physical or mental condition, medical treatment, or payments for medical treatment, and that does or can be used to identify the patient.  If a patient brings us PHI, such as medical records, about himself or herself, that PHI will be placed in the patient’s chart and will become a part of the PHI that we keep on that patient.

Workforce members will use, disclose, and request only the minimum necessary PHI needed to perform their duties, except that this rule does not apply to PHI needed to be used, disclosed, or requested for treatment purposes.
Except under certain circumstances (see below), we must have a current and proper written authorization from the patient (or the patient’s personal representative) before we use or disclose a patient’s PHI for any purpose other than a purpose directly related to treatment, payment, or our own health care operations.

  • Authorization Revocation.  A patient may revoke an authorization at any time by written notice.  We will not rely on an authorization we know has been properly revoked.
  • Authorization Expiration.  We will not rely on an authorization we know has expired.
  • Authorization from Another Provider. We will use or disclose PHI as permitted by a valid authorization we receive from another healthcare provider.

As the disclosing entity, we will make our own “minimum necessary” determination with respect to a request for PHI from another health care provider.

Permitted Use or Disclosure Without Authorization (with Oral or Written Agreement).

We may use or disclose a patient’s PHI in the following situations without the need for a written authorization, with the patient’s oral agreement or written agreement, or if the patient is unavailable:

  • To individuals involved in the patient’s care or payment for the patient’s care for involvement and notification purposes, including if the patient is deceased (subject to the patient’s right to object or request a restriction on use and disclosure); and
  • For disaster relief efforts (subject to the patient’s right to object or request a restriction on use and disclosure).

If a patient wants to restrict disclosures of his or her PHI to someone who is involved in the patient’s care or payment for the patient’s care, such as a family member or a close personal friend, the patient may request a restriction.

We may use professional judgment and our experience with common practice to make reasonable inferences of the patient’s best interest in allowing a person to act on behalf of the patient.

Permitted Use or Disclosure Without Authorization or Oral or Written Agreement.

We may use or disclose a patient’s PHI in the following situations, without authorization or an oral agreement or a written agreement:

  • For treatment and services;
  • For payment;
  • For our health care operations;
  • To report abuse, neglect, or domestic violence to a government agency;
  • For certain research projects;
  • As required by law;
  • To avert a serious threat to health or safety;
  • To the United States or a foreign military;
  • As authorized by state worker’s compensation laws;
  • For public health disclosures;
  • For health oversight activities;
  • For legal proceedings, lawsuits, and other legal actions;
  • For law enforcement purposes;
  • To coroners, medical examiners, and funeral directors;
  • For national security and intelligence activities; and
  • For organ, eye, or tissue donation purposes.

Required Disclosures.

We will disclose PHI to a patient (or to the patient’s personal representative) in accordance with these policies and procedures.  We will not disclose to a personal representative we reasonably believe may be abusive to a patient any PHI we reasonably believe may promote or further such abuse, and we will make reports of such abusive behavior as required by law.  

Verification of Identity and Authority.

  • We will always verify the identity of any patient, and the identity and authority of any patient’s personal representative, government or law enforcement official, or other person, unknown to us, who requests PHI before we will disclose the PHI to that person.  Examples of appropriate identification include a photographic identification card, government identification card or badge, and appropriate document on government letterhead.  If the person is not the patient, we will obtain evidence of authority that the person is entitled to receive the PHI.  

If the identity and authority of the requesting individual cannot be verified, the individual will be informed that a new request must be completed and notarized and that we must be able to verify the person’s identity and authority before any PHI is disclosed.  We will document the incident and how we responded.

Third Party Vendors.

We will obtain satisfactory assurance in the form of a written contract that any third party vendors we engage that may receive, create, transmit or maintain PHI on our behalf (“Vendors”) will appropriately safeguard and limit their use and disclosure of the PHI.

These requirements are not applicable to our disclosures to a health care provider for treatment purposes.  We have developed a form Confidentiality Agreement for Vendors. 
  • If we learn that a Vendor has materially breached or violated its Confidentiality Agreement with us, we will take prompt, reasonable steps to see that the breach or violation is cured.  If the Vendor does not promptly and effectively cure the breach or violation, we will terminate our contract with the Vendor.

Patients’ Rights.

We will honor the rights of patients regarding their PHI.

Access.  Our patients have the right to request access to their PHI that we maintain about them. No PHI will be withheld from a patient or his/her authorized personal representative (authority of the personal representative must be confirmed as required by law) seeking access unless we confirm that the information may be withheld in accordance with applicable state or federal law. After receiving a request for access, we will contact our Vendors to retrieve any PHI they may have on the patient.

Requests for access to patient records must be in writing.  The form in which the patient would like to receive the records must be specified in the request (e.g., paper or electronic).  Access to the records will be provided in the form requested if it is readily producible in such format.  If the form requested is not readily producible, records must be provided in readable form agreed to by the individual.  If a patient or his/her authorized representative requests records to be provided in electronic format, the data should be encrypted.  If the patient/authorized representative requests that a copy be transmitted to a person designated by the patient/authorized representative, the request must be in writing.  

If possible, we will act on requests for access to records within 30 days of the request. If we are unable to act on a request within such 30-day period, we will provide written notice to the patient or the patient’s authorized representative, as applicable, and include the reasons for the delay and date by which access will be provided.  If the requested information is not available and the whereabouts are unknown, this information will be documented on the written request and returned to the individual with a copy filed in the patient record.

Charges for copying.  By Ohio statute, we may charge $0.50 per page, plus our postage costs. If the record contains any item that requires a photographic process to copy, such as an x-ray or photograph, we may charge $5.00 per image. If we can deliver records electronically, we will provide the records in electronic form and will charge $0.30 per page, up to a maximum of $200 per request.

Amendment.  Our patients have the right to request an amendment or addendum to their PHI and other records for as long as we maintain them.   Requests to amend PHI, together with an explanation therefor, must be in writing.

  • We will act on a request for an amendment no later than 60 days after receipt of the request if we are able to do so.  If we are not able to respond to the request within such 60-day period, we will provide written notice to the patient or the patient’s authorized representative, as applicable, and include the reasons for the delay and the date by which we will act on the request. 

We will deny a request to amend PHI or records if: (i) we did not create the information; (ii) we do not have the information as part of our health and billing records kept by or for us; or (iii) we believe the information is accurate and complete.

We will not physically alter or delete existing notes in a patient’s chart.  We will inform the patient when we agree to make an amendment, and we will contact our Vendors to help assure that any PHI they have on the patient is appropriately amended, as necessary.  We will also contact any individuals or entities of which we are aware that we have sent erroneous or incomplete information and who may have acted on the erroneous or incomplete information to the detriment of the patient.

Denial of a Request for Access or Amendment.  If a request for access or amendment is denied, written notice will be provided and include the reason for denial. 

Disclosure Accounting. Our patients have the right to an accounting of certain disclosures we made of their PHI within the six years prior to their written request.  Requests for an accounting of disclosures of PHI must be in writing.  Each disclosure we make that we are required to account for (see below) must be documented showing the date of the disclosure, what was disclosed, the purpose of the disclosure, and the name and (if known) address of each person or entity to whom the disclosure was made.  The authorization permitting the disclosure (if required) or other documentation describing the disclosure must be included in the patient’s record and retained for at least six years from the date it was created or, in the case of an authorization, for at least six years from the date that it was last in effect.

  • We will act on a request for an accounting no later than 60 days after receipt of the request if we are able to do so.  If we are not able to respond to the request within such 60-day period, we will provide written notice to the patient or the patient’s authorized representative, as applicable, and include the reasons for the delay and the date by which we will act on the request.

We are not required to account for disclosures we made:  (i) to carry out treatment, billing, and health care operations; (ii) to the patient (or the patient’s personal representative); (iii) incident to a permitted or required use or disclosure; (iv) to parties who receive the patient’s information pursuant to a valid authorization; (v) to those who request the patient’s information through a practice directory (unless the patient has elected to “opt out”); or (vi) to the patient’s family members, other relatives, or friends who are involved in the patient’s care, or who otherwise need to be notified of the patient’s location, general condition, or death (unless the patient has requested a restriction).

We may charge for any accounting that is more frequent than every 12 months, provided the patient is informed of the fee before the accounting is provided.

Restrictions on Uses or Disclosures.  Our patients have the right to request us to restrict uses or disclosures of their PHI, including for treatment, payment, or health care operations.  Patients also have the right to request us to restrict uses or disclosures of their PHI to someone who is involved in their care or payment for their care such as family members or close personal friends. Requests for restrictions on uses or disclosures of PHI must be in writing. If we do agree to a request, we will comply with our agreement (except in an appropriate medical emergency).

We may terminate an agreement restricting use or disclosure of PHI by a written notice of termination to the patient if:

  • The patient agrees to or requests the termination in writing;
  • The patient orally agrees to the termination and the oral agreement is documented; or
  • We inform the patient in writing we are terminating our agreement, except that such termination is only effective with respect to PHI created or received by us after we have informed the patient of the termination of the restrictions.

We will document in the patient’s chart any such agreed-to restrictions.  

Requests for Alternative Communications.  Our patients have the right to request that communications be made to alternate locations (e.g., at work instead of at a home address) or by alternative means (e.g., by phone instead of mail). Requests for alternative communications must be in writing.  We will accept and accommodate reasonable requests for patient communications to alternative locations or by alternative means.

Workforce Training and Management, Complaint Procedures, Data Safeguards, Administrative Practices.

Workforce Training and Management.

  • Training – All members of our workforce will be trained as necessary and appropriate for them to carry out their functions.

After these policies and procedures are adopted, each new workforce member will be trained within a reasonable time after the member starts.  We will also retrain each workforce member whose functions are affected either by a material change in our confidentiality policies and procedures or in the member’s job functions, within a reasonable time after the change.

Our confidentiality policies and procedures attempt to ensure that workforce members have appropriate access to PHI if required for their job duties and prevent workforce members who do not have access from obtaining access to PHI. Workforce members who work with PHI have received appropriate authorization to do so.  Our hiring practices include reference and background checks and other appropriate mechanisms to ensure that access to PHI is appropriate.  When a workforce member is no longer employed by or affiliated with us, access privileges to PHI are terminated as soon as the ending of employment is effective, or sooner if the circumstances warrant. 

Periodic security reminders are provided to our workforce members to ensure awareness of security issues and concerns related to protected health information. Our workforce members receive information on our policies and procedures related to protection from malicious software, log-in monitoring, password management and reporting security incidents.

  • Sanctions, Discipline, and Mitigation – We will develop, document, disseminate, and implement appropriate discipline policies for workforce members who violate our confidentiality policies and procedures or any applicable federal or state privacy law.

Workforce members who violate our confidentiality policies and procedures or any applicable federal or state privacy law will be subject to disciplinary action, possibly up to and including termination of employment or status as a volunteer, consultant, or vendor. 

Complaints – We will implement procedures for individuals to formally complain about our confidentiality policies and procedures or our compliance with them.  We will also implement procedures to investigate and resolve such complaints.  

  • An individual may lodge a complaint with us by filing a written complaint.  Upon receipt of a complaint, we will take action to investigate the complaint and resolve any substantiated allegations.  We will not retaliate against any person who makes a complaint in good faith.

Data Safeguards and Reporting of Breaches of Confidentiality – We will strengthen these confidentiality policies and procedures with such additional policies and procedures as are needed to have reasonable and appropriate administrative, technical, and physical safeguards in place to ensure the integrity and confidentiality of the PHI we maintain.

Access to PHI is authorized, established, maintained and modified based on the minimum amount of protected health information necessary for workforce members to perform their jobs effectively. Documentation is maintained of all user accounts and authorized access privileges. Reviews of access rights and user accounts are conducted at regular intervals to ensure continued appropriateness of accounts and levels of access. Access privileges are modified or revoked whenever a user’s job function or access requirements change.  Modifications to user accounts are made with appropriate authorization.

We follow accepted standards of practice for creating, changing and safeguarding passwords.  

Members of our workforce are required to create passwords for user accounts, email and screensaver protection.  Passwords should not be based on personal information such as nicknames, family names, birthdates, or other information that can be easily guessed. Group passwords are not allowed.  We require all workforce members to change passwords regularly.  

We have systems and processes in place for guarding against, detecting and reporting malicious software. Members of our workforce are not allowed to open email attachments from unknown or untrustworthy sources, and are not allowed to download software from the Internet or install software on desktops or laptops without prior authorization.

We maintain access controls to limit the physical access to our practice and electronic information systems to authorized individuals, and we maintain procedures to prevent unauthorized access to our practice and tampering or theft of our equipment.

When we transmit PHI in email communications, we only transmit the minimum amount of information needed to achieve the purpose of the communication.  We will encrypt all email communications containing PHI and include the following statement or a similar statement in all emails as an extra precaution: 

Confidentiality Requirement:  This email message, including any attachment(s) is for the sole use of the intended recipient(s) and may contain confidential information.  Any unauthorized review, use, disclosure or distribution is strictly prohibited.  If you are not the intended recipient, please immediately contact the sender by email.

We will take reasonable steps to limit uses and disclosures of PHI that are incidental to an otherwise permitted or required use or disclosure.

All workforce members are required to report immediately any suspected or known violation of these confidentiality policies and procedures or any case in which a patient’s PHI might have been compromised.  Examples include:

  • Misdirected e-mails containing PHI;
  • Unencrypted lost or stolen laptops, PDAs, flash drives, or thumb drives with PHI on them;
  • Throwing away handwritten files or notes, including post-its, on a patient chart without shredding them first; or
  • Faxing patient information to an incorrect fax number.

We will conduct an investigation of any alleged breach of confidentiality, and we will comply with any state or federal notifications laws that may apply to the information breach.

Documentation and Record Retention – We will maintain in written or electronic form all medical record documentation for six years from the date of creation or from the date the document was last in effect, whichever is later, or for such longer period of time as may be required under state law.

Authorization to Contact. 

Marketing – Med Connect and its affiliates may use my contact information for marketing purposes.