Privacy Practices


    I. Duty to Safeguard Protected Health Information.

Individually identifiable information about your past, present, or future physical or mental condition, the provision of health care to you, or payment for your health care is considered "Protected Health Information" ("PHI"). As a covered entity under the Health Insurance Portability and Accountability Act (“HIPAA”) regulations, is required to extend certain protections to your PHI, and to give you this Notice about our privacy practices that explains how, when, and why we may use or disclose your PHI. Except in specified circumstances, we must attempt to use or disclose only the minimum amount of PHI necessary to accomplish the intended purpose of the use or disclosure.

We are required to follow the privacy practices described in this Notice, however we reserve the right to change our privacy practices and the terms of this Notice at any time. If we exercise our right to make such changes, we will distribute a copy of the new Notice to each affected individual by the most appropriate means. The document will be posted on our website and a printed version is available by contacting our HIPAA Privacy Officer at the address listed in Section V below.

    II. How We May Use and Disclose Your Protected Health Information.

The following is a description of how we are most likely to use and/or disclose your protected health information. We have a limited right to use and/or disclose your PHI for purposes of treatment, payment or our health care operations. For uses beyond that, we must have your written authorization unless the law permits or requires us to make the use or disclosure without your authorization. If we disclose your PHI to an outside entity in order for that entity to perform a function on our behalf, we must have in place an agreement from the outside entity that it will extend the same degree of privacy protection to your information that we must apply to your PHI. However, the law provides that we are permitted to make some uses/disclosures without your consent or authorization. The following offers more description and some examples of our potential uses/disclosures of your PHI.

Uses and Disclosures Relating to Treatment, Payment, or Health Care Operations. Generally, we may use or disclose your PHI as follows:

    For treatment: We may disclose your PHI to doctors, nurses, and other health care personnel who are involved in providing your health care. For example, your PHI will be shared among members of your treatment team. Your PHI may also be shared with outside entities performing ancillary services relating to your treatment, such as lab work or x-rays, or for consultation purposes, or federal or state Alcohol, Drug Addiction and Mental Health (ADAMH) boards and/or community mental health (CMH) boards or agencies involved in provision or coordination of your care.
    To obtain payment: We may use/disclose your PHI in order to bill or make payment for your health care services. For example, we may disclose information about you to our third party administrator (TPA) in order that the TPA can verify coverage of treatment you are seeking.
    For health care operations: We may use/disclose your PHI in the course of operating our business as it relates to services provided to you.

Uses and Disclosures Requiring Authorization: For uses and disclosures beyond treatment, payment and operations purposes we are required to have your written authorization, unless the use or disclosure falls within one of the exceptions described below. Authorizations can be revoked at any time to stop future uses/disclosures except to the extent that we have already undertaken an action in reliance upon your authorization.

Uses and Disclosures of PHI Not Requiring Consent or Authorization: The law provides that we may use/disclose your PHI from health records without consent or authorization in the following circumstances:

    When required by law: We may disclose PHI when a law requires that we report information about suspected abuse, neglect or domestic violence, or relating to suspected criminal activity, or in response to a court order. We must also disclose PHI to authorities that monitor compliance with these privacy requirements.
    For public health activities: We may disclose PHI when we are required to collect information about disease or injury, or to report vital statistics to the public health authority.
    For health oversight activities: We may disclose PHI to our TPA, the protection and advocacy agency, or another agency responsible for monitoring the health care system for such purposes as reporting or investigation of unusual incidents.
    Relating to decedents: We may disclose PHI relating to an individual's death to coroners, medical examiners or funeral directors, and to organ procurement organizations relating to organ, eye, or tissue donations or transplants.
    For research purposes: In certain circumstances, and under supervision of a privacy board, we may disclose PHI to our TPA’s research staff and their designees in order to assist medical/psychiatric research.
    To avert threat to health or safety: In order to avoid a serious threat to health or safety, we may disclose PHI as necessary to law enforcement or other persons who can reasonably prevent or lessen the threat of harm.
    For specific government functions: We may disclose PHI of military personnel and veterans in certain situations, to correctional facilities in certain situations, to government benefit programs relating to eligibility and enrollment, and for national security reasons, such as protection of the President.

Uses and Disclosures Requiring You to have an Opportunity to Object: In the following situations, we may disclose a limited amount of your PHI if we inform you about the disclosure in advance and you do not object, as long as the disclosure is not otherwise prohibited by law. However, if there is an emergency situation and you cannot be given your opportunity to object, disclosure may be made if it is consistent with any prior expressed wishes and disclosure is determined to be in your best interests. You must be informed and given an opportunity to object to further disclosure as soon as you are able to do so.

To families, friends or others involved in your care: We may share with these people information directly related to their involvement in your care, or payment for your care. We may also share PHI with these people to notify them about your location, general condition, or death.

    III. Your Rights Regarding Your Protected Health Information. You have the following rights relating to your protected health information:

To request restrictions on uses/disclosures: You have the right to ask that we limit how we use or disclose your PHI. We will consider your request, but are not legally bound to agree to the restriction. To the extent that we do agree to any restrictions on our use/disclosure of your PHI, we will put the agreement in writing and abide by it except in emergency situations. We cannot agree to limit uses/disclosures that are required by law.

To choose how we contact you: You have the right to ask that we send you information at an alternative address or by an alternative means. We must agree to your request as long as it is reasonably easy for us to do so.

To inspect and copy your PHI: Unless your access is restricted for clear and documented treatment reasons, you have a right to see your protected health information upon your written request. We will respond to your request within 30 days. There are provisions in the law that allow or require that we deny your request for access. If we deny your access, we will give you written reasons for the denial and explain any right to have the denial reviewed. If you want copies of your PHI, a charge for copying may be imposed, depending on your circumstances. You have a right to choose what portions of your information you want copied and to have prior information on the cost of copying. However, we are not required to provide direct access to the systems that contain your PHI but may provide this information in a data extract. You have a right to receive electronic copies of your health information including images linked to such information in the electronic form and format you request, if readily producible, or, if not, in a readable electronic form and format that is mutually agreeable. You also have a right to request a copy of your healthcare information to be transmitted to another person that you designate. However, certain charges may apply and you will be made aware of any charges and have the opportunity to agree to such charge or to change your request before any charge is incurred.

Other Disclosures of PHI: Uses and disclosures of your protected health information for marketing purposes, disclosures that constitute a sale of protected health information require authorization, as well as other uses and disclosures not described in this document will be made only with a HIPAA authorization received from the individual.

Fundraising: We will not use your PHI for the purposes of fundraising as allowed under HIPAA.

Breach Notification: If there is a breach in the security of our systems or those of our business associates on which your PHI is stored such that your information was or may have been accessed then you have a right to be notified following such a breach if your PHI was unsecured, i.e. not encrypted.

Treatment paid out of pocket in full:
Under HIPAA, you are allowed to restrict certain disclosures of protected information from your health plan if you pay out of pocket “in full” for such healthcare item or service. However, it is your responsibility to inform the healthcare provider that you have chosen to exercise this right before the service is provided. This includes to the physician who is providing treatment and/or the pharmacy that dispenses prescription medications or devices for such treatment. Therefore, you may want to request “paper prescriptions” in such cases so that your decision to pay out of pocket in full can be communicated to the pharmacy before the prescriptions are processed and communicated to the health plan or its agent.

Genetic Information: The Genetic Information Nondiscrimination Act (GINA) was recognized in the 2013 Omnibus HIPAA Changes Rule which prohibits most health plans from using or disclosing your genetic information for insurance underwriting purposes, this includes information about your family medical history.

To request amendment of your PHI: If you believe that there is a mistake or missing information in our record of your PHI, you may request, in writing, that we correct or add to the record. We will respond within 60 days of receiving your request. We may deny the request if we determine that the PHI is: (i) correct and complete; (ii) not created by us and/or not part of our records, or; (iii) not permitted to be disclosed. Any denial will state the reasons for denial and explain your rights to have the request and denial, along with any statement in response that you provide, appended to your PHI. If we approve the request for amendment, we will change the PHI and so inform you, and tell others that need to know about the change in the PHI.

To find out what disclosures have been made: You have a right to obtain a list of when, to whom, for what purpose, and what content of your PHI has been released other than instances of disclosure: for treatment, payment, and operations; to you, your family, persons directly involved in your care, responsible for payment of your care, or pursuant to your written authorization. The list also will not include any disclosures made for national security purposes, to law enforcement officials or correctional facilities, or disclosures made before April 14, 2003. We will respond to your written request for such a list within 60 days of receiving it. Your request can relate to disclosures going as far back as six years. There will be no charge for up to one such list each year. There may be a charge for more frequent requests.

To receive this notice: You have a right to receive a paper copy of this Notice and/or an electronic copy by email upon request. The document will be posted on our website and a printed version is available by contacting our HIPPAA Privacy Officer at the address listed in Section V below.

    IV. How to Complain about our Privacy Practices:

Right to file a Complaint: If you think we may have violated your privacy rights, or you disagree with a decision we made about access to your PHI, you may contact the person or persons listed in Section V below to find out how to file a complaint.

File a complaint with the HHS Secretary: You may also file a written complaint with the Secretary of the U.S. Department of Health and Human Services at Office for Civil Rights, U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Room 509F, HHH Building, Washington, D.C. 20201

The law protects you from retaliatory action if you make such complaints.

    V. Contact Person for Information, or to Submit a Complaint:

If you have questions concerning how to file complaints about our privacy practices, please submit your complaint in writing to: Community Pharmacy, Attn: HIPAA Compliance Officer, 101 Jim Wright Freeway South, Suite 200, Fort Worth, TX 76108

You may also file a complaint through our corporate website at: All complaints must be submitted in writing.

If you have any questions, please contact Community Pharmacy at (866) 361-0300.

    VI. Effective Date: This Notice is effective as of August 1, 2013.