HIPAA Notice of Privacy Practices
Effective January 1, 2014

Northeast Home Medical Supplies Inc.
15 North Lincoln Drive
Cairo, New York 12413


This Notice of Privacy Practices describes how we, our Business Associates and their subcontractors, may use and disclose your protected health information (PHI) to carry out treatment, payment or health care operations (TPO) and for other purposes that are permitted or required by law. (All of our Business Associates are obligated, by law and under contracts with us, to protect the privacy of your protected health information.) We are required by law to maintain the privacy of protected health information, to provide individuals with notice of our legal duties and privacy practices, and to notify affected individuals following a breach of unsecured protected health information. This Notice also describes your rights to access and control your protected health information. "Protected health information" is information about you, including demographic information, that may identify you and that relates to your past, present or future medical condition. If you have any questions about this Notice, please contact our Privacy Officer.

Your protected health information may be used and disclosed by us and others outside of our office that are involved in your care and treatment for the purpose of providing health care services to you, to pay your health care bills, to support business operations and any other use required by federal, state or local law.

Treatment: We will use and disclose your protected health information to provide, coordinate, or manage your health care and any related services. This includes the coordination or management of your health care with a third party. Unless you object in writing and it is not an emergency situation, we may release health information to people identified by you, such as family members or close personal friends or others who are helping to care for you.

Payment: We will use and disclose your protected health information so that the services you receive from us may be billed for and payment may be collected from you or on your behalf from an insurance company or a third party.

Healthcare Operations: We may use or disclose your protected health information in order to facilitate business operations. These activities include, but are not limited to, quality assessment and improvement, employee review, training of medical students, licensing, fundraising, and conducting or arranging for other business activities.

We may use or disclose your protected health information to contact you to remind you of appointments, and inform you about treatment alternatives or other health-related benefits and services that may be of interest to you. If we contact you for fundraising activities, we will provide you the choice to opt out of those activities. You may also choose to opt back in.

We may use or disclose your protected health information in the following situations without authorization: as required by federal, state or local law, public health activities, health oversight, abuse or neglect, food and drug administration requirements, legal proceedings, law enforcement, coroners, medical examiners, organ and tissue donation, research, military activity and national security, workers' compensation,inmates, and law enforcement.

Other Uses and Disclosures will be made only with your written authorization (unless otherwise required by law.) Without your authorization, we may not sell your protected health information or use or disclose your information for marketing purposes. Most uses and disclosures of mental health, addiction or HIV records require authorization unless it is an emergency.

You may revoke your authorization, at any time, in writing, except to the extent that we have taken an action in reliance on the use or disclosure indicated in the authorization.

You have the right to inspect and copy your protected health information (fees may apply) - Pursuant to your written request, you have the right to inspect or copy your protected health information whether in paper or electronic format. Under federal law, however, you may not inspect or copy the following records: Psychotherapy notes, information compiled in reasonable anticipation of, or used in, a civil, criminal, or administrative action or proceeding, protected health information restricted by law, information that is related to medical research in which you have agreed to participate, information whose disclosure may result in harm or injury to you or to another person, or information that was obtained under a promise of confidentiality.

You have the right to request a restriction of your protected health information - This means you may ask us not to use or disclose any part of your protected health information for the purposes of treatment, payment or healthcare operations. You may also request that any part of your protected health information not be disclosed to family members or friends who may be involved in your care or for notification purposes as described in this Notice of Privacy Practices. Your request must state the specific restriction requested and to whom you want the restriction to apply. We are not required to agree to your requested restriction except if you request that we not disclose protected health information to your health plan with respect to healthcare for which you have paid in full out of pocket.

You have the right to request to receive confidential communications from us by alternative means or at an alternative location.

You have the right to request an amendment to your protected health information - If we deny your request for amendment in writing within 60 days, you have the right to file a statement of disagreement with us. We may prepare a rebuttal to your statement and will provide you with a copy of any such rebuttal.

You have the right to receive an accounting of disclosures - You have the right to request a list of disclosures of your health information that we have made that were not for treatment, payment, or health care operations, required by law, or authorized by you. Your written request must state the time period for the requested information and be no greater than six years prior to date of request.

You have the right to receive notice of any security breach - We will notify you if your unsecured protected health information has been breached. We will abide by breach notification requirements under the law.

You have the right to obtain a paper copy of this notice upon request even if you have agreed to receive the notice electronically. The current notice will be posted in our corporate office.

Changes to this Notice - We reserve the right to change this notice. After an amendment is made, the revised notice will apply to all protected health information that we maintain, regardless of when it was created or received. Until such amendment is made, we are required by law to comply with this notice.

If you believe your privacy rights have been violated by us, you may file a written complaint with us or with the Secretary of the Department of Health and Human Services. You may file a complaint with us by notifying our Privacy Officer at the address listed above. We will not retaliate against you for filing a complaint.

HITECH stands for:

Health Information Technology for Economic and Clinical Health Act

  • It is part of the American Recovery and Reinvestment Act (ARRA).
  • The HITECH interim rule was enacted in 2009.
  • Widened the scope of privacy and security protections under HIPAA.
  • Included incentives related to health care information technology

such as:

  • creating a national health care infrastructure.
  • adopting an electronic health record (EHR) system.
  • The HITECH final rule was enacted in January, 2013.
  • Made a significant number of changes to HIPAA Privacy and Security.

Electronic data transmission is a double edged sword.

  • More technology = increased vulnerability of personal information.
  • As technology changes we have to do more to protect that information.
  • The confidential information we come in contact with everyday is only as safe as our weakest link.

What is Protected Health Information (PHI)?

  • Any type of individually identifiable health information
  • in any format including:
  • Paper or other media
  • Verbal
  • Photographed or duplicated
  • Electronically maintained and/or transmitted

What makes PHI identifiable?

  • Name
  • Address
  • Zip Code
  • Telephone number
  • Fax number
  • Photographs
  • Fingerprints
  • Email address
  • Internet address
  • Dates
  • Social Security Number
  • Medical Record Number
  • Patient Account Number
  • Insurance Plan Numbers
  • Vehicle Information
  • License Numbers
  • Medical Equipment
  • Numbers

Any unique number, code or characteristic that links information to a specific individual.

  • Patient Right to Send Record Copies to Others
  • Patients may also request that copies of their medical records be sent to other designated individuals.
  • Requests must be made in writing, clearly identifying the designated recipient and where to send the copy.
  • Records may be provided in an unencrypted form if the patient understands the risk and agrees in writing.
  • It is recommended that records not be sent via email.

Managing Written PHI
Documents containing PHI must be:

    • Turned face down when not in use.
    • Kept locked in an office, file cabinet or other storage location.
    • Check printers, fax machines and copiers after using to ensure that no papers are left behind.
    • Never remove paper documents containing PHI from any facility.

Faxing PHI

      • Faxing patient information outside of Northeast Home Medical Supplies Inc. is allowed in situations when health information is needed immediately or when mail or courier delivery will not meet a necessary timeframe.
      • Employees authorized to fax PHI must confirm the accuracy of the fax numbers and security of recipient machines.
      • Any fax that is sent to a location outside of Northeast Home Medical Supplies Inc. must be accompanied by a Northeast Home Medical Supplies Inc - approved fax cover sheet
      • Fax machines used to receive or transmit health information must be located in a secure area to protect the information from unauthorized users.

Receiving faxes:

      • Schedule with the sender whenever possible so that the faxed documents can be promptly removed from the fax machine.
      • Notify the sender if you receive a misdirected fax so the fax can be sent to the correct party.

Disposal of Paper Containing PHI

      • Dispose of documents with PHI (faxes, printed emails, informal notes or copies of patient notes) either by tearing them up or placing in secured shredder bins.
      • Never dispose of documents containing PHI in a trash or recycle receptacle or in a publicly accessible area.
      • Copies of PHI used for case presentations or other academic requirements must be destroyed in a confidential manner.
      • Acceptable Use of Northeast Home Medical Supplies Inc.

Information Technology Resources

  • Northeast Home Medical Supplies Inc. workforce members are responsible for the appropriate use and security of ePHI when using any IT resource.
  • Using any unauthorized IT resources or IT resources that could disrupt operations or compromise security is prohibited.

Data Authentication and Physical Safeguards

  • To protect from unauthorized access, IT resources must be physically secured.
  • Never leave computers or laptops unattended or unsecured in public areas.

Include a unique Access Control to Facilities

  • Northeast Home Medical Supplies Inc. limits physical access to all confidential information, including to the facilities in which it is housed.
  • Lock all file cabinets and rooms that contain confidential information.
  • Always wear your Northeast Home Medical Supplies Inc. identification badge for proper access.

Virus Protection
All computer equipment connected to the Northeast Home Medical Supplies Inc. network must:

  • have Northeast Home Medical Supplies Inc. approved, updated anti-virus protection software installed.
  • remain current with the manufacturer's operating system's security software updates.

Disposing of Electronic Confidential Information

  • Secure methods must be used to dispose of electronic data and output.
  • Prior to the removal or sale of any electronic storage media/devices, contact the Northeast Home Medical Supplies Inc. Materials Management Department to remove all Northeast Home Medical Supplies Inc. information, including PHI, residing on the devices.
  • Never leave computers/laptops or other devices unattended when planning disposal.

Electronic Systems Access Control

  • Access to Northeast Home Medical Supplies Inc. information systems is granted only to appropriately identified, validated and authorized individuals.
  • Users must each have a unique login and password.
  • Memorize your password and do not share your account information (username/password), password creation or password changes.
  • Do not log in to your computer to allow a fellow student to work under your username or request that another student do the same for you.

Electronic Systems Access Control

  • Ensure that all laptops are encrypted as required by Northeast Home Medical Supplies Inc. policy.
  • Always log off your computer or use a screen saver after using a shared computer or when your computer is left unattended.
  • You may be held responsible for improper access by another individual under your username and password. Electronic PHI (ePHI)
  • ePHI is Protected Health Information stored on electronic systems or transmitted through electronic means.

Includes personal information stored on:
Personal Computers with internal hard drives.

Removable storage devices such as:

  • USB memory sticks/keys
  • CDs/DVDs
  • Disks
  • Back-up tapes
  • External hard drives
  • Mobile Devices
  • Electronic transmission is data exchanged via the network, including wireless and DSL/cable home network connections.

Emailing PHI

  • Hand deliver or mail PHI whenever possible.
  • When necessary for treatment, payment or operations, email PHI only to individuals that are authorized to receive the information.
  • E-mail only from and to secure addresses with the Northeast Home Medical Supplies Inc. network (i.e. addresses ending in www.nehms.net)
  • Verify the recipient's address as secure before sending PHI via e-mail.
  • Email encryption must be used to send any confidential information outside of the Northeast Home Medical Supplies Inc. network. Email Encryption

To send a secure email:

  • Click the icon in the upper left hand corner of the email message screen OR
  • Include[Secure] (brackets and the word) in the email subject line. Texting PHI
  • Texting confidential information, including PHI, is not permitted under any circumstances.
  • Text messages are not encrypted and, therefore, are never secure.
  • Any text message sent containing confidential information, including PHI, is a violation of Northeast Home Medical Supplies Inc. policy, state and federal laws and must be reported immediately.

Social Media

  • PHI or other confidential information should never be shared on social media sites.
  • Any medical information that is posted must be completely de-identified.
  • Although you may think information has been deidentified, it may be possible to identify an individual, even with minimal information.


  • A breach is defined as any improper access, acquisition, use or disclosure of PHI that compromises the security or privacy of the information unless it can be proven that the risk of compromise to the information is low.
  • Includes situations in which more than the minimum necessary PHI is involved.
  • All potential breaches are evaluated Northeast Home Medical Supplies Inc. and mayresult in notifying the affected patient(s) and the Federal Office for Civil Rights (OCR).
  • OCR may investigate any breach that is reported.

Managing Breaches

  • Known or suspected breaches must be acted upon without delay to assess the situation and mitigate risk.

There are strict timeframes for notifying:

  • Affected patient(s)
  • Office for Civil Rights
  • If you know or suspect that a breach has occurred report it to your preceptor or a Northeast Home Medical Supplies Inc. manager immediately.
  • The Northeast Home Medical Supplies Inc. Privacy and/or Security Offices will be contacted for guidance.

Examples of Breaches that Have Occurred at Northeast Home Medical Supplies Inc…


  • Cmns, test results or other confidential communication mailed to the incorrect patient.
  • Discharge paperwork handed to the wrong patient
  • Paperwork containing PHI left in public areas.


  • Discussing a patient's medical information in a public area.
  • Discussing a patient's medical information in front of others without the patient's permission to communicate.

Examples of Breaches that Have Occurred at Northeast Home Medical Supplies Inc.

  • Electronic
  • Accessing patient information for purposes that are not related to job functions, educational responsibilities and/or assigned tasks including the PHI of co-workers, family members, friends, and VIPs.
  • Lost unencrypted laptops or other mobile devices containing PHI.
  • Texting PHI.
  • Computer screens containing PHI that are visible to unauthorized individuals.

Tips for Preventing Breaches

  • Keep track of documents containing PHI (don't leave unattended, don't take in the restroom etc.)
  • Keep private conversations private if PHI is being discussed (you never know who may overhear).
  • Never text PHI.
  • Do not share PHI via social media. Tips for Preventing Breaches
  • Obtain a patient's permission before involving others in a discussion that includes PHI.
  • Do not access or use patient information that is not related to your student responsibilities.
  • Never disclose PHI to anyone that is not authorized to have the information.
  • Encrypt all electronic equipment that may contain PHI. Patient Complaints Regarding Breaches of PHI
  • Patients may contact the UCHC Patient Relations Department with any concerns related to the privacy or security of their PHI.
  • Patients may also elect to register a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights.


this Page

Send Link

to Friends

Store Hours

Monday 9AM - 5PM
Tuesday 9AM - 5PM
Wednesday 9AM - 5PM
Thursday 9AM - 5PM
Friday 9AM - 5PM
Saturday & Sunday closed

Valid XHTML 1.0 Transitional
Valid CSS!