Effective on 3/9/2024
Skin Solutions Dermatology & Skin Cancer Surgery, P.C., a Tennessee for-profit corporation having a principal address at 200 Cool Springs Boulevard, Franklin, Tennessee 37067-2677, U.S.A. (“Skin Solutions Dermatology,” “SSD,” “We,” “Us,” or “Our”), is committed to ensuring the privacy and security of you (“User,” “You,” or “Your”), and Your “protected health information,” or “PHI,” as that term is defined in the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), and the pertinent provisions of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. The rules of privacy under HIPAA (collectively, the “HIPAA Privacy Rules”) afford individuals with a fundamental right to be informed as to how a Covered Entity (as defined herein), such as Skin Solutions Dermatology, may use and/or disclose Your PHI.
This “Notice of Privacy Practices,” or “Notice,” is published pursuant to 45 C.F.R. § 164.520, and is available at https://www.skinsolutionsderm.com/notice-of-privacy-practices/. This Notice informs You of the following: (1) how Skin Solutions Dermatology may use and disclose Your PHI; (2) Your rights with respect to the PHI, and how You may exercise these rights; (3) SSD’s legal duties with respect to Your PHI, including an obligation to maintain the privacy of Your PHI; and (4) whom You can contact regarding the exercise of Your rights and the privacy practices of SSD. Please read this Notice carefully and completely to understand Our practices regarding the use and disclosure of Your PHI, and Your rights with respect to Your PHI, and how You may exercise said rights.
Please be advised that this Notice is different from SSD’s Privacy Policy, available at https://www.skinsolutionsderm.com/notice-of-privacy-practices/, which details Skin Solutions Dermatology’s practices for collecting, maintaining, retaining, transferring, protecting, disclosing, or otherwise using Your personally identifiable information, excluding PHI, by or through the Company’s website available at https://www.skinsolutionsderm.com/ (the “Website”), including any and all content, functionality, and services offered on or through the Website.
This Notice may change from time to time (“Changes”). Please routinely monitor this Notice for any updates, revisions, modifications, or amendments. We will notify You of any Changes by providing access to the newly published Notice on the Website. Skin Solutions Dermatology may notify You via email or by a prominent notice on Our Website, prior to or contemporaneous with the Changes becoming effective, and Skin Solutions Dermatology will update the date at the top of this Notice (the “Effective Date”). If the Changes to this Notice are material, Skin Solutions Dermatology will make reasonable efforts to provide notice to You and to obtain consent (as necessary) to any such Changes, as may be required by the HIPAA Privacy Rules.
Definitions
Business Associate. “Business Associate” means any individual or entity that performs certain functions or activities on behalf of, or in service to, a Covered Entity (as defined herein) that involve the use or disclosure of PHI.
Covered Entity. “Covered Entity” means a health plan, a healthcare clearinghouse, or healthcare provider, like Skin Solutions Dermatology, that transmits any PHI in connection with health-related services.
Health Information Exchange. “Health Information Exchange” or “HIE” means the electronic mobilization or portability of health care information, including PHI, across various organizations, including Covered Entities and health plans or health insurers, in accordance with nationally recognized standards. The exchange of health information, vis-à-vis an HIE, can, among other things: (i) provide quicker access to care, and improved coordination of care, for patients; and (ii) assist healthcare providers and public-health officials in making more informed decisions on the provision of healthcare.
Health Records. “Health Records” means all the paper and electronic records related to a patient’s health care, in the past, present, and future, the records of which contain PHI.
Applicability
Organizations Abiding by the Notice of Privacy Practices. Organizations that follow this Notice of Privacy Practices include all Skin Solutions Dermatology providers offering and providing health care to individuals at their care sites, including, but not limited to, the following care sites:
- Brentwood: 5054 Thoroughbred Lane, Brentwood, Tennessee 37027
- Clarksville: 2130 Wilma Rudolph Boulevard, Clarksville, Tennessee 37040
- Columbia: 1040 North James Campbell Boulevard, Columbia, TN 38401
- Franklin: 200 Cool Springs Boulevard, Franklin, Tennessee 37067
- Hendersonville: 800 Saundersville Road, Hendersonville, Tennessee 37075
- Mount Juliet: 2542 North Mount Juliet Road, Mount Juliet, Tennessee 37122
- Murfreesboro: 818 East Clark Boulevard, Murfreesboro, Tennessee 37130
- Nashville: 6606 Charlotte Pike, Suite 106, Nashville, Tennessee 37209
- Pulaski: 600 East College Street, Pulaski, Tennessee 38478
- Smyrna: 617 Potomac Place, Suite 402, Smyrna, Tennessee 37167
- Shelbyville: 2509 Highway 231 North, Shelbyville, Tennessee 37160
Your Privacy Rights
Rights to Your PHI. Your Health Records are the property of SSD. Nevertheless, the HIPAA Privacy Rules afford You a number of rights regarding Your PHI that We use and disclose.
Right to Inspect and Receive a Copy. You may request to inspect or receive an electronic or paper copy of Your Health Records, or other personal records (e.g., billing records). Moreover, You may request that We transmit a copy of Your Health Records, or other personal records, to a third-party individual or entity. In some circumstances, We may deny Your request for certain records, including copies of Your Health Records. To the extent We deny Your request to inspect and/or receive a copy of Your Health Records, We will provide You with a reason for such denial in writing. And, to the extent We deny Your request to inspect and/or receive a copy of Your Health Records, You may request that We designate a licensed health care professional to review the denial. SSD may charge You for any reasonable fees pertaining to the copying, mailing, or transmission of paper or electronic copies of Your Health Record, as well as any other reasonable, pertinent costs and expenses. To make any such request, please consult the Section titled “Requests, Comments, and Complaints.”
Right to Amend. If You believe Our copies of Your Health Records are incorrect, inaccurate, or incomplete, You have the right to request Us to correct, complete, supplement, or otherwise amend Your Health Records. To the extent You exercise Your right to request amendment of Your Health Records, You must provide such request in writing, coupled with an explanation of why the amendment is necessary. If We accept Your request, We will notify You of Our agreement with Your request, and We will amend Your Health Records. Importantly, Your original Health Records will not be deleted or revised; rather, We will add the supplemental information by an addendum to Your Health Records. If, however, We deny Your request, We will provide You with a written explanation of the basis of Our denial, as well as Your rights going forward. To make any such request, please consult the Section titled “Requests, Comments, and Complaints.”
Right to Receive Confidential Communications. You may request that We communicate with You about medical- or health-related matters, including Your Health Records, in a certain manner or at a certain place or location. For example, You may request to receive communications at a P.O. Box, as opposed to a personal, residential address, or You may request to receive communications at an alternative telephone number or electronic-mail address. In some circumstances We may accept an oral or verbal request to receive confidential communications; however, We may require You to provide said request in writing. Importantly, You need not provide a reason for Your request, but You must inform Us of the address to send Your bills for payment. We generally accept all reasonable requests. To the extent We are unable to contact You in the ways or locations You have requested, We may contact You using any information We have. To make any such request, please consult the Section titled “Requests, Comments, and Complaints.”
Right to Restrictions. You may request that We restrict the use and disclosure of Your Health Records for treatment, payment, or health-care operations. You may also restrict the disclosure of Your Health Records to family members or to others who are involved in the delivery of Your health care or the payment of Your health care. We will inform You if We do not agree to Your request. If We do agree with Your request, Our agreement will be in writing, and We will follow Your request. Please be advised that We are allowed to terminate a restriction if We inform You of such termination. If We terminate a restriction, only medical information that was created or received after We notify You will be affected.
While We are not required to agree to Your requested restrictions, We will comply with Your requests to not disclose Your Health Records to Your health plan, or other payor, if the disclosure is for payment or health-care operations purposes, the Health Records pertain solely to items or services for which You have paid out of pocket in full, and the disclosure of the Health Records is not otherwise required by law. Even if We comply with Your request to not disclose Your Health Records, We may nevertheless use and/or disclose Your Health Records in certain situations, including: for emergency treatment, to the Secretary of the Department of Health and Human Services, and for uses and disclosures that do not require Your authorization. To make any such request, please consult the Section titled “Requests, Comments, and Complaints.”
Right to Accounting of Disclosures. You may request that We provide You with an accounting (i.e., a list) of certain disclosures of Your Health Records. Such accounting, however, will be limited to a period of six (6) years prior to the date of Your request. Please be advised that the accounting of disclosures will not include disclosures of Health Records made:
- for treatment, payment, and health-care operations purposes;
- to You, or an individual acting on Your behalf with Your authorization;
- as part of a limited data set which does not contain Health Records that could identify or trace You;
- to correctional institutions or law-enforcement officials; or
- pursuant to provisions of federal law not requiring Us to provide an accounting.
To make any such request, please consult the Section titled “Requests, Comments, and Complaints.”
Right to a Paper Copy of the Notice. You may request a paper copy of this Notice, even if You previously agreed to receive a copy of this Notice in an electronic format. We will make available a copy of this Notice to You no later than the date You first receive service from Us except for emergency services, in which case We will provide the Notice to You as soon as practicable. To make any such request, please consult the Section titled “Requests, Comments, and Complaints.”
Right to Notice of a Breach. To the extent there is an unauthorized disclosure or misuse of Your PHI (hereinafter, a “Breach”), You have a right to be informed of the Breach. We will comply with the requirements of applicable privacy laws related to notifying You in the event of the Breach.
Uses and Disclosures of PHI
Without Your Prior Authorization. Unless otherwise prohibited by federal or state law, Skin Solutions Dermatology may use and disclose Your PHI as follows:
Mandatory Use and Disclosure. We must disclose Your PHI to You, or an individual having a legal right to act on Your behalf (e.g., personal representative, parent, or legal guardian), so as to administer or manage Your rights (and the exercise thereof) described in this Notice. We must also disclose Your PHI to the Secretary of the Department of Health and Human Services, as necessary, so as to ensure the privacy, safety, and security of Your PHI.
For Treatment. We may use or disclose Your PHI to provide You with quality care, or to otherwise coordinate or manage Your treatment of health care and related services. For example, We may disclose Your PHI to other physicians, nurses, pharmacists, technicians, and/or other personnel involved in the delivery of Your health care. We may also disclose Your PHI to third-party entities, including hospitals, pharmacies, health-care facilities, and/or agencies, for the purpose of facilitating the provision or delivery of health-care services, medications, equipment, and/or supplies.
For Health-Care Operations. We may use or disclose Your PHI to facilitate and carry on the business and health-care operations of Skin Solutions Dermatology. For example, We may use Your PHI to perform internal investigations, audits, or quality-control reviews, to assess or promote patient safety, to provide training to SSD’s personnel, to assess and improve outcomes for health-care conditions, and for other purposes, including (without limitation): for licensure, certification, and/or accreditation; to establish and maintain computer systems, and to implement and maintain information security and data privacy; to assess and evaluate patient satisfaction; to comply and abide by federal and/or state laws and regulations; to determine whether SSD should, or can, offer additional health-related services; and all other business reasons that conform with federal and/or state law.
For Billing and Payment. We may use or disclose Your PHI for the purpose of billing and collecting payment for any health-care services rendered by Us for You. Often, Your PHI is used or disclosed to third parties, such as health plans or other payors, to collect payment, at least in part, for the health-care services rendered by Us for You. In some circumstances, You may seek prior authorization from Your health plan (e.g., insurance company) to ascertain if the services are covered by the insurer or payor; in this event, Your PHI may be disclosed to obtain authorization for such services before the services are rendered. The information on or accompanying any bill transmitted to You may include some of the following PHI: information that identifies You, as well as information about the services that were provided to You or the medications You are, or will be, taking. We may also disclose Your PHI to other health-care providers or Covered Entities who may need it for their payment activities.
For Health-Related Programs or Products. Subject to limitations imposed by federal and/or state law, We may use or disclose Your PHI to provide You with information on health-related programs and products, such as alternative medical treatments and programs.
For Contacting You or Providing Reminders. We may use or disclose Your PHI to contact You, whether by physical mail, electronic mail, phone, or text message, for the purpose of: reminding You of an upcoming appointment; requesting to schedule a follow-up appointment; registering You for a procedure; providing You with laboratory or other test results; inquiring about insurance, billing, and/or payment; inquiring about the quality of Our care or health-care services rendered for You; advising You on any medications prescribed for You; and all other purposes necessary to facilitate Your care.
Without Your Prior Authorization Under Certain Circumstances. Unless otherwise prohibited by federal or state law, Skin Solutions Dermatology may use and disclose Your PHI under certain circumstances as follows:
For Communicating with Individuals Involved in Your Care. We may disclose Your PHI to a family member, other relative, or close personal friend—or any other individual You identify—that is directly relevant to that individual’s involvement in Your care, or payments related to Your care. In addition, We may disclose PHI to an individual legally authorized to act on Your behalf, including a parent, a legal guardian, or a designated “personal representative.” If an individual has the authority, by law, to make health-related decisions for You, SSD will generally regard that individual as a “personal representative,” treating that individual in the same manner in which SSD would treat You with respect to Your PHI.
For Health Information Exchange. We may use or disclose Your PHI in certain HIEs in which We participate. We currently participate in the following HIEs: eClinicalWorks Electronic Health eXchange. You may restrict the HIE’s use and disclosure of Your PHI by contacting the HIE for guidance on how to opt out of the HIE. You may also contact Us to request a restriction on the use and disclosure of Your PHI through the HIE. Even if You issue a request of restriction on the use and disclosure of Your PHI, some of Your PHI may still remain available to certain health-care providers or entities, as permitted by law. Stated differently, opting out will not recall Your PHI disclosed with entities in the HIE nor will it prevent access to PHI about You by other means, e.g., request by Your individual health-care providers. To make any such request, please consult the Section titled “Requests, Comments, and Complaints.”
For Business Associates. We may use or disclose Your PHI with Business Associates. Examples of services Our Business Associates perform include billing and payment services, copy services, software implementation and maintenance services, legal services, and other services necessary to facilitate Our operations, services, and care. Business Associates are required by contract and law to protect Your PHI and to only use and disclose PHI as necessary to perform their services for Us.
For De-Identified Health Information. We may use or disclose Your PHI to create “de-identified” information, wherein all personally identifiable information is removed from the data set, so that the corresponding individual remains anonymous from identification or traceability. We may disclose Your PHI to a Business Associate for the purpose of creating de-identified information, regardless of whether We use, or will use, the de-identified information.
For Limited Data Set. We may use or disclose Your PHI to create a “limited data set.” We may disclose Your PHI to a Business Associate for the purpose of creating the limited data set, regardless of whether We use, or will use, the limited data set. The limited data set may only be used and disclosed for research, public health, or health care operations purposes. Any individual or entity receiving the limited data set is generally required to sign an agreement, obliging it to protect and safeguard the PHI.
For Fundraising Activities. We may use Your PHI to contact You to provide information about SSD-sponsored activities, including fundraising programs and events to support research or patient care at SSD. For this purpose, We may use Your contact information, such as Your name, address, phone number, the dates on which You received care at SSD, Your provider’s name, Your treatment outcome and Your payor (e.g., health plan or health insurance) status. To the extent We contact You for fundraising activities, You may elect to “opt out” of future communications regarding fundraising activities. We will provide instructions on how You may “opt out” of future communications regarding fundraising activities.
For Research. We may use and disclose Your PHI to improve public-health processes and outcomes, as well as to develop or acquire new knowledge in the applicable field of medicine or health. For example, We may use Your PHI in preparing to conduct a research project or to see if You are eligible to participate in certain research activities. Prior to using or disclosing Your PHI for research purposes, however, the research project must be approved through a specialized approval process, as required by law. Each research project is approved through a specialized process that balances the research needs with the patient’s need for privacy. We may also contact You to see if You are interested in participating in research; if, however, You do not wish to be contacted for research purposes, or You are not interested in participating in a particular research project, please contact Us in accordance with the Section titled “Requests, Comments, and Complaints.”
Other Disclosures. We may use or disclose Your PHI in other circumstances as follows:
- to governmental authorities, such as social-service or protective-service agencies, for the purpose of reporting victims of abuse, neglect, or domestic violence of minors (e.g., children), elders, or other dependent or incompetent adults.
- for law-enforcement purposes, including the following reasons: to identify a suspect, witness, missing person, or fugitive; to investigate a death believed to have been caused by a crime; to investigate or to deter criminal conduct; to report a crime, a location of the crime, a name of victim(s) of the crime, a witness to the crime, or a name or location of person who committed the crime.
- to correctional institutions or law-enforcement officials, to the extent You are, or become, an inmate of a correctional institution or under the custody of a law-enforcement official.
- for health oversight and public-health reporting, such as disclosing PHI for audits, investigations (e.g., fraud, waste, or abuse), inspections, and licensing to agencies overseeing health organizations, as well as disclosing PHI for some of the following reasons: disease control and injury prevention; to report certain health-related events, such as birth and death; to report abuse or neglect of minors (e.g., children), elders, or other dependent or incompetent adults; to report reactions to medicines or defects with medical products; to inform patients or the public about recalls of any medical products used by the patients or the public; or other reasons authorized under federal or state law.
- for workers’ compensation, as authorized by, or to the extent necessary to comply with, state workers’ compensation laws governing work-related injuries and/or illness.
- to coroners or medical examiners, for the purposes of identifying a deceased individual or to determine a cause of death, or to funeral directors, for the purpose of facilitating any arrangements for a deceased individual.
- for organ procurement, for organ, eye, or tissue transplantation, or for organ donation.
- to organizations assisting in or administering disaster-relief activities, for the purpose of notifying and/or informing Your family (or authorized representatives) of Your medical or wellness condition and Your then-current location.
- to prevent or deter a serious threat to Your health and safety, the health and safety of a third-party individual, and/or the health and safety of the public.
- for specialized governmental functions, including military and veteran activities, as well as for intelligence, counterintelligence, protective services of the President of the United States of America, and other national-security activities authorized by law.
- when required by federal, state, or local law, or ordered by a court, a judicial body, an administrative tribunal, or governmental agency of competent jurisdiction, by and through a court order, discovery request, subpoena, warrant, summons, or other lawful instructions.
- for emergencies, to the extent an emergent situation has arisen and it is not possible to obtain Your consent to use or disclose Your PHI; provided, however, We will make every effort to obtain consent once the emergent situation is resolved or appropriately mitigated.
With Your Prior Authorization. All other uses and disclosures of PHI not authorized by federal or state law, or not otherwise covered by this Notice, will be made only with Your written consent. Examples of circumstances in which You would need to provide authorization include: for marketing purposes, regardless of whether the marketing results in direct, or indirect, payment to SSD by a third-party individual or entity; the sale, or exchange of anything of value, for Your PHI; or the transfer of Your PHI to Your employer. If You provide Us authorization to use or disclose Your PHI, You may nevertheless revoke (or withdraw) that authorization, in writing, at any time. Please be advised, however, that uses and disclosures made before Your revocation are not affected by Your action, and We cannot claw-back, delete, or destroy disclosures We may have already made with Your prior authorization.
Information Security; Contacting SSD
Protective Measures; Internet Transmission. We have implemented physical, administrative, and technical measures designed to secure and protect Your PHI from unauthorized use and disclosure. Notwithstanding the foregoing, the safety and security of Your PHI also depends on You. If You choose to connect with SSD via electronic communications, such as email or text message, We may respond to You in the same manner in which the communication was received and to the email address or account from which You dispatched Your original communication. Unfortunately, the transmission of information via the Internet is not completely secure. Although We exercise best efforts to protect Your PHI, We cannot guarantee the security of Your PHI transmitted over the Internet. Any electronic transmission of PHI is at Your own risk. Please exercise caution in electronically transmitting Your PHI, especially if You are accessing the Internet via a Wi-Fi hotspot or public network. If You have reason to believe that PHI is no longer secure or protected, please immediately notify SSD of the issue in accordance with the section titled “Requests, Comments, and Complaints.”
Requests, Comments, and Complaints. If You believe that Your privacy rights have not been followed as directed by applicable law or as explained in this Notice, or You have questions regarding this Notice or Our other privacy policies, You may contact Us using the contact information below. To the extent You desire to file a complaint, You may file a complaint with Us or the Secretary of the U.S. Department of Health and Human Services. You will not be penalized, or retaliated against, for filing a complaint.
- E-Mail: patienthappiness@skinsolutionsderm.com
- Telephone: 615-771-7546
- U.S. Mail: Skin Solutions Dermatology, 200 Cool Springs Boulevard, Franklin, Tennessee 37067