Office Policies

Telephone calls

Routine needs such as test results, prescription refills, referral requests, medical questions or setting up appointments are handled most efficiently during office hours. No refills or referrals will be issued on nights and weekends.

Cancellation policy

If you are unable to keep your appointment, you must cancel at least 24 hours prior to an appointment to avoid a fee ($25 or the amount equal to your co-pay).

Payments

Please bring your insurance card(s) and photo ID with you to all appointments. Your payment is expected at the time of your appointment.

Prescriptions

For routine prescription refills, please contact your pharmacy and your pharmacy will request authorization from our office. Your refill will be ready at your pharmacy within 3 business days.

For mail order prescriptions or a prescription that cannot be refilled over the telephone, please call our main number and select option 3 to leave a message with your refill request. When leaving a message for a prescription, please include the patient's name, date of birth, the name of the medication(s) and a phone number where we can reach you. We ask that you call for your refills at least three days before your supply runs out. Please allow 48-72 hours for us to process your request.

Referrals

For primary care patients, most referrals originate in our office and must be approved by one of our physicians. The physician may ask to see you first before referring you to a specialist. 

We require at least 72 hours for non-emergency referrals. Please call the office with your request during regular office hours and have your insurance information available. If you fail to request a referral at least 72 hours in advance of your specialist appointment or test, you may have to reschedule your appointment. Most referrals are produced electronically and a paper copy is not needed to take with you to your appointment. If your specialist requires a paper copy, please notify our office at least 3 days in advance of your appointment so you may pick it up.

If a specialist requires any diagnostic tests, you may need to obtain a referral and authorization from our office. Be ready to provide us with the name and phone number of the specialist, number of visits required, and where the procedure is taking place. 

Referrals are valid for only a specific period of time. Please check with your insurance company for specific instructions regarding coverage.

Minor patient policy

In order for us to give your child the best care possible, it is essential that a parent or legal guardian accompany your child to office visits. If this is not possible, we need a letter signed and dated by the parent/legal guardian giving us permission to provide the child with care and/or immunizations.

Hospital affiliation

We are employed by Capital Health and utilize the medical services that are provided at the health system's two hospitals - Capital Health Regional Medical Center and Capital Health Medical Center - Hopewell. This provides our patients with access to the area's most advanced medical services, including neurosciences, digestive health, level II trauma care, Mercer County's only regional perinatal center (including the area's only level III Neonatal Intensive Care Unit), pediatric emergency services, oncology and much more.

Our affiliated hospitalist physicians will see you if you're admitted to one of our hospitals. This allows us to provide a better continuum of care from the time you're admitted until after you're discharged. The hospitalist will take care of you while you're at our hospitals and provide pertinent details of your hospital visit to your regular physician after you leave so that he or she can continue to provide your care on an outpatient basis.

Privacy policy

Federal law

HIPAA

The HIPAA Privacy Rule (45 CFR Parts 160 and 164) provides the "federal floor" of privacy protection for health information in the United States, while allowing more protective ("stringent") state laws to continue in force. Under the Privacy Rule, protected health information (PHI) is defined very broadly. PHI includes individually identifiable health information related to the past, present or future physical or mental health or condition, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. Even the fact that an individual received medical care is protected information under the regulation.

The Privacy Rule establishes a federal mandate for individual rights in health information, imposes restrictions on uses and disclosures of individually identifiable health information, and provides for civil and criminal penalties for violations. The complementary Security Rule includes standards for protection of health information in electronic form.

Rights under the Privacy Rule

The individual, who is the subject of Protected Health Information (PHI), has the following rights under the Privacy Rule:

  • Right to access, inspect and copy PHI held by hospitals, clinics, health plans and other "covered entities," with some exceptions
  • Right to request amendments to PHI held by "covered entities"
  • Right to request an accounting of disclosures that have been made without authorization to anyone other than the individual for purposes other than treatment, payment and health care operations
  • Right to receive a Notice of Privacy Practices from doctors, hospitals, health plans and others in the health care system
  • Right to request confidential communications of PHI, e.g., having PHI transmitted to a different address or a different telephone number
  • Right to request restrictions on uses or disclosures, although the "covered entity" receiving the request is not obligated to accept it
  • Right to complain about privacy practices to the "covered entity" and to the Secretary of Health and Human Services

Limits on uses and disclosures

"Covered entities" that hold PHI may use it without an individual's consent for the purposes of providing treatment to the individual, for payment activities such as claims adjudication and premium setting, and for operating their businesses. They are also permitted to use and disclose PHI as required or permitted by other laws, e.g., laws related to reporting of child or elder abuse, public health oversight and national security investigations. However, those who have PHI must obtain an individual's signed authorization for use of PHI in marketing, research, fundraising, or any other activities that are not part of treatment, payment, health care operations, and other categories specifically identified under the Privacy Rule. A few types of disclosures require that the individual be given an opportunity to agree or object to the disclosure, e.g., whether information should be included in a hospital directory or given to clergy. Based on the professional judgment of a health care professional, some disclosures may be made to friends and family who are involved in an individual's care if such disclosures are found to be in the best interest of the individual.

In addition to specific restrictions on uses and disclosures, the Privacy Rule imposes a general "minimum necessary" requirement on those who hold and use PHI. Except for disclosures to the individual who is the subject of PHI or disclosures for treatment purposes, organizations must limit their uses and disclosures to "minimum necessary" information required to perform a task. They must have policies and procedures that specify what PHI can be viewed by different classes of employees within their workforces, what PHI should be released in response to routine inquiries, and must have a process in place for deciding what PHI should be released in response to non-routine requests.

"Covered entities" must also have formal contracts with their business associates, which use PHI to perform functions on their behalf. Examples of business associates include law firms, accounting firms, accreditation organizations, credentialing services, billing services and third-party administrators. Business associate agreements must stipulate that the business associate will safeguard PHI and will assist the "covered entity" in complying with its obligations with regard to individual rights and oversight by the Secretary of Health and Human Services.

Penalties for violations of privacy

The Privacy Rule includes both civil and criminal penalties for violations of privacy. Generally, penalties are expected to be assessed in cases where organizations or individuals act with willful neglect or intent to cause harm. Civil penalties are specified at $100 per violation, not to exceed $25,000 per person per year for identical violations. Criminal penalties for wrongful disclosure of PHI can go up to $250,000 and/or 10 years imprisonment if the offense is committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.

Security standards

Requirements for safeguarding protected health information (PHI) are found in two separate but complementary Rules under HIPAA. The Privacy Rule requires "covered entities" to have in place "appropriate administrative, physical and technical measures" to safeguard PHI. This obligation must be passed on to business associates in business associate agreements and to researchers in limited data use agreements. The Security Rule, published in final form on February 20, 2003, contains considerably more detail about the meaning of appropriate safeguards.

Although the Privacy Rule applies to PHI in any form, including oral communication, the Security Rule applies only to PHI in electronic form. The standards are divided into three groups: administrative safeguards, physical safeguards, and technical safeguards. Administrative standards include risk analysis and management, assigning security responsibilities, policies and procedures, training of the workforce and contract requirements. Physical safeguards include access to facilities and workstations, as well as device and media controls. Technical safeguards include access controls and audits, authentication and transmission security.

The basic principles for security standards can be found in the HIPAA legislation. The law specifies, among other things, that standards must take into account technical capabilities of systems that contain PHI, cost of security measures and scalability issues, particularly as these might affect small and rural providers. The Department of Health and Human Services (HHS) translated these principles into regulation by creating standards (what must be done) and implementation specifications (how the standard can be met). Implementation specifications are further divided into two groups: those that are required (e.g., risk analysis) and those that are "addressable" (e.g., encryption for transmission of PHI). If an entity chooses not to implement an addressable specification, it must document its reasons why the specification would not be reasonable or appropriate, and implement alternative equivalent measures if reasonable and appropriate.

With the compliance date in April 2005, it is too early at this time to know how doctors, health plans and other entities will interpret and implement the Security Rule. The Rule does require that "covered entities" think about and document the risks they identify and measures they take to ensure protection of PHI. These records are likely to be used for both enforcement and legal actions.

Substance abuse confidentiality requirements

Information related to substance abuse and chemical dependency treatment is protected by section 543 of the Public Health Service Act, and its implementing regulation, 42 CFR, Part 2. This regulation, which supersedes both HIPAA and all more permissive state laws, requires that any disclosure of information related to substance abuse and chemical dependency treatment be accompanied by the individual's signed authorization. There are no exceptions for disclosures related to treatment, payment or health care operations. The only exception relates to movement of information between different components of the Armed Services, including the Veterans Administration. Although the regulation applies only to "federally-assisted" specialized alcohol or drug abuse programs, it is widely interpreted as applying to any federally conducted or funded program, any federally licensed or certified program, programs that are tax exempt, and programs that receive federal funds in any form, e.g., via the Medicaid program.

Other federal laws

In addition to being subject to HIPAA and Substance Abuse Confidentiality Requirements, health care organizations may be subject to several federal laws that touch in some way on privacy of health information. The Preamble to the Privacy Rule lists the following applicable laws: Privacy Act of 1974, Family Educational Rights and Privacy Act, Freedom of Information Act, Employee Retirement Income Security Act of 1974 (ERISA), Gramm-Leach-Bliley Act, federally funded health programs regulations, Food, Drug and Cosmetic Act, Clinical Laboratory Improvement Amendment, federal disability and non-discrimination laws, and U.S. Safe Harbor Privacy Principles (European Union Directive on Data Protection). In addition, many federal regulations require disclosure of specific PHI for specific purposes in specific circumstances.

In the Preamble to the Privacy Rule, HHS states that there should be few instances of conflict between HIPAA regulations and other federal laws because HIPAA permits but does not require many disclosures. Therefore, when disclosures are required under other federal law, PHI may be disclosed as required by other law. If a disclosure is not required but only permitted under other law, an entity must determine whether the disclosure is permissible under HIPAA and then follow HIPAA requirements for making such a disclosure. If another federal law prohibits disclosure that is permitted but not required under HIPAA, entities must comply with the other federal law.