Privacy Practices

What is Protected Health Information?

Protected Health Information (PHI) is:

1. Information about your mental or physical health, related health care services, or payment for health care services.

2. Information that is provided by you, created by us, or shared with us by related organizations.

3. Information that identifies you or could be used to identify you, such as demographic information, address and phone number, social security number, age, date of birth, dependents, and health history.

How Does Canopy Protect My PHI?

Except as described in this Notice or specified by law, we will not use or disclose your PHI. We will use reasonable efforts to request, use, and disclose the minimum amount of PHI necessary. Whenever possible, we will de-identify or encrypt your personal information so that you cannot be personally identified. We have put physical, electronic, and procedural safeguards in place to protect your PHI in order to comply with federal and state laws.

What Are My Rights Regarding My Protected Health Information?

You have the following rights with respect to your PHI:

Obtain a copy of this Notice.

You may obtain a copy of this Notice at any time. Even if you have agreed to receive the Notice electronically, you are still entitled to a paper copy.

Request restrictions.

You may ask us not to use or disclose any part of your PHI. Your request must be in writing and include what restriction(s) you want and to whom you want the restriction(s) to apply. This includes the right to restrict disclosures of PHI to health insurance companies when the services provided are paid for in full out of pocket. Any request to restrict specific disclosures to individuals or entities must be made in writing. We will review and grant reasonable requests, with respect to and within the limits of state and federal law. If you are not able to tell us your preference, for example, if you are unconscious, we may go ahead and share your information if we believe it is in your best interest. We may also share your information when needed to lessen a serious and imminent threat to health or safety.

Inspect and copy.

You have the right to inspect and get a copy of your PHI. You must put your request in writing. You can ask to see or copy an electronic or paper copy of your medical record and other health information we have about you. Ask us how to do this. We will provide a copy or a summary of your health information within a reasonable time. If you ask to see or receive a copy of your record for purposes of reviewing current medical care, we may not charge you a fee. (Minn. Stat. § 144.292 subd. 6). If you request copies of your patient records of past medical care, or for certain appeals, we may charge you specified fees (Minn. Stat. § 144.292 subd. 6). We do have the right to deny your request to inspect and copy. If you are denied access, you may ask us to review the denial.

Request amendment.

If you feel that your PHI is incomplete or incorrect, you may ask us to amend it. Your request must be in writing, and you must include a reason that supports your request. In certain cases, we may deny your request but we’ll tell you why in writing within 60 days. If we deny your request for amendment, you have the right to submit a statement of disagreement with our decision to be placed on file with your records.  

Receive a list (an accounting) of disclosures.

You have the right to receive a list of the disclosures (an accounting) that we have made on your PHI on or after April 14, 2003. The list will not include disclosures that we are not required to track, such as disclosures for the purposes of treatment, payment, or health care operations; disclosures that you have authorized us to make; disclosures made directly to you or to friends or family members involved in your care; or disclosures for notification purposes. Your right to receive a list of disclosures may also be subject to other exceptions, restrictions, and limitations. Your request for an accounting must be made in writing and state the time period for which you would like us to list the disclosures. We will not include disclosures made more than seven years prior to the date of your request, or disclosures made prior to April 14, 2003. You will not be charged for the first disclosure list that you request, but you may be charged for additional lists provided with the same 12-month period as the first.

Request confidential communication.

You may ask us to communicate with you using alternative means or alternative locations. For example, you may ask us to contact you about medical records only in writing or at a different address than the one in your file. Your request must be made in writing and state how and when you would like to be contacted. You do not have to tell us why you are making the request, but we may require you to make special arrangements for payment or other communications. We will review and grant reasonable requests, with respect to and within the limits of state and federal law.

Special Rules for Psychotherapy Notes.

Only psychotherapy notes collected by a psychotherapist during a counseling session are considered PHI. If those notes are kept separate from a client’s medical records, HIPAA requires that they be treated with higher standards or protection than other PHI.

Notification.

You have a right to be notified if your PHI is impermissibly released or disclosed due to a breach including theft, loss, or other form of disclosure. Canopy will attempt to contact all affected individuals in the event of a breach at their last known address or contact number.

Sale and Marketing of PHI.

Canopy may not sell your PHI without your written authorization for any reason. Canopy does not presently sell PHI of any of our patients for any reason. If this changes in the future, you will be notified in writing and be given the chance to opt out. We will never share your information unless you give us written permission.

When May Canopy Use and Disclose PHI?

Common reasons for our use and disclosure of PHI include:

Treatment.

To provide, coordinate, or manage health care and related services for you to make sure you are receiving appropriate and effective care. For example, we may contact you to provide appointment reminders, and information about treatment alternatives, or to refer you to other health-related benefits and services that may be of interest to you. Or we might contact another healthcare provider or third party to share information or consult with them about the services we are providing to you. Minnesota Law requires consent for disclosure of treatment, payment, or operations information (Minn. Stat. § 144.293 subd. 2) except to other providers within related healthcare entities when necessary for the current treatment of the patient (Minn. Stat. § 144.293 subd. 5).

Payment.

To obtain payment or reimbursement for services provided to you. For example, we may need to disclose PHI to determine eligibility for treatment or claims payment, only if we obtain your consent (Minn. Stat. § 144.293, subd. 2 and 5). If you pay for a service or health care item out-of-pocket in full, you can ask us not to share that information for the purpose of payment or our operations with your health insurer. We will say “yes” unless a law requires us to share that information.

Health Care Operations.

To assist in carrying out administrative, financial, legal, and quality improvement activities necessary to run our business and to support the core functions of treatment and payment. We are required to obtain your consent before we release your health records to other providers for their own healthcare operations (Minn. Stat. § 144.293, subd. 2 and 5).

Business Associates.

Our business associates perform some healthcare administration and operation activities for us. Examples of our business associates include our billing service and claims administrators. We may disclose PHI to our business associates so that they can perform the job we have asked them to do. We require our business associates to sign agreements that limit how they use and disclose PHI. In addition, business associates are required by law to comply with all HIPAA regulations and requirements regarding the use and protection of your PHI.

Health Plan Sponsor.

We may disclose PHI to a group health plan administrator, which may, in turn, disclose such PHI to the group health plan sponsor, solely for purposes of administering benefits provided by Canopy.

Individuals involved in your care or payment for your care.

We may disclose your PHI to a family member, other relative, close friend, or any person you identify, who is, based on your judgment, believed to be involved in your care or in payment related to your care.

To Improve Your Care.

Canopy may seek and acquire information from other healthcare systems using secure electronic means unless explicitly prohibited.

As required by law.

We must disclose PHI about you when required to do so by state and federal law, including with the Department of Health and Human Services if it wants to see that we’re complying with federal privacy law (Minn. Stat. § 144.293 subd. 2).

Other State Law.

We will never share any substance abuse treatment records without your written permission, unless required to do so by law (Minn. Stat. §§ 254A.09).

Less common reasons for our use and disclosure of PHI include:

We are allowed or required to share your information in other ways – usually in ways that contribute to the public good, such as public health and research. We have to meet many conditions in the law before we can share your information for these purposes. For more information see www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html

Legal proceedings.

We may disclose PHI for a judicial or administrative proceeding in response to a subpoena, court order, written notice, or protective order, although our preference is to obtain a properly completed release of information authorizing Canopy to do so.

To avert serious threats to public health and safety.

We may disclose PHI to avoid a serious and imminent threat to your health or safety or to the

health or safety of others.

Military or national security and intelligence activities.

We may disclose PHI to armed forces personnel under certain circumstances and to authorized federal officials for national security and intelligence activities, including protective services for the President and other Heads of State with your consent unless required by law (Minn. Stat. §144.293, subd. 2).

To provide reminders and benefits information to you.

Disclosures may be used to verify your eligibility for health care and enrollment in various health plans and to assist us in coordinating benefits for those who have other health insurance or eligibility for government benefit programs.

Worker’s compensation. 

We may disclose PHI to comply with worker’s compensation laws and other similarly legally-established programs.

Food and Drug Administration (FDA).

We may disclose PHI to a person or company required by the FDA to report adverse events or product defects or problems, track products, enable product recalls, make repairs or replacements, and monitor postmarketing as required.

Public Health.

We may disclose PHI to a public health authority that is permitted by law to receive the information for public health activities. This disclosure might be necessary to prevent or control

disease, injury, or disability.

Abuse or neglect.

We may make disclosures to government authorities or social service agencies as required by law in the reporting of abuse, neglect, or domestic violence.

Research.

We can use or share your information for health research if you do not object (Minn. Stat. §144.295 subd. 1).

To government agencies for compliance purposes.

We may use or disclose PHI to the Secretary of Health and Human Services to assist with a complaint investigation or compliance review

Correctional facility.

We may use or disclose PHI, as authorized by law if you are an inmate of a correctional facility.

Law enforcement.

We may disclose PHI to law enforcement officials for the purpose of identifying or locating a suspect, witness, or missing person, or to provide information about victims of crimes or with law enforcement officials with your consent, unless required by law (Minn. Stat. § 144.293, subd. 2).

Medical Examiner or Coroner.

We can share health information with a coroner and medical examiner when an individual dies. We need consent to share information with a funeral director (Minn. Stat. § 390.11 subd. 7 (a)).

Your Written Permission

We are required to get your written permission (authorization) before using or disclosing your PHI for purposes other than those provided above, or as otherwise permitted or required by law. If you do not want to authorize a specific request for disclosure, you may refuse to do so without fear of reprisal.

You May Withdraw Your Permission

If you do provide your written authorization and then later want to withdraw it, you may do so in writing at any time. As soon as we receive your written revocation, we will stop using or disclosing the PHI specified in your original authorization, except to the extent that we have already used it based on your written permission. 

You may file a complaint

If you believe your privacy rights have been violated, you can file a complaint with Canopy at: 6625 Lyndale Ave. S. Suite 440 Richfield, MN 55423 or with the United States Department of Health and Human Services at:

Medical Privacy Complaint Division
Office for Civil Rights
U.S. Department of Health & Human Services
200 Independence Avenue, SW
Room 509F, HHH Building
Washington, DC 20201
Phone: 1-877-696-6775
Website: https://www.hhs.gov/hipaa/filing-a-complaint/what-to-expect/index.html

Filing a complaint will in no way affect the care or services you receive from Canopy.

Data Privacy

Why do we ask for information?

We ask for information from you to determine what service or help you need, develop a service plan with you, and give you the services you want. The information may also be used to determine your charges for services or for collection of payment from insurance companies or other payment sources.

Do you have to give information to us?

There is no law that says you must give us any information. However, if you choose to not give us some information, it can limit our ability to serve you well.