Your privacy is important to Bluff.
We recognize that when you visit our Web site and provide us with personal information, you trust that that we will act responsibly and keep your information secure and confidential.
It’s subject to change over time, so please check back periodically for updates.
What information does BluffPlantation.com collect from site visitors?
You can visit BluffPlantation.com without telling us who you are or revealing any personal information. While we do log IP addresses (the Internet address of a computer) and use “cookie” technology to track user sessions and page views on our site. Tracking user sessions and page views helps us understand how visitors use our site, which areas are most popular, and how long visitors spend there. Bluff’s cookies do not collect personally identifiable information unless you’ve already previously registered or provided your information via one of our contact forms.
How is my email address or other personal information used?
Bluff uses email addresses submitted through our Web site to reply to your requests for information about our company, services, and other general information.
We will need certain details – such as your name, email address, postal address, or phone number in order to respond to your inquiries and provide you with more information on those services. We may also use your contact information to inform you of additional Bluff services that you might be interested in. You can elect not to receive such information by opting out by sending an email to info@BluffPlantation.com or by clicking on the opt-out links at the bottom of our emails and communications.
In certain instances, such as when you register for an event or subscribe to a publication or to respond to a specific marketing campaign, etc. you may be asked to provide more detailed information. This information is to help us gain a better understanding of how Bluff can best respond to your needs.
All information submitted through BluffPlantation.com’s contact forms for company information, services, investor relations, employment, partnerships, and media relations and press inquiries are treated as confidential by Bluff’s staff. We do not sell, rent, or loan our subscriber list to any third parties.
How do I remove my email address from email communications to which I previously subscribed?
Bluff offers a subscription-based e-mail to patients, clients, partners, investors, media representatives, and other interested parties, providing the latest company news, information, events, and trends. You will find instructions on how to unsubscribe from this communication at the bottom of every email. Or you can send an unsubscribe request to info@BluffPlantation.com.
In some instances, such as event registration, visitors may be asked to submit credit card information for payment. All credit card transactions initiated on our Web sites are handled independently by one of our payment processing partner companies. These firms maintain their own error and credit card transaction logs, and are responsible for creating and adhering to their own privacy policies.
In what instances may Bluff be obligated to provide information about its site visitors?
Bluff cooperates fully with law enforcement, other governmental agencies, and third parties to enforce laws, defend intellectual property, and protect other rights. To this end, we may disclose the personal information of our registered visitors if and when:
- We’re required to do so by law
- We believe that such disclosure is necessary to protect us from legal liability
- We believe that we need to do so to protect someone’s safety
At Bluff, we realize that you exercise caution when submitting personal information about yourself via the Internet. That’s why we are committed to maintaining your privacy and protecting the information that you share with us.
MARKETING UNDER HIPAA PRIVACY STANDARDS
To facilitate compliance with requirements of the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information (Privacy Standards), 45 CFR Part 164 and the sections that relate to uses and disclosures of protected health information (PHI) for marketing purposes, the Health Information Technology for Economic and Clinical Health Act (HITECH) component of the American Recovery and Reinvestment Act (ARRA), and applicable state laws.
An authorization signed by the patient or the patient’s Personal and/or Legal Representative (as defined in RiverMend’s Privacy & Security Program Policy) is required and must be obtained for any uses or disclosures of PHI for purposes of marketing under the HIPAA Privacy Standards. The patient shall be provided with clear notice of how the PHI will be used or shared. This policy applies to RiverMend Health Inc, and its affiliates and subsidiaries (“RiverMend”) and all members of the RiverMend workforce.
A “cookie” is a small text file that a website can place on your computer’s hard drive in order, for example, to collect information about your activities on the site or to make it possible for you to use an online “shopping cart” to keep track of items you wish to purchase. The cookie transmits this information back to the Web site’s computer, which, generally speaking, is the only computer that can read it. Most consumers do not know that “cookies” are being placed on their computers when they visit websites. If you want to know when this happens, or to prevent it from happening, you can set your browser to warn you when a website attempts to place a “cookie” on your computer.
As defined by The Federal Trade Commission.
1. PRIVACY & SECURITY PROGRAM
The Patient Privacy & Security Program is part of the overall Compliance Program at of RiverMend Health LLC and its affiliates (“RiverMend”).
This Privacy and Security Program will provide information for employees (and others defined below as workforce members) (“Associates”) about the privacy rights that patients have regarding the use and disclosure of their Protected Health Information (PHI).
This policy establishes general requirements and best practices under the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information (Privacy Standards), the Security Rule, the Health Information Technology for Economic and Clinical Health Act (HITECH) component of the American Recovery and Reinvestment Act of 2009 (ARRA), and any applicable state privacy laws.
RiverMend work to balance business needs and uses of PHI with patients’ rights outlined in the HIPAA Privacy & Security Standards.
2. MEDICAL RECORD DISCLOSURES
To establish guidelines for responses to requests for medical records and other uses and disclosures of PHI.
Healthcare information about a patient will not be disclosed to any person other than as outlined in this policy or as authorized by law (see “Request and Disclosure Table” ).In all other cases, PHI may be disclosed without the patient’s HIPAA compliant authorization only as permitted by law. Some examples are below:
1. Treatment, Payment & Operations: PHI may be disclosed to Health Care providers, health plans for purposes of their treatment, payment, or specified health care operations.
2. PHI may also be disclosed without a patient’s authorization when necessary to meet the following regulatory, public health, and other public purposes:
a. For billing, claims management, medical data processing, or other administrative purposes;
b. To committees engaged in reviewing the competence or qualifications of an RiverMend or any Health Care professional or reviewing health care services;
c. As otherwise authorized by law or for public health activities,
d. When needed to report victims of abuse, neglect or domestic violence
e. For judicial, administrative proceedings or law enforcement purposes,
f. To avert serious threat to health or safety, or assist in relief efforts;
g. When members of RiverMend’s workforce are victims of a crime.
For each public and public health purpose listed above, specific requirements must be met prior to the disclosure of PHI and such disclosure must be reviewed by the CPO and/or RiverMend’s legal counsel.
3. PATIENT PRIVACY RIGHTS
The purpose of this policy is to provide information to Associates about the privacy rights that patients have regarding the use and disclosure of PHI.
1. Notice of Privacy Practices
The “Notice of Privacy Practices” will be used to inform patients about how we may use and/or disclose their information. The “Notice of Privacy Practices” also describes the actions a patient may take, or request us to take, with regard to the use and/or disclosure their PHI. Patients may on intake or from time to time be asked to acknowle receipt of the “Notice of Privacy Practices” or be given a copy.
Nothing in this policy shall prevent RiverMend from changing its policies or the “Notice of Privacy Practices” at any time, provided that the changes in the policies or the “Notice of Privacy Practices” comply with state or federal law.
4. MINIMUM NECESSARY
To provide RiverMend guidance related to using and disclosing only the minimum amount of identifiable Protected Health Information (“PHI”) to fulfill the purpose of the use or disclosure, regardless of the extent of access provided. This policy covers uses and disclosures of PHI in any form including oral, written and/or electronic mediums. Each Associate is responsible for adhering to this policy by using only the minimum information necessary to perform his or her responsibilities, regardless of the extent of access provided or available.
RiverMend will make all reasonable efforts not to use or disclose more than the minimum amount of PHI necessary to accomplish the intended purpose of the use or disclosure. Only Associates with a legitimate “need to know” may access, use or disclose patient information. This includes all activities related to treatment, payment and health care operations of the facility. Each Associate may only access, use or disclose the minimum information necessary to perform his or her designated role regardless of the extent of access provided to him or her.
The minimum necessary requirement is not imposed in any of the following circumstances:
1. Disclosure to or a request by a health care provider for the purpose of treatment;
2. Uses or disclosures made to an individual who is the subject of the information, or the individual’s personal representative;
3. Use or disclosure made pursuant to a HIPAA compliant authorization;
4. Disclosure for complaint investigation, compliance review or enforcement;
5. Use or disclosure that is required by law; or
6. Uses or disclosures of de-identified information.
5. PRIVACY COMPLAINT PROCESS
The purpose of this policy is to provide information for handling privacy complaints.
Under the Privacy Standards and state laws governing privacy and confidentiality of health information, a patient may file a complaint with the RiverMend, as well as others if they believe their privacy rights have been violated. The CPO will be involved in all privacy related complaints as part of the overall complaint handling polices.
6. PATIENT’S RIGHT TO ACCESS
To ensure patients the right to inspect and/or obtain a copy of their protected health information (PHI) as required by federal and state law.
Patients, or the patient’s legal representative will be provided the right to inspect and/or obtain a copy of their protected health information that is contained within a designated record set. The facility may deny a request under certain circumstances. Some states have separate patient privacy laws that may apply additional legal requirements. Contact the CPO to identify and comply with any such additional legal mandates.
7. PATIENT’S RIGHT TO AN ACCOUNTING OF DISCLOSURES
To provide an Accounting of Disclosures of PHI to all individuals.
Individuals have the right to receive a list of certain disclosures that RiverMend has made of their PHI. Requests for an Accounting of Disclosures must be made in writing or the verbal request must be documented.
A system must be in place within each facility to accurately and completely track all disclosures and have such information available for a minimum of seven (7) years as required by the HIPAA Privacy Rule and applicable state laws.
8. PATIENT’S RIGHT TO AMEND
To ensure patients the right to amend PHI stored in a designated record set as required by state and federal laws.
Patients will be provided the right to request an amendment to their PHI that is contained within the designated record set for as long as the information is maintained by RiverMend
A RiverMend facility may deny a patient’s request for amendment, if it determines that the PHI that is the subject of the request: Was not created by the facility, and the patient is unable to show in writing that the creator of the PHI is no longer available to act on the requested amendment; Is not part of the designated record se or is accurate and complete; or Is not available to the patient for inspection.
If the request for amendment is denied, the CPO will provide the patient with a written denial letter that outlines the reason for the denial.
9. PATIENT’S RIGHT TO CONFIDENTIAL COMMUNICATIONS
To ensure patients the right to request Confidential Communications as required by state and federal laws.
Patients are permitted to request confidential communications if they can be produced in in a requested form and format.
All reasonable requests for Confidential Communications will be accommodated by the facility. Confidential Communications pertain to all future correspondence and communication related to the specific visit(s) stated in the request.
Acceptable alternate means of communication include mail, telephone, and in limited circumstances may include fax and encrypted e-mail. Any requests for communication via phone only must also include a mailing address (permanent or alternate) for purposes of billing and collections. Unacceptable means include unencrypted e-mail and Internet communications (as security of the transmission cannot be guaranteed).
10. PATIENT’S RIGHT TO PRIVACY RESTRICTIONS
To ensure patients the right to request privacy restrictions on the use or disclosure of their PHI as required by state and federal laws.
Patients will be provided the right request restrictions on certain use or disclosures of their PHI contained within the designated record set. A determination to restrict uses or disclosures must be made very carefully to ensure the request can be met.
RiverMend will endeavor to comply with a patient’s request to restrict or limit the disclosure of the individual’s PHI to a health plan if 1) the disclosure is for payment or healthcare operations (not treatment), 2) the PHI pertains solely to a health care item or service for which the patient has paid out of pocket and in full, and 3) RiverMend is not legally required to disclose such information.
11. SALE OF PHI
RiverMend will comply with restriction on the sale of PHI.
The “sale of PHI” refers to a disclosure of PHI by RiverMend or a Business Associate, if applicable, where RiverMend or the Business Associate directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI. However, the sale of PHI does not include disclosures:
a. For public health purposes;
b. For research purposes where the only payment is a reasonable to cover the costs
c. For the sale, transfer, merger, or consolidation of all or part of the organization and for related due diligence;
d. To a Business Associate for activities undertaken by the Business Associate on behalf of RiverMend when the only payment provided is by RiverMend to the Business Associate.
12. DE-IDENTIFICATION OF PHI
To provide specific guidance regarding the definition of, and the uses and disclosures of de-identified information, as required by the HIPAA Privacy Standards and or state privacy laws.
PHI may be used to create information that is not individually identifiable. Health information that does not identify an individual, and for which there is no reasonable basis to believe that it can be used to identify an individual, is not PHI and is no longer covered by the HIPAA Privacy Standards or state privacy laws.
13. CLINICAL RESEARCH
RiverMend is committed to conducting research in compliance with all applicable laws, regulations and policies. As part of this commitment RiverMend has adopted a policy to clearly define the circumstances under which PHI may and may not be used internally or disclosed externally in connection with research activities.
14. PATIENT AUTHORIZATION TO RELEASE MEDICAL RECORDS
For all uses and disclosures of an individual’s PHI other than those required by law or for treatment, payment and health care operations, HIPAA and applicable state laws require a covered entity to obtain an authorization.
For all uses and disclosures of an individual’s PHI, RiverMend will obtain a signed authorization from the individual, unless the use or disclosure is required by law, for treatment, payment or health care operations, or otherwise permitted without an authorization (the Privacy Rule) or applicable state law.
15. MARKETING UNDER HIPAA PRIVACY STANDARDS
To facilitate Marketing in compliance with requirements of HIPAA and applicable state laws.
An authorization signed by the patient or the patient’s Personal and/or Legal Representative is required and must be obtained for any uses or disclosures of PHI for purposes of marketing under the HIPAA Privacy Standards.
16. NOTICE OF PRIVACY PRACTICES
To ensure that each facility understands the requirement to provide a Notice of Privacy Practices to all patients.
Each facility will have and should provide a Notice of Privacy Practices (“Notice”) to all patients. Some states have laws that may apply additional legal requirements. Consult the CPO to identify and comply with any such additional legal mandates.
17. BUSINESS ASSOCIATES
To ensure that Associates understand their obligations with respect to engaging and sharing PHI with Business Associates.
RiverMend is permitted to disclose PHI to its Business Associates so the Business Associate may assist RiverMend with performing its treatment, payment, and/or health care operations activities. However, prior to disclosing PHI to its Business Associates, RiverMend must enter into Business Associate Agreements that contains, at a minimum, all provisions required by law.
RiverMend may in some instances act as a Business Associate of other entities. When acting as a Business Associate, RiverMend will use and disclose PHI only as permitted by the Business Associate Agreement it has entered into with the covered entity.
18. PHI BREACH NOTIFICATION
To facilitate compliance with HITECH and ARRA for breach notification of unsecured PHI as well as any other federal or state notification law.
In the case of a breach of unsecured PHI, the patient or their personal representative must be notified without unreasonable delay.
A breach is considered discovered as of the first day on which the breach is known by the business associate and/or the organization.
Centers in states with additional or more restrictive breach notification laws shall develop and implement policies and procedures addressing the state-specific requirements.
19. HIPAA VIOLATION SANCTIONS
To ensure that there are appropriate sanctions that will be applied to Associates who violate the requirements of the HIPAA Privacy Rule.
It is the policy of RiverMend to take appropriate disciplinary action against any Associate granted access to PHI that violates RiverMend’s privacy and security policies or state, or federal confidentiality laws or regulations, HIPAA.
1. Sanction Exemptions
Sanctions will not apply to an Associate if PHI disclosure meets the following elements:
a. Disclosure by Whistleblowers:
i. The Associate is acting in good faith on the belief that RiverMend has engaged in conduct that is unlawful or otherwise violates professional or clinical standards; or, that the care, services and conditions provided by RiverMend potentially endangers one (or more) of RiverMend’s patients, workers or a member of the general public;
ii. The disclosure is made to a federal or state health oversight agency or public health authority authorized by law to oversee the relevant conduct;
iii. The disclosure is made to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by RiverMend; or
iv. The disclosure is made to an attorney retained by or on behalf of the employee or Business Associate for the purpose of determining legal options regarding disclosure conduct.
b. Disclosure by Crime Victims:
i. A disclosure of PHI made by an Associate who is the victim of a criminal act to a law enforcement official (but only if the PHI disclosed is about the suspected perpetrator of the criminal act, and the disclosed PHI is limited to identification and location information).
2. Definition of Offense
a. Level 3 Breach: Carelessness, Unintentional – This level of breach occurs when an Associate unintentionally or carelessly accesses, reviews or reveals PHI to him/herself or others without a legitimate need to access the PHI. Examples include, but are not limited to: Associate discussing patient information in a public area; staff leaving a copy of patient medical information in a public area; staff leaving a computer unattended in an accessible area with medical record information unsecured.
b. Level 2 Breach: Intentional (no personal gain) – This level of breach occurs when an Associate intentionally accesses or discusses PHI for purposes other than the care of the patient or other authorized purposes but for reasons unrelated to personal gain.Examples include, but are not limited to: an Associate looks up birth dates, address of friends or relatives; an Associate accesses and reviews a record of a patient out of concern or curiosity; or an Associate reviews a public personality’s record.
c. Level 1 Breach: Personal gain or malice- This level of breach occurs when an Associate accesses, reviews or discusses PHI for personal gain or with malicious intent.Examples include but are not limited to: an Associate reviews a patient record to use information in a personal relationship; an associate compiles a mailing list for personal use or to be sold.
a. Level 3 offenses shall include, but are not limited to, the following sanctions:
i. Verbal reprimand;
ii. Written reprimand in Associate’s personnel file;
iii. Retraining on HIPAA Awareness;
v. Retraining on the proper use of internal forms and HIPAA required forms.
b. Level 2 offenses shall include, but are not limited to, the following sanctions:
i. Written reprimand in Associate’s personnel file;
ii. Retraining on HIPAA Awareness;
iv. (d) Retraining on the proper use of internal forms and HIPAA required forms; or
v. (e) Suspension of Associate (In reference to suspension period: minimum of one (1) day/ maximum of three (3) days).
c. Level 1 offenses shall include, but are not limited to, the following sanctions:
i. Termination of employment or working relationship;
ii. Civil penalties as provided under HIPAA or other applicable Federal/State/Local law; or
iii. Criminal penalties as provided under HIPAA or other applicable Federal/State/Local law.
20. ACCESS TO PHI BY ASSOCIATES
The purpose of this policy is to provide information to Associates of RiverMend regarding access to PHI to assure that they recognize the importance of maintaining the confidentiality, security and integrity of PHI.
Associates shall be granted access to PHI, whether written, electronic or verbal in nature, in accordance with HIPAA and other state and federal laws. Such access shall be limited to the minimum necessary amount of PHI the Associate needs to know in order to accomplish their job or task. In addition, communications between Associates, which involve PHI, shall also be considered confidential and should not take place in public areas. If it is absolutely necessary to conduct such conversations in public areas, reasonable steps shall be taken to assure the confidentiality of the PHI.