This notice of privacy practice describes how medical information about you may be used and disclosed and how you can get access to this information.
This policy adheres to the The HIPAA Privacy Rule. The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. .
A. OUR POLICY REGARDING YOUR HEALTH INFORMATION
We are committed to preserving the privacy and confidentiality of your health information. This Privacy Notice describes how the Catholic Health System (“The System”) may use and disclose your protected health information according to applicable laws and regulations. It also describes your rights with respect to your protected health information. Your “protected health information” includes most information about your physical and mental health, such as symptoms, treatment, test results, and demographic data, which contains details that can be used to identify you, We are required by law to maintain the privacy of your “protected health information” and to provide you with this notice of your legal duties and privacy practices. The System’s many components will comply with this Notice, including the System’s hospitals, primary care, long term care, home care, ambulatory care, laboratories, chemical and physical rehabilitation, foundations and workforce members, including volunteers. Additionally, all health care providers who provide services for the System and within the System’s facilities will comply with this Notice and will share your protected health information for treatment, payment and healthcare operations (as defined herein.)
We reserve the right to change this notice and to make the revised notice effective for all protected health information that we maintain at that time and any information we may receive in the future. We will post a copy of the current notice in our facilities and we will make any revised notice available at the facilities for you to request a copy. We are required to abide by the terms of this notice while it remains in effect, as required or authorized by law.
B. USES AND DISCLOSURES WITH AND WITHOUT YOUR AUTHORIZATION
We must obtain your written permission or “authorization” to use or disclose your protected health information except in the limited situations listed below, which do not require your written authorization:
1. Treatment. We will use and disclose your protected health information to provide, coordinate and manage your health care and related services. We may disclose your protected health information to health care providers, including providers not affiliated with The System, so that they may provide you with treatment. For example, we may disclose your protected health information to a pharmacy to fill a prescription, to a laboratory to order a test, or a specialist for consultation.
2. Payment. We will use and disclose your protected health information, as needed, for the System to obtain payment for our health care services. For example, we may disclose protected health information to your health insurance company so we may obtain prior approval for a surgery, to determine whether you are eligible for benefits or to determine whether a particular service is covered under you plan. We may disclose your protected health information to other health care providers, health plans, and health care clearinghouses for their payment activities. For example, we may disclose protected health information to anesthesia care providers so that they may obtain payment for their services.
3. Health Care Operations: We will use and disclose your protected health information for our health care operations. For example, we may use your protected health information to evaluate the performance of the System’s personnel and to perform licensing, training, and accreditation activities. In certain situations, we may also disclose your protected health information to another health care provider, health plan, or health care clearinghouse who has or had a relationship with you, for the purpose of that entity’s health care operations, as long as the protected health information is related to your relationship with that entity. For example, the System may disclose your protected health information to allow another entity to conduct activities to determine whether they have provided quality services, to review the performance and qualifications of health care providers, to conduct training programs, and to perform accreditation, certification, licensing or credentialing activities.
4. Law Enforcement Purposes. We may disclose your protected health information to law enforcement officials under certain circumstances when we are required or permitted by law to disclose such information. For example, we may disclose your protected health information if we are required by law to report a certain type of wound or injury, such as a gun-shot wound. We may also disclose your protected health information pursuant to an order, warrant, subpoena or summons issued by a judicial officer. Under certain circumstances, we may disclose your protected health information pursuant to administrative requests related to law enforcement purposes. We may disclose limited protected health information to law enforcement officials upon their request to assist them in identifying or locating a suspect, fugitive, material witness or missing person.
Additionally, under certain circumstances we may disclose your protected health information to law enforcement official’s request about a victim of a crime or in order to report evidence of criminal conduct that occurred on our premises.
5. Public Health Activities. The System may disclose your protected health information to certain public health authorities and others according to specific rules that apply to public health activities. For example, the System may disclose your protected health information to public health authorities or other government authorities authorized by law to receive such information for purposes of preventing or controlling disease, injury, disability, or child abuse or neglect or for the conduct of public health surveillance, investigations and interventions. We may also disclose your protected health information to certain individuals subject to the jurisdiction of the Food and Drug Administration FDA-regulated products or activities, to certain individuals who may be at risk of contracting or spreading a disease or condition, and under certain circumstances to your employer if we have provided health care to you at your employer’s request.
6. Health Oversight Activities. The System may disclose your protected health information to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations, proceedings and actions; inspections; licensure or disciplinary actions; and other activities necessary for appropriate oversight of the health care system and oversight of certain programs and entities as authorized by law.
7. Judicial and Administrative Proceedings. We may disclose your protected health information in the course of any judicial or administrative proceeding in response to an order of a court or administrative tribunal as expressly authorized by such order. In certain circumstances, we may disclose your protected health information in response to a subpoena, discovery request or other lawful process to the extent authorized by state law if we receive satisfactory assurances from the party requesting your information that you have been notified of the request or that they have made reasonable efforts to obtain a qualified protective order. A qualified protected order is an order of a court or tribunal that prohibits the use or disclosure of your protected health information for any purpose other than the proceeding for which it was requested and which requires that your protected health information will be returned to the System at the end of the proceeding.
8. Specialized Government Functions. In certain circumstances, federal regulations authorize the System to use and/or disclose your protected health information for specialized government functions. If you are a member of the armed forces, the System may use and disclose your protected health information as directed by appropriate military authorities. We may disclose your protected health information to authorized federal officials for certain national security and intelligence activities and to protect the President of the United States and other dignitaries. The System may also disclose your protected health information to law enforcement personnel or to a correctional institution if such information is required for the health and safety of inmates, law enforcement personnel, individuals at the correctional institution, or individuals responsible for transporting inmates or if such information is required to maintain safety, law and order at a correctional institution.
9. Suspected Abuse, Neglect or Domestic Violence. The System will disclose medical information that reveals that you may be a victim of abuse, neglect or domestic violence to a government authority if the System is required by law to make such disclosure. For example, state law requires health care professionals to report cases of suspected, child abuse or maltreatment. If the System is authorized, but not required, by law to disclose evidence of suspected abuse, neglect or domestic violence, it will do so if it believes that the disclosure is necessary to prevent serious harm, or if you are incapacitated and government officials need such information for an immediate law enforcement activity.
10. To Avert Serious Threat to Health or Safety. The System may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information if we believe, in good faith, that such use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public and the disclosure is made to an individual who is reasonably able to prevent or lessen the threat.
11. Research. We may use and disclose your protected health information for research as long as such research has been approved by an institutional review board or privacy board that has reviewed the research proposal and established protocols to preserve the privacy of your protected health information. For example, a research project may involve comparing the health of patients who received one treatment to those who received another treatment for the same condition. Before we use or disclose protected health information for research purposes, the research project will go through a special review and approval process. Even without special approval, however, we may permit researchers to review your protected health information if it is necessary to help them prepare for a research project, as long as they do not remove or take a copy of any protected health information.
12. Medical Examiners, Funeral Directors, and Organ Donation. The System may disclose your protected health information to a medical examiner for identification purposes, to determine the cause of death or for other purposes authorized by law. We may also disclose your protected health information to a funeral director, as authorized by law, to permit the funeral director to carry out his or her duties. Additional, the System may use and disclose your protected health information for the purpose of arranging for cadaveric organ, eye, or tissue donation and transplantation.
13. Worker’s Compensation. The facility may disclose your protected health information, as authorized by and in compliance with worker’s compensation laws.
14. Appointment Reminders. The System may, from time to time, use or disclose your protected health information to contact you to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that we believe may be of interest to you. The System may remind you of appointments by mailing a postcard to you at the address provided by you or by telephoning your home and leaving a message on your answering machine or with the individual answering the phone. The System will not disclose any information with these appointment reminders except your name, your address and the time, date and location of your appointment.
15. Fundraising. The System may use limited protected health information for fundraising purposes and may disclose such information to its Business Associates and to institutionally related foundations for assistance in raising funds for the System. The System may contact you for the purpose of raising money for the System, but you have the right to opt out of receiving fundraising communications. Any fundraising communication sent will contain information on how recipients may opt out of future communication of this type.
16. De-identified Information. The System may de-identify your protected health information according to specific federal rules so that the information does not identify you and cannot be used to identify you. The System may use and disclose your de-identified information. The System may also partly de-identify your protected health information by removing your name, address, telephone number and many other identifying factors to create a “limited data set”, which may be used and disclosed for research purposes. Your protected health information will only be disclosed in the form of a “limited data set” to recipients who sign an agreement to use your protected health information for specific purposes according to law and who agree not to identify you.
17. Patient Directory. Unless you object, the System may use your name, location, general condition and religious affiliation to maintain the System’s patient directory and may disclose such information to: (a) members of the clergy and (b) except for religious affiliation, to individuals who ask for you by name.
18. Business Associates. The System may disclose your protected health information to a business associate of the System if we obtain satisfactory written assurance, in accordance with applicable law, that the business associate will appropriately safeguard your protected health information. A “business associate” is an entity that provides certain services to the System or assists the System in undertaking some functions, such as a billing company that assists the System in submitting claims for payment to insurance companies. Security provisions that legally apply to the System are also applied to our business associates.
19. Personal Representatives. The System may disclose your protected health information to or according to the direction of a person who, under applicable law, has the authority to represent you in making decisions related to your health. For example, we may disclose your protected health information to an agent who you authorized through a health care proxy form to make health care decisions for you in the event that you should become unable to make your own health care decisions.
20. Family and Friends: Under certain circumstances, the System may disclose to your family member, other relative, a close personal friend, or any other person identified by you, your protected health information directly relevant to such person’s involvement with your care or the payment for your care. The System may also use or disclose your protected health information to the previously named individuals as well as to a public or private entity authorized by law or by its charter to assist in disaster relief efforts to notify or assist in the notification (including identifying or locating) a family member, a personal representative, or another person responsible for your care, of your location, general condition or death. However, the following conditions will apply:
a. If you are present at or available prior to the use or disclosure of your protected health information, the System may use or disclose your protected health information if you agree, or if the System can reasonably infer from the circumstances, based on the exercise of its professional judgment, that you do not object to the use or disclosure.
b. If you are not present or are unable to agree or object to the use of disclosure because of incapacity or an emergency, the System will, in the exercise of professional judgment, determine whether the use or disclosure is in your best interests and, if so, disclose only the protected health information that is directly relevant to the person’s involvement with your care.
21. Required by Law. In addition to those uses and disclosures listed above, we may use and disclose your protected health information if and to the extent we are required by law.
C. YOUR RIGHTS: You have the following rights regarding your protected health information:
1. Right to Revoke an Authorization. You may revoke an Authorization in writing, at any time. To request a revocation, you must submit a written request to the System’s Privacy Officer, whose contact information is listed below.
2. Right to Request Restrictions on Uses and/or Disclosures. You may request restrictions on the use and/or disclosure of your protected health information for treatment, payment or health care operations. To request restrictions, you must submit a written request to the System’s Privacy Officer. In your written request, you must identify the specific restriction requested. Except in limited circumstances, the System is not obligated to agree to any of your requested restrictions. If the System agrees to your requested restriction, we may not use or disclose your protected health information in violation of that restriction unless it is needed to provide you with emergency treatment. Under certain circumstances, we may terminate our agreement to a restriction.
Requests submitted in writing for restriction of disclosure to a health plan for purposes of carrying out payment or healthcare operations will be honored provided the information pertains solely to a health care item or service paid for out-of-pocket by the individual unless prohibiting such disclosure is restricted by law.
3. Right to Request Confidential Communications. You may request to receive confidential communications of protected health information by alternative means or at alternative locations. You must make your request to the System’s Privacy Officer. The System will accommodate all reasonable requests. We may condition this accommodation on your providing us with information as to how payment will be handled or by specifying an alternative address or other method of contact. We will not require you to provide an explanation for your request.
4. Right to Inspect and Copy Information. According to federal regulations, you may generally inspect and obtain a copy of your protected health information that we maintain in a designated record set. A “designated record set” is a group of records that include medical and billing records or other records that the System uses for making decisions about you. Under federal regulations, however, you have no right to inspect or copy certain records, including psychotherapy notes, information complied in reasonable anticipation of litigation. Please note that New York State’s Mental Hygiene Laws and Public Health Law may provide you with independent rights to inspect and copy such information. If federal law does not allow you to inspect or copy certain information, such as psychotherapy notes, but State law allows you to inspect and copy such information, the System will respond to your request to access such information in accordance with New York State law. We may deny your request to inspect or copy your protected health information. Depending on the circumstances, you may or may not have a right to appeal our decision to deny your request. To inspect or copy your protected health information, you must submit a written request to the Health Information Management Department or Long Term Care Facility Administration. If you request a copy of your information, we may charge you a fee for the cost of copying and mailing your information and for other costs only as allowed by law.
If your protected health information is maintained in an Electronic Health Record (EHR), upon your written request, providing no other restrictions apply, you may obtain an electronic copy of such information and request that such a copy be transmitted directly to an entity or person designated by you. A fee may be charged for this service as allowed by law.
5. Right to Amend your Information. You may request that we amend your protected health information that we maintain in a designated record set. To request an amendment, you must submit a written request, along with a reason that supports your request to our Privacy Officer. In certain cases, we may deny your request for an amendment. If we deny your request for an amendment, you have the right to file a statement of disagreement with us. If you file such a statement, we may prepare a rebuttal to your statement and will provide you with a copy of any such rebuttal.
6. Right to Receive an Accounting. You may request an accounting of certain disclosures of your protected health information made by the System after April 14, 2003. We are not required to account for some disclosures, including those made for treatment, payment or health care operations. Additionally, we are not required to provide you with an accounting of disclosures that you authorize or with an accounting of some disclosures that we are permitted to make without your authorization. Your request for an accounting of disclosures must be submitted in writing to our Privacy Officer and must specify a time period to be covered by the accounting. You right to receive this information is subject to additional exceptions, restrictions and limitations.
7. Right to Receive a Copy of Notice. Upon your request, we will provide you with a paper copy of this Privacy Notice.
8. Right to Notification of an Unauthorized Unsecured Breach. In the case of a breach of unsecured protected health information, you or your next of kin (if individual is deceased) will be notified by mail or e-mail if the later is specified as preferred by you.
9. Right to Complain. You have the right to complain to the System or to the Secretary of the Department of Health and Human Services if you believe your privacy rights have been violated. You may complain to the System by contacting the System’s Privacy Officer, using the contact information below. You will not be retaliated against in any way for filing a complaint.
10. Right to Receive Lab Reports. Upon your request or your personal representative’s request, the laboratory may provide you or your personal representative, and those persons specified under 45 CFR 164.524(c)(3)(ii), as applicable, with access to completed test reports that, using the laboratory’s authentication process, can be identified as belonging to you.
C. PRIVACY CONTACT: The System’s contact person for all issues regarding patient privacy and your rights under the federal privacy standards is the Privacy Officer. Questions regarding matters covered by this Notice shall be directed to the Privacy Officer. You may contact the Privacy Officer at:
Kimberly E. Whistler, Esq., CHC
Chief Compliance Officer
Administrative & Regional Training Center, Legal Service, 6th Floor
144 Genesee Street
Buffalo, New York, 14203
(716) 862-1790