St. Paul's HIPAA Privacy Practices
Notice of Privacy Practices - HIPAA
This notice describes how information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
We respect the privacy of your personal health information and are committed to maintaining our residents' confidentiality. This notice applies to all information and records related to your care that our facility has received or created. It extends to information received or created by our employees, staff, volunteers and the medical director or employed physicians. This notice informs you about the possible uses and disclosures of your personal health information. It also describes your rights and our obligations regarding your personal health information.
We are required by law to:
- Maintain the privacy of your protected health information;
- Provide to you this detailed notice of our legal duties and privacy practices relating to your personal health information; and
- Abide by the terms of the notice that are currently in effect.
We may use and disclose your personal health information for treatment, payment, and health care operations without needing to obtain your consent
We may use and disclose your personal health information for purposes of treatment, payment and health care operations. We have described these uses and disclosures below and provide examples of the types of uses and disclosures we may make in each of these categories.
- For treatment. We will use and disclose your personal health information in providing you with treatment and services. We may disclose your personal health information to facility and non-facility personnel who may be involved in your care, such as physicians, nurses, nurse aides, and physical therapists. For example, a nurse caring for you will report any change in your condition to your physician. We also may disclose personal health information to individuals who will be involved in your care after you leave the facility.
- For payment. We may use and disclose your personal health information so that we can bill and receive payment for the treatment and services you receive at the facility. For billing and payment purposes, we may disclose your personal health information to your representative, insurance or managed care company, Medicare, Medicaid or another third party payor. For example, we may contact Medicare or your health plan to confirm your coverage or to request prior approval for a proposed treatment or service.
- For health care operations. We may use and disclose your personal health information for facility operations. These uses and disclosures are necessary to manage the facility and to monitor our quality of care. For example, we may use personal health information to evaluate our facility's services, including the performance of our staff.
We may use and disclose personal health information about you for other specific purposes
- Facility directory. Unless you object, we will include certain limited information about you in our facility directory. This information may include your name, your location in the facility, your general condition and your religious affiliation. Our directory does not include specific medical information about you. We may release information in our directory, except for your religious affiliation, to people who ask for you by name. We may provide the directory information, including your religious affiliation, to any member of the clergy.
- Individuals involved in your care or payment for your care. Unless you object, we may disclose your personal health information to a family member or close personal friend, including clergy, who is involved in your care.
- Disaster relief. We may disclose your personal health information to an organization assisting in a disaster relief effort.
- As required by law. We will disclose your personal health information when required by law to do so.
- Public health activities. We may disclose your personal health information for public health activities. These activities may include, for example:
- reporting to a public health or other government authority for preventing or controlling disease, injury or disability, or reporting child abuse or neglect;
- reporting to the federal Food and Drug Administration (FDA) concerning adverse events or problems with products for tracking products in certain circumstances, to enable product recalls or to comply with other FDA
- notifying a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition or for certain purposes involving workplace illness or injuries.
- Reporting victims of abuse, neglect or domestic violence. If we believe that you have been a victim of abuse, neglect or domestic violence, we may use and disclose your personal health information to notify a government authority if required or authorized by law, or if you agree to the report.
- Health oversight activities. We may disclose your personal health information to a health oversight agency for oversight activities authorized by law. These may include, for example, audits, investigations, inspections and licensure actions or other legal proceedings. These activities are necessary for government oversight of the health care system, government payment or regulatory programs, and compliance with civil rights laws.
- Judicial and administrative proceedings. We may disclose your personal health information in response to a court or administrative order. We also may disclose information in response to a subpoena, discovery request, or other lawful process; efforts will be made to contact you about the request or to give you an opportunity to obtain an order or agreement protecting the information.
- Law enforcement. We may disclose your personal health information for certain law enforcement purposes, including as required by law to comply with reporting requirements; to comply with a court order, warrant, subpoena, summons, investigative demand or similar legal process; to identify or locate a suspect, fugitive, material witness, or missing person; when information is requested about the victim of a crime if the individual agrees or under other limited circumstances; to report information about a suspicious death; to provide information about criminal conduct occurring at the facility; to report information in emergency circumstances about a crime; or where necessary to identify or apprehend an individual in relation to a violent crime or an escape from lawful custody.
- Coroners, medical examiners, funeral directors, organ procurement organizations. We may release your personal health information to a coroner, medical examiner, funeral director or, if you are an organ donor, to an organization involved in the donation of organs and tissue.
- To avert a serious threat to health or safety. We may use and disclose your personal health information when necessary to prevent a serious threat to your health or safety or the health or safety of the public or another person. However, any disclosure would be made only to someone able to help prevent the threat.
- Military and veterans. If you are a member of the armed forces, we may use and disclose your personal health information as required by military command authorities. We may also use and disclose personal health information about foreign military personnel as required by the appropriate foreign military authority.
- Workers' compensation. We may use or disclose your personal health information to comply with laws relating to workers' compensation or similar programs.
- National security and intelligence activities; protective services for the President and others. We may disclose personal health information to authorized federal officials conducting national security and intelligence activities or as needed to provide protection to the President of the United States, certain other persons or foreign heads of state or to conduct certain special investigations.
- Fundraising activities. Unless you object, we may use certain personal health information to contact you in an effort to raise money for the facility and its operations. We may disclose personal health information to a foundation related to the facility so that the foundation may contact you in raising money for the facility. In doing so, we would only release contact information, such as your name, address and phone number and the dates you received treatment or services at the facility. Such fundraising communications shall provide, in a clear and conspicuous manner, the opportunity for you to opt out of receiving future fundraising communications.
- Appointment reminders. We may use or disclose personal health information to remind you about appointments.
- Treatment alternatives. We may use or disclose personal health information to inform you about treatment alternatives that may be of interest to you.
- Health related benefits and services. We may use or disclose personal health information to inform you about health related benefits and services that may be of interest to you.
- Marketing communications. Discussions between St. Paul’s and you concerning possible products and services offered by outside entities are considered “marketing communications.” For example, if an outside vendor requests that we recommend their product or service to you, or provide you with a pamphlet or other written brochures, a “marketing discussion” has occurred. Generally speaking, before we can engage in these conversations with you, or provide you with the materials, we will need to receive your authorization. The only current exception to this process is for conversations that involve a drug or biologic that you are currently receiving, and so long as any payment received by us from the outside supplier in exchange for this communication is reasonable in amount.
- Sale of your information. St. Paul’s will never sell your information unless you give us written permission.
- Psychotherapy notes. St. Paul’s will never share your psychotherapy notes unless you give us written permission.
Requirements
Your authorization is required for all other uses of personal health information
Except as described in this notice or required by law, we will use and disclose personal health information only with your written authorization. You may revoke your authorization to use or disclose personal health information in writing, at any time. If you revoke your authorization, we will no longer use or disclose your personal health information for the purposes covered by the authorization, except where we have already relied on the authorization.
Your rights regarding your personal health information
You have the following rights regarding your personal health information at the facility:
- Right to request restrictions. You have the right to request restrictions on our use or disclosure of your personal health information for treatment, payment or health care operations. You also have the right to restrict the personal health information we disclose about you to a family member, friend or other person who is involved in your care or the payment for your care. We are not required to agree to your requested restriction, unless the disclosure is to a health plan for purposes of carrying out payment or health care operations and the information pertains solely to a health care item or service for which you have paid in full out of pocket. However, if we do agree to the restriction, then we must adhere to the restriction.
- Right of access to personal health information. You have the right to request, either orally or in writing, your medical or billing records or other written information that may be used to make decisions about your care. If we maintain your information in an electronic record, you may obtain from us a copy of such information in an electronic format and direct us to transmit such copy directly to an entity or person designated by you. We must allow you to inspect your records within 24 hours of your request. If you request copies of the records, we must provide you with copies within 2 days of that request. We may charge a reasonable fee for our costs in copying and mailing your requested information.
- Right to request amendment. You have the right to request the facility to amend any personal health information maintained by the facility for as long as the information is kept by or for the facility. You must make your request in writing and must state the reason for the requested amendment. We may deny your request for amendment if the information:
- Was not created by the facility, unless the originator of the information is no longer available to act on our request;
- Is not part of the personal health information maintained by or for the facility;
- Is not part of the information to which you have a right of access; or
- Is already accurate and complete, as determined by the facility.
- If we deny your request for amendment, we will give you a written denial including the reasons for the denial and the right to submit a written statement disagreeing with the denial.
- Right to an accounting of disclosures. You have the right to request an "accounting" of our disclosures of your personal health information. This is a listing of certain disclosures of your personal health information made by the facility or by others on our behalf, but generally does not include disclosures for treatment, payment and health care operations, disclosures made pursuant to a signed and dated authorization, or certain other exceptions. If, however, we implement the use of electronic health records, disclosures for treatment, payment and health care operations purposes will be included in an accounting requested by you. To request an accounting of disclosures, you must submit a request in writing, stating a time period beginning on or after April 14, 2003 that is within six years from the date of your request (or within three years if we implement the use of electronic health records). An accounting will include, if requested: the disclosure date; the name of the person or entity that received the information and address, if known; a brief description of the information disclosed; a brief statement of the purpose of the disclosure or a copy of the authorization or request; or certain summary information concerning multiple similar disclosures. The first accounting provided within a 12 month period will be free; for further requests, we may charge you our costs.
- Right to a paper copy of this notice. You have the right to obtain a paper copy of this notice, even if you have agreed to receive this notice electronically. You may request a copy of this notice at any time. You may also obtain a copy of this notice at our web site at www.sp1867.org.
Duty to notify you of breach
- We are required to notify you in the event that your unsecured protected health information (PHI) is breached. A “breach” is defined as the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of the PHI, but does not include unintentional acquisition, access or use of such information, inadvertent disclosure of such information within a facility, and disclosure to a person not reasonably able to retain it. “Unsecured protected health information” refers to PHI that is not secured through the use of a valid encryption process approved by the Secretary of Health and Human Services or the destruction of the media on which the PHI is recorded or stored. Such encryption or destruction methods are not mandated on covered entities such as ours. We will evaluate the propriety of securing PHI for our residents, and act using our own discretion. However, should any of your “unsecured” PHI held by us be “breached,” then we will notify you in the manner discussed below.
- Timing and method of notification. We will notify you no later than 60 days after discovery of such breach via first-class mail or e-mail, if specified by you as your preference. If the breach involves the information of more than 500 individuals, we will also provide notice to prominent media outlets. We will also notify the Secretary of Health and Human Services of the breach (immediately if the breach involves the information of more than 500 individuals or in an annual notification for all other breaches).
- Contents of notification. Our notification to you will include:
- a brief description of what happened, including the date of breach and date of discovery (if known);
- a description of the types of PHI that were involved in the breach;
- any steps you should take to protect yourself from potential harm resulting from the breach;
- a brief description of what we are doing to investigate the breach, mitigate harm to the resident, and protect against further breaches; and
- contact procedures for you to ask questions or learn additional information, which must include a toll-free telephone number, an e-mail address, web site, or postal address.
Complaints
- If you believe that your privacy rights have been violated, you may file a complaint in writing with the facility or with the office of civil rights in the US Department of Health and Human Services. To file a complaint with the facility, contact the privacy officer at St. Paul’s at (724)-588-7610. All complaints must be submitted in writing.
- We will not retaliate against you if you file a complaint.
Changes to this notice
- We will promptly revise and distribute this notice whenever there is a material change to the uses or disclosures, your individual rights, our legal duties, or other privacy practices stated in this notice. We reserve the right to change this notice and to make the revised or new notice provisions effective for all personal health information already received and maintained by the facility as well as for all personal health information we receive in the future. We will post a copy of the current notice in the facility. In addition, we will provide a copy of the revised notice to all residents.
For further information
If you have any questions about this notice or would like further information concerning your privacy rights, please contact the privacy officer at St. Paul’s at 724-588-7610.