REVISED NOTICE OF PRIVACY PRACTICES
Alliance Citizens Health Association
Alliance Community Hospital
Alliance Visiting Nurses Association & Hospice
Caring Hands, Inc.
Alliance Medical Associates
Community Care Center
ACH Family Care - Urgent Care Center
Alliance Community Medical Foundation
Alliance Community Radiologists
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Alliance Community Hospital and its affiliated health provider entities listed above (“we” or “our”) are committed to safeguarding the privacy and security of your Protected Health Information (“PHI”) in paper and electronic (computer) form. We have adopted practices that comply with HIPAA’s Privacy Rule (as amended) to protect the use and disclosure of your PHI. It is posted on our website: www.achosp.org. If you do not have a computer or internet access, or if you want a paper copy of this notice, you may request a paper copy at any time by calling (330) 596.6000.
Please read this notice and share it with your family or personal representative. Not every use or disclosure of PHI, with or without a signed authorization, may be listed. Uses or disclosures not specified in this notice generally will require an authorization. If you have questions, please call our Privacy Officer at 330.596.7161.
Use and Disclosure of PHI for Treatment, Health Care Operations, and Payment (TOP)
We will create, receive, or access your PHI, which we may use or disclose to other covered entities for treatment, Health Care Operations, and Payment (“TOP”) without your need to sign an authorization.
Covered entities include health care providers (e.g. hospitals, doctors, nurses, nursing homes, home health agencies, durable medical equipment suppliers, and other health care professionals and suppliers) and group health and plans.
Use means our accessing, sharing, employing, applying, utilizing, examining, or analyzing your PHI within the hospital and its affiliated health provider entities.
Disclose or Disclosure
Disclose means our releasing, transferring, providing access to, or divulging in any other manner your PHI to a third party outside of the hospital and its affiliated health provider entities.
Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including referrals and consultations between providers. We will use your PHI for your treatment, which includes (but is not limited to) radiology, laboratory and other diagnostic tests, medical treatment, surgery and other procedures. We will disclose your PHI to other hospitals, doctors, pharmacies, health care professionals, and facilities that are involved in your treatment or to whom you are being referred as part of continuity of care. We will not disclose your PHI to persons who are not involved in your treatment, unless they are participating in health care operations, without your authorization. We have physical, technical, and administrative safeguards in place to protect against unauthorized access.
Health Care Operations
We will use PHI for health care operations, which include (but are not limited to) quality assurance, performance improvement, peer review, risk management, and compliance. Health care operations also include preventive, wellness, case management and related services.
We will use and disclose PHI when checking with your health plan or third-party payer about eligibility, coverage, pre-certification, or when billing and submitting claims for payment of treatment we provided. You may ask us not to submit a claim containing certain PHI to your health plan or third-party payer. We will honor your request if you pay your claim out-of-pocket in full.
HIPAA permits us to disclose information to collection agencies if you do not pay your bill. If you are injured in an accident, or if another party is responsible for paying for your medical care, we may be legally obligated to send our bill for treatment first to the responsible party’s commercial payer or to the responsible party if the commercial payer is not known. This also applies (without limitation) to our obligation under Medicare’s Secondary Payer Rules.
We may contract with outside persons or entities called business associates who access PHI to perform covered functions for us. Business associates, including their agents and subcontractors, must protect the privacy and security of your PHI to the same extent we do.
Except when PHI is used or disclosed for treatment, we will limit the use or disclosure of your PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request of PHI.
Communicating with You, Your Family, Personal Representative, and Persons Involved in Your Care
Communicating with You
We may contact you for scheduling or reminding you of appointments, giving you test results, or refill reminders. We may contact you by mail or telephone. If we call you, we will identify ourselves and ask to speak with you. If you are not available, we may leave a message for you to call us, but we will not disclose details about your medical condition or PHI in that message.
Services and Programs
We or a business associate may contact you about health care services, prescription refills, treatment alternatives or health-related benefits, services, case management, wellness and preventive care programs, such as smoking cessation, weight management, and education programs. We or a business associate also may contact you in follow-up to services regarding your satisfaction. We will not sell your PHI to third-parties for marketing. Any use or disclosure of your PHI for marketing will require your signed authorization. If you do not want to be contacted or receive information about these services and programs, you may opt out by contacting (330) 596.6000. Opting out will not affect any care, treatment, or services we provide to you.
We may contact you about fundraising. If you do not want to be contacted or receive fundraising materials, you may opt out by contacting (330) 596.6000. Opting out will not affect any care, treatment, or services we provide to you.
You May Request that we Contact You by Alternate Means
You may request us to contact you by alternate means or at a different telephone number, address, or email address from what you usually use. Let us know if you do not want us to send information to you at your home address, a particular email address, call you at home, or leave a message. You do not have to explain the reason for your request.
Family and Friends
We will include you in our patient directory, which may list your name, room number, general condition and religion. Directory information is available to family, friends, clergy and others who ask about you by name. You may request that we do not list you in the directory, or you may restrict access to certain persons whom you identify by notifying Patient Registration. If you are not listed in the directory, we will not disclose or confirm any information about you, including whether you are a patient.
Most patients allow us to discuss their PHI with family members, guardians, persons named in a health care power of attorney or advanced directive (living will), personal representatives, or others who are assisting in your care or helping you with your medical bills. This may include discussing or answering questions a family member (spouse, adult children, parents, guardians, or personal representatives) may have about your condition, treatment, medication and refills, or appointments. It also may include answering questions about your medical bill. We will assume that you will permit us to talk with family members and those assisting you, unless you direct us not to. We will communicate with family members or others involved in your care in emergencies, or if required by law.
Emancipated and Mature Minors
We usually will share the PHI of a minor (a person less than 18 years old) with the minor’s parent(s) or guardian. We will not share PHI with the parent(s) or guardian of an emancipated minor. A minor is considered emancipated if he or she: (1) does not live with his or her parent(s); (2) is not covered by parental health insurance; (3) is financially independent of parent(s); (4) is married; (5) has children; or (6) is in the military.
In some cases, if requested, we may not share PHI of a mature minor (over 14 but less than 18) with the minor’s parent(s), guardian, or health plan for certain conditions, including alcohol or substance abuse, obstetrical care, or STDs. We will encourage the minor to involve parent(s) or guardian.
We will disclose PHI of deceased patients to the probate court’s appointed executor or administrator of the deceased patient’s estate. We also may disclose PHI to the patient’s spouse, family, personal representative, or others involved in the patient’s care or management of the patient’s affairs, unless doing so is inconsistent with the patient’s expressed wishes known to us. We may disclose PHI of any deceased patient without an authorization after 50 years.
Use and Disclosure of PHI You Authorize and Your Right to Cancel Authorization
We will not use or disclose your PHI other than for treatment, health care operations, or payment (“TOP”) without your signed authorization, except as stated in this notice or otherwise required by law. We will not condition your treatment on your signing an authorization.
The date on your authorization generally should not be more than 30 days before your give it to us. We may ask you to sign a new authorization if the date is more than 60 days, or we have other questions. This is for your protection. You may fax a copy of your authorization to us at (330) 821.6471.
We will not disclose psychotherapy notes without a signed authorization unless required by law.
We will not disclose your PHI to your employer without your authorization. We will not release medical records if we are subpoenaed, unless you sign an authorization, or the lawyers sign a qualified protective order, or if we receive a court or administrative order.
You may authorize us to disclose PHI to persons who are not covered entities or business associates under HIPAA. Once that information is disclosed to a non-covered person, HIPAA no longer applies. A person or entity not covered by HIPAA may use or re-disclose medical information it receives in any way that is not prohibited by law.
You may cancel your authorization in writing at any time by notifying us in person or faxing us the written cancellation at (330) 821.6471. Once we receive your written cancellation, we no longer will disclose your PHI. We are not responsible for any use or disclosure of PHI according to the Authorization before we receive your written cancellation.
Use and Disclosure of Health Information Permitted or Required by Law
We may use or disclose PHI, without an Authorization, as permitted or Required by Law, including the following:
Workers’ Compensation. Ohio law permits us to disclose health information, without a separate Authorization, when an employee files a Workers’ Compensation Claim or seeks benefits for work-related injuries or illnesses.
Public Health Agencies. Ohio law requires us to disclose PHI to public health agencies for reporting births and deaths, to help control disease, injury or disability. The law requires us to report cases of suspected abuse, neglect, or domestic violence.
FDA and OSHA. Certain Federal laws from the FDA and OSHA require us to disclose PHI in reporting adverse events, product problems, and biological product deviations, so safety precautions, recalls and notifications can be conducted.
Regulatory Agencies. We will disclose PHI to certain Ohio and Federal governmental regulatory and health oversight agencies for purposes of their reviewing health care system, civil rights, privacy laws, and compliance with other governmental programs.
National and Homeland Security. We may disclose information concerning patients to authorized federal officials for intelligence and other national and homeland security purposes.
Protective Services for the President and Others. We may disclose medical information about you to authorized federal officials, so they may provide protection to the President, other authorized persons, or foreign heads of state and officials, or to conduct special investigations.
Red Cross and Armed Forces. We may disclose PHI to the Red Cross or armed forces to assist it in notifying the patient’s family member of the patient’s location, general condition, or death.
Coroners, Medical Examiners, and Funeral Directors. We may disclose PHI to coroners, medical examiners, or funeral directors for them to perform legally authorized responsibilities.
Law Enforcement. We may disclose PHI to law enforcement officials when it: (1) is limited to identification purposes; (2) applies to victims of crime; (3) involves a suspicion that injury or death has occurred because of criminal conduct; (4) is needed in a criminal investigation; (5) necessary to prevent or lessen the threat to the health or safety of a person or to the public; (6) in response to a valid court order; (7) to identify or locate a suspect, fugitive or missing person; (8) to report a crime on our premises; or (9) is Required by Law.
Emergency or Disaster. If the President declares an emergency or disaster, and the Secretary of HHS declares a public health emergency, the Secretary may waive our obligation to comply with any or all of the following Privacy requirements to: (1) obtain the patient’s agreement to speak to family members or friends involved in the patient’s care; (2) honor a request to opt out of the facility directory; (3) distribute a Notice of Privacy Practices; (4) patient’s right to request privacy restrictions; or (5) the patient’s right to request confidential communications. Waiver only applies if the Hospital is in the emergency area for the emergency period and for up to 72 hours until the Hospital implements its disaster protocol.
Prevent Threat of Serious Harm. We may disclose PHI if a reasonable belief exists that it may prevent or lessen a serious and imminent threat to the health or safety to you, another person, or the public, and disclosure is made to a person(s) reasonably able to prevent or lessen the threat, including the target of the threat.
Proof of Immunization. We may disclose PHI to schools for the limited purpose of showing proof of immunization of a student or prospective student, and the parent, guardian, person acting in loco parentis, or emancipated minor does not object.
Organ and Tissue Donation. If you are an organ or tissue donor, we may disclose medical information to the organizations that handle: (1) organ procurement; (2) organ, eye, or tissue transplantation; or (3) an organ donation bank, as applicable, to facilitate organ or tissue donation and transplantation.
Correctional Institution or Custody. If you are an inmate of a jail, prison, correctional institution, or under the custody of law enforcement officials, we may release medical information about you for purposes of: (1) the institution’s providing you with health care; (2) protecting your health and safety and the health and safety of others; and (3) protecting the safety and security of the correctional institution or custodial facility.
You have the Right to Request Restrictions on Certain Uses and Disclosures of PHI
You may request that we do not disclose certain PHI to family members, personal representatives, friends or others. HIPAA’s Privacy Rule gives hospitals and doctors the right to deny a patient’s request to restrict the use or disclosure of PHI when it is being used or disclosed to other covered entities for treatment purposes.
We will honor your request to restrict the use or disclosure of PHI when submitting a claim to insurance or health plan for reimbursement if you agree in writing to pay out-of-pocket the claim in full. We will consider all other requests for restricted use or disclosure of PHI on a case-by-case basis. If we cannot accommodate your request, we will let you know.
You have a Right to Access, Inspect, and Receive a Copy of Your Own PHI
Generally, you have the right to inspect and have a copy of your own PHI in our records maintained as a “designated record set.” There are exceptions. You may not have the right to inspect or copy psychotherapy notes or information compiled for civil, criminal or administrative proceedings. Your right may not extend to information covered by other laws or information obtained from someone other than another health care provider. We may deny access if, in our judgment, seeing that information could endanger the life or safety of you or another. We may charge you at the rate the law permits for copying records.
You may request access to your PHI in writing and giving or sending it to us. We will consider all requests according to our legal responsibilities under the privacy rule.
We usually will respond within 30 days from when we receive the request. Sometimes, it may take more than 30 days in which case we will act as soon as reasonably practical. If we grant your request, we will set up an appointment for you to inspect your PHI.
If you request access to PHI that is maintained in an electronic record or electronic designated data set, we will provide an electronic “machine readable copy” in a standard format enabling the ePHI to be processed and analyzed by a computer in a manner that accommodates Individual requests for specific formats.
Alternatively, you may ask for a written summary of your health information instead of inspecting or copying your records. We may charge you for a summary. If we are unable to grant your request, we will notify you in writing of the basis for the denial and your rights for review.
You have the Right to Amend Incorrect or Incomplete Facts in Your PHI
You may request that incorrect or incomplete PHI in your record be amended by contacting our Privacy Officer at (330) 596.7161, or mailing your request to us. We will respond to your request within 60 days from when we receive your written request.
We will grant your request if PHI that we created is incorrect or incomplete. We will not amend your health information if it is not part of a designated record set or was not created by us, if it would not be available for you to inspect, or if the information is accurate and complete.
If we grant your request, we will amend the PHI in the designated record set. We will inform you that we have made the amendment, and we will inform persons who have received and may have relied on PHI that it has been amended.
If we deny your request, we will: (1) tell you in writing the reason for denial; (2) inform you of your right to submit a written statement of disagreement, which we will keep with your record and will include with future disclosures; and (3) inform you of your right to file a complaint. If you file a statement of disagreement, we may prepare a written rebuttal. If you have questions about this right, please contact our Privacy Officer at (330) 596.7161.
You have a Right to Receive an Accounting of Disclosures of Health Information
You have a right to receive an accounting of disclosures we have made to others of your PHI up to six years prior to the date in which the request for an accounting is made. There are certain exceptions and limitations, including, but not limited to disclosures made: (1) for treatment, Health Care Operations, or Payment; (2) to the Individual (or Personal Representative) of his or her own PHI; and (3) according to a signed Authorization.
You may request an accounting of disclosures by contacting our Privacy Officer at (330) 596.7161. The first accounting you request within a 12-month period will be free. For additional accountings, we may charge you for the cost of preparing the list.
The accounting will include the date of disclosure of PHI; the name of the third-party to whom PHI was disclosed; if known, the address of the third-party; a brief description of the disclosed PHI; and a brief explanation of the purpose for disclosure.
Your Have a Right to Receive a Breach Notification
We will promptly notify you by first-class mail, at your last known address, if we discover a breach of Unsecured PHI, which includes the unauthorized acquisition, access, use, or disclosure of your PHI, unless we determine by Risk Assessment that a low probability exists that the compromise of your PHI would cause you financial, reputational, or other harm. We will include in the breach notification a brief description of what happened, a description of the types of unsecured PHI involved, steps you should take to protect yourself from potential harm, a brief description of what we are doing to investigate the breach and mitigate potential harm, as well as contact information for you to ask questions and learn additional information.
Health Information Exchange
We, along with other area hospitals, physicians, and health care providers may participate in a Health Information Exchange (HIE), which allows covered entities to share patient information electronically for treatment purposes. An HIE is considered a business associate and is required to safeguard the privacy and security of your PHI.
Only health care providers caring for you, or who may be involved in your care, may access PHI from the HIE. Administrative, physical and technical safeguards, such as password protection, encryption, audit and tracking capability, that comply with HIPAA and other privacy laws protect the privacy and security of your PHI in the HIE.
PATIENT CONCERN AND COMPLAINT RESOLUTION PROCEDURE
We are committed to protecting your PHI. Despite our best efforts, questions, concerns, or problems may arise. If you have a concern, or you believe that your privacy rights have been violated or breached, we encourage you to contact us immediately. You may send us a written complaint, or call our Privacy Officer at (330) 596.7161.
We take all concerns and complaints very seriously and will investigate each one promptly. If we made a mistake or learn of an unauthorized disclosure or breach, we will do what we can to correct it and take steps to prevent such mistakes or problems in the future. If we did not make a mistake, we will provide you with an explanation. Either way, we will make every effort to get back to you within 30 days.
We will never retaliate against you for expressing a concern or filing a complaint relating to your privacy rights. If you are not satisfied by our response, you may contact the Office for Civil Rights of the Department of Health and Human Services in Washington, D.C. in writing within 180 days of the suspected violation or breach.
Changes to this Notification of Privacy Practices
We reserve the right to change this notice at any time, which we may make effective for PHI we already used or disclosed, and/or for any PHI we may create, receive, use, or disclose in the future. We will make material amendments based on changes in the HIPAA laws.
We will post a current version of our Notice of Privacy Practices (with the effective date) on our website and at Alliance Community Hospital and its health provider affiliates listed above. You may request a paper copy of the notice whenever you come for treatment or at any time by calling 330-596-6000.
The effective date of this Notice of Privacy is September 23, 2013.