THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
University of Louisville Hospital/James Graham Brown Cancer Center (“Hospital”) values the privacy of your health information. In accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), our Notice of Privacy Practices (“Notice”) describes and gives examples of your rights and our obligations regarding the use and disclosure of your protected health information. The examples are not exhaustive. We may share your information in any manner that is consistent with the concepts described in this Notice or as otherwise permitted by federal, state or local health information privacy laws. This Notice is effective April 14, 2003.
The Hospital and certain independent health care providers who use the Hospital to treat their patients have adopted this Notice as a common statement of privacy practices. Generally, these providers are Hospital medical staff members and persons who work with them. A detailed list of entities and persons who participate in this arrangement is maintained in the Hospital’s medical staff office.
This Notice applies only to services performed in Hospital departments, such as mobile services or outpatient services located in buildings on the Hospital’s campus. This Notice does not apply to services that providers perform at their private physician clinics on the Hospital’s campus or at other locations. Each health care provider is separately responsible for its conduct and the services that it offers.
PERSONAL HEALTH INFORMATION WE MAY COLLECT
We may collect information about you from different sources, such as you, your family or designated representative, insurance companies, employers or other health care providers. The following are examples of information we may collect:
- Registration information, such as your name, address, birth date, social security number, medical and mental health history, payment sources, physicians’ names or how to contact your family or other persons involved in your care.
- Medical information, such as test results or health records of your treatment and diagnosis by physicians, nurses, therapists, mental health professionals or other health care providers.
USES AND DISCLOSURES REQUIRED BY HIPAA
Treatment, Payment and Health Care Operations: We may use and disclose your health and financial information to deliver treatment, obtain payment and conduct health care operations.
The following are examples of uses and disclosures for treatment:
- We may share your information with health care providers involved in your treatment, such as physicians, hospital staff or outside consultants (e.g. pathologists or radiologists).
- We may share your information with our departments to coordinate the different health care services that you may need, such as prescriptions, lab work or x-rays.
- We may share your information with other health care facilities to which you are transferred.
The following are examples of uses and disclosures for payment:
- We may share your information with your health plan as it relates to verifying your eligibility, reviewing services for medical necessity or other payment decisions.
Note: We submit claims to health plans based on information provided by patients or their representatives. Health plan statements are often sent to the policyholder, who may or may not be the patient.
- We may share your information with our business office to ensure costs were appropriate to the care or treatment that you received at our facility.
- We may share your information for the payment activities of another health care provider, such as an ambulance company that transports you to and from our facility.
The following are examples of uses and disclosures for health care operations:
- We may share your information to conduct our Academic Medical Center training programs, such as for physicians who are pursuing advanced training or faculty and students of the University of Louisville or other academic health affiliates.
- We may share your information to compile patient census data, conduct quality improvement programs or review the qualifications of health care professionals.
- We may share your information with manufacturer representatives. For example, technical advisors on new devices may be present during surgery to answer questions from the operating team.
- We may contact you as a reminder of an appointment you have for care or treatment at our facility.
Business Associates: We may share your information with our business associates who perform services on our behalf. We require our business associates to protect the privacy of your information.
Research: We may share your information for medical research when approved by an Institutional Review Board (IRB) or a Privacy Board. For example, we may compile research databases or create limited data sets permitted by federal regulations.
Health-Related Benefits and Services: We may contact you about treatment options, health-related benefits or other products or services that may be of interest to you. We may also contact you to conduct case management or care coordination.
Fundraising: We may contact you for fundraising efforts to support our educational and medical research mission.
Public Health: We may share your information with public health or other legal authorities charged with preventing or controlling disease, injury or disability. For example, we may notify the Kentucky Department for Public Health about certain diseases, such as active tuberculosis.
Food and Drug Administration: We may share your information with the Food and Drug Administration (FDA) to support activities related to the quality, safety or effectiveness of a product or activity.
Communicable Diseases: We may share your information with a person who may have been exposed to a communicable disease or may otherwise be at risk for contracting or spreading a disease or condition when permitted by law.
Health Oversight: We may share your information with a health oversight agency for activities authorized by law, such as audits, investigations or inspections. For example, we may share information with the state agency that issues our hospital license.
Coroners, Medical Examiners and Funeral Directors: We may share your information with coroners or medical examiners so they may perform their legal duties, such as making identifications or determining cause of death. We may also share your information with funeral directors so they may perform their duties.
Organ Donation: We may share your information with organ procurement organizations or other entities engaged in the procurement, banking or transplantation of organs to facilitate organ, eye or tissue donation and transplantation if you are an organ donor.
Workers Compensation: We may share your information as authorized under workers compensation laws or other similar programs established by law.
Inmates: We may share your information with an institution or law enforcement official as necessary for your health and the health and safety of other individuals if you are an inmate of a correctional institution or under the custody of a law enforcement official.
Required By Law: The following are examples of information we may share as required by law:
- Abuse or Neglect: We may share your information to report suspected abuse, neglect or domestic violence to public officials.
- Law Enforcement: We may share your information to respond to a warrant, subpoena or summons, to report certain types of wounds or to identify or locate suspects, witnesses or missing persons. We may also share your information if you are, or are suspected of being, a victim of a crime or to alert law enforcement officials when we believe a death may have resulted from criminal conduct, a crime occurred on our property or a medical emergency exists off our property and it is likely that a crime occurred.
- Legal Proceedings: We may share your information under a judicial or administrative proceeding and in response to a court order, subpoena, discovery request or other lawful process.
Threatening Activities: We may share your information if we believe it is necessary to prevent or lessen a serious or present threat to the health or safety of a person or the public. We may also share your information with law enforcement authorities to identify or apprehend an individual.
Military, National Security and Intelligence Activities: We may share your information as required by military command authorities if you are a member of the Armed Forces. We may also share your information with authorized federal officials to conduct intelligence, counter-intelligence or other national security activities, protect the President or other authorized persons or conduct special investigations.
USES AND DISCLOSURES TO WHICH YOU MAY AGREE OR OBJECT
You have the right to agree or object to the following uses and disclosures of your information. If you are not able to agree or object due to incapacity or an emergency treatment circumstance, we may share your information according to your prior expressed preference or if we determine it is in your best interest.
Facility Directories: We may share your name, your location in our facility and a general description of your condition. We may also share your religious affiliation with the clergy.
Individuals Involved In Your Health Care: We may share your information with your family, friends or other persons you identify. We may also share your information to notify or assist in notifying your family or other persons responsible for your care about your location, general condition or death.
Disaster Relief: We may disclose your information to a public or private entity authorized to assist in disaster relief efforts or to coordinate with your family or other persons involved in your care.
USES AND DISCLOSURES REQUIRING YOUR AUTHORIZATION
Except as described above, we will not use or disclose your information without authorization from you or your representative unless otherwise permitted or required by law. You may revoke an authorization at any time. The revocation will not apply to disclosures already made in reliance on your authorization. Your request for revocation must be made in writing to our Privacy Officer.*
Right to Restrictions: You may ask us to restrict how we use and disclose your information to carry out treatment, payment and health care operations to your family, friends or other persons you identify. We may agree to or deny your request. Your request for restrictions must be made in writing to our Privacy Officer.*
Right to Confidential Communications: You may receive confidential communications by different means and at different locations. We will make every attempt to accommodate reasonable requests. Your request for confidential communications must be made in writing to our Privacy Officer.*
Right to Amendment: You may ask that we amend your health information in a designated record set for as long as the information is maintained. We may agree to or deny your request. If we deny your request, you may submit a written statement of disagreement and we may prepare a written rebuttal. If you do not submit a statement of disagreement, you may ask us to include your request for amendment and our denial with future disclosures. Your request for amendment must be made in writing to our Privacy Officer.*
Right to an Accounting of Disclosures: You may receive an accounting of disclosures of your information made by us in the six (6) years prior to the date that you request the accounting. Among other exceptions, this right does not apply to treatment, payment and health care operations, persons involved in your care, national security or intelligence purposes, correctional institutions or law enforcement officials or disclosures that occurred before April 14, 2003. Your request for an accounting of disclosures must be made in writing to our Privacy Officer.*
Right to Inspect and Copy: You may inspect and obtain a copy of your protected health information contained in a designated record set for as long as the information is maintained. We may deny your request in certain circumstances and you may request a review of the denial. Your request to inspect and copy must be made in writing to our Medical Records Department.
Right to a Copy of this Notice: You have the right to a paper copy of this Notice at any time. You may obtain a copy of this Notice by making a written or verbal request to our Admissions Department.
* Please direct correspondence to our Privacy Officer at the address listed below.
We are required by law to maintain the privacy of your protected health information and to provide you with notice of our legal duties and privacy practices that affect your information. We are also required by law to abide by the terms of this Notice.
CHANGES TO THIS NOTICE
We reserve the right to change the terms of this Notice at any time and to make the new Notice provisions effective for all PHI that we maintain. You may obtain a copy of the new Notice by making a written or verbal request, by accessing our website at www.uoflhealthcare.org or at the time of your next visit.
If you believe your privacy rights have been violated, you may file a written complaint with our Privacy Officer at the address listed below or the Secretary of the U.S. Department of Health and Human Services. We will not retaliate against you for filing a complaint.
Please direct correspondence or questions to:
University of Louisville Hospital
530 South Jackson Street
Louisville, KY 40202-1675