JOINT NOTICE OF PRIVACY PRACTICES
1. THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GAIN ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
2. WE HAVE A LEGAL DUTY TO SAFEGUARD YOUR PROTECTED HEALTH INFORMATION (PHI)
We are legally required to protect the privacy of your health information. We call this information “protected health information” or “PHI” for short. PHI is information that can be used to identify you, which has been created or received about your past, present, or future health or condition, the provision of healthcare to you, or the payment for this health care. We are required to provide you with this notice about our privacy practices that explains how, when, and why we use and disclose your PHI. We are required to notify you in the event of a breach of your unsecured PHI. With some exceptions, we may not use or disclose any more of your PHI than is necessary to accomplish the purpose of the use or disclosure. We are legally required to follow the privacy practices that are described in this notice. However, we reserve the right to change the terms of this notice and our privacy policies at any time. Any changes will apply to the PHI we already have. Before we make an important change to our policies, we will promptly change this notice and post a new notice in a location clearly visible and accessible to all individuals who receive treatment or services at any Saint Agnes Health Care, Inc. facility. You can also request a copy of this notice from the Saint Agnes Health Care, Inc. HIPAA Privacy Office listed in Section 5 at any time and can view a copy of the notice on our website at www.stagnes.org.
3. HOW WE MAY USE AND DISCLOSE YOUR PROTECTED HEALTH INFORMATION
We use and disclose health information for many different reasons. For some of these uses or disclosures, we must obtain your written authorization. Below, we describe the different categories of our uses and disclosures and give you some examples of each.
3.1 Uses and Disclosures Relating to Treatment, Payment or Health Care Operations.
3.1.1 For treatment. We may disclose your PHI to physicians, nurses, medical students and other health care personnel who provide you with health care services or are involved in your care. For example, if you’re being treated for a knee injury, we may disclose your PHI to the physical therapy department to coordinate your care.
3.1.2 To obtain payment for treatment. We may use and disclose your PHI to bill and collect payment for the treatment and services provided to you. For example, we may provide portions of your PHI to our billing department and your health plan to get paid for the health care services we provided to you. We may also provide your PHI to our business associates, such as billing companies, claims processing companies, and others that process our health claims.
3.1.3 For health care operations. We may disclose your PHI to operate our hospital, clinics, and other health care service locations. For example, we may use your PHI to evaluate the quality of health care services that you received or evaluate the performance of the health care professionals who provided health care services to you. We may also provide your PHI to our accountants, attorneys, consultants, and others to make sure we are complying with the laws that affect us.
3.1.4 For education/training. On occasion, we participate in the education and training of health care professionals. We may use and disclose your medical information to current and prospective students, residents, and/or observers as part of the training and educational process. For example, your physician may allow a student or observer to monitor your treatment as a part of a learning experience.
3.2 Certain Other Uses and Disclosures That Do Not Require Your Consent
3.2.1 When disclosure is required by federal, state, or local law, judicial or administrative proceedings, or law enforcement. For example, we make disclosures when a law requires that we report information to government agencies and law enforcement personnel about victims of abuse, neglect, or domestic violence; when dealing with gunshot and other wounds, or when ordered in a judicial or administrative proceeding.
3.2.2 For public health activities. For example, we report information about births, deaths, and various diseases to government officials in charge of collecting that information, and we provide coroners, medical examiners, and funeral directors necessary information relating to an individual’s death.
3.2.3 For health oversight activities. For example, we will provide information to assist the government when it conducts an investigation or inspection of a health care provider or organization.
3.2.4 For purposes of organ donation. We may notify organ procurement organizations to assist them in organ, eye, or tissue donation or transplants.
3.2.5 For research purposes. In certain circumstances, we may provide PHI to conduct research.
3.2.6 To avoid harm. To avoid a serious threat to the health or safety of a person or the public, we may provide PHI to law enforcement personnel or persons able to prevent or lessen such harm.
3.2.7 For specific government functions. We may disclose PHI of military personnel and veterans in certain situations. We may also disclose PHI for national security purposes, such as protecting the President of the United States or conducting intelligence operations.
3.2.8 For workers’ compensation purposes. We may provide PHI to comply with workers’ compensation laws.
3.2.9 Appointment reminders and health-related benefits or services. We may use PHI to provide appointment reminders or give you information about treatment alternatives, or other health care services or benefits we offer.
3.2.10 Fundraising activities. We may use PHI to raise funds for our organization. The money raised through these activities is used to expand and support the health care services and educational programs we provide to the community. If you do not wish to be contacted as part of our fundraising efforts, you can opt out by notifying the Saint Agnes Health Care, Inc. Privacy Coordinator or the Foundation Office listed in Section 5.
3.2.11 Marketing. We must obtain your written authorization before we can use or disclose your PHI for marketing purposes, except for face to face communications made by us to you or a promotional gift of nominal value provided by us to you. We must also obtain your written authorization before we sell your PHI.
3.3 Uses and Disclosures to Which You Have an Opportunity to Object
3.3.1 Patient directories. We may include your name, location in this facility, general condition, and religious affiliation (if any) in our patient directory for use by clergy and visitors who ask for you by name, unless you object in whole or in part.
3.3.2 Disclosure to family, friends, or others. We may provide your PHI to a family member, friend, or other person that you indicate is involved in your care or the payment of your health care, unless you object in whole or in part.
3.3.3 Health Information Exchange
In an effort to provide the best care to you, St. Agnes Healthcare participates in arrangements between health care organizations that facilitate access to health care information that may be relevant to your care. For example, if you have an emergency and you cannot provide important information about your health, these arrangements will allow us to obtain information to treat you. Some St. Agnes Healthcare facilities participate in health information exchange organizations (“HIE”) that permit computer-based transfer of health information directly between healthcare providers at different locations and institutions to facilitate your care and treatment. Some facilities store information in a shared electronic medical record with other health care providers who participate in this regional arrangement. The participants may share your medical information with each other through the shared electronic medical record. You may opt out of the health exchanges St. Agnes participates in by letting your St. Agnes staff know. They can provide you instruction upon your request if you wish to opt out at this time or at any time in the future. Even if you opt-out of the health exchanges, public health reporting and Controlled Dangerous Substances information, as part of the Maryland Prescription Drug Monitoring Program (PDMP), will still be available to providers as permitted by law.
3.4 All Other Uses and Disclosures Require Your Prior Written Authorization. In any other situation not described in this section, we will ask for your written authorization before using or disclosing any of your PHI. If you choose to sign an authorization to disclose your PHI, you can later revoke that authorization in writing to stop any future uses and disclosures (to the extent that we haven’t taken any action relying on the authorization).
4. WHAT RIGHTS YOU HAVE REGARDING YOUR PHI
4.1 The Right to be Notified in the Event of a Breach of Your Unsecured PHI.
4.2 The Right to Request Restrictions on Uses and Disclosures of Your PHI. You have the right to ask that we restrict how we use and disclose your PHI. We are not required to agree to these requests, except for when you request that we not disclose information to your health plan about services for which you paid out-of-pocket in full. In those cases, we will honor your request, unless the disclosure is necessary for your treatment or is required by law.
4.3 The Right to Choose How We Send PHI to You. You have the right to ask that we send information to you at an alternate address (for example, to your work address rather than your home address) or by alternate means. We must agree to your request so long as we can easily provide it as you requested.
4.4 The Right to See and Get Copies of Your PHI. In most cases, you have the right to look at or get copies of your PHI that we have, but you must make the request in writing. If we don’t have your PHI but we know who does, we will tell you how to get it. We will respond to you within 21 days after receiving your written request. In certain situations, we may deny your request. If we do, we will tell you, in writing, our reasons for the denial and explain your right to have the denial reviewed. If you request copies of your PHI, we will charge you a reasonable cost-based fee. We do not charge a fee for sending copies of your PHI to another health care facility or provider where you are or will be receiving health care services.
4.5 The Right to Get a List of the Disclosures We Have Made. You have the right to get a list of instances in which we have disclosed your PHI. The list will not include any of the uses or disclosures listed in section 3.1, 3.3, and 3.4. The list also won’t include any uses or disclosures made before April 14, 2003. We will respond within 60 days of receiving your request. The list we will give you will include disclosures made in the last six years unless you request a shorter time. The list will include the date of the disclosure, to whom PHI was disclosed (including their address, if known), a description of the information disclosed, and the reason for the disclosure. We will provide the list to you at no charge, but if you make more than one request in the same year, we will charge you for the cost to provide you each additional request.
4.6 The Right to Correct or Update Your PHI. If you believe that there is a mistake in your PHI or that a piece of important information is missing, you have the right to request that we correct the existing information or add the missing information. You must provide the request and your reason for the request in writing. We will respond within 60 days of receiving your request. We may deny your request in writing if the PHI is (i) correct and complete, (ii) not created by us, (iii) not allowed to be disclosed, or (iv) not part of our records. Our written denial will state the reasons for the denial and explain your right to file a written statement of disagreement with the denial. If you don’t file one, you have the right to request that your request and our denial be attached to all future disclosures of your PHI. If we approve your request, we will make the change to your PHI, tell you that we have done it, and tell others that need to know about the change to your PHI.
4.7 The Right to Get This Notice electronically. You have the right to get a copy of this notice electronically. Even if you have agreed to receive notice electronically, you also have the right to request a paper copy of this notice.
4.8 The Right to Keep Your Mental Health Providers’ Private Notes Secure. We must obtain your written authorization before we may use or disclose your psychotherapy notes, except for: use by the originator of the psychotherapy notes for treatment; use or disclosure by the hospital for mental health training programs; or, use or disclosure by Saint Agnes Health Care, Inc. to defend itself in a legal action or other proceeding brought by you.
5. PERSON TO CONTACT FOR INFORMATION ABOUT THIS NOTICE OR TO COMPLAIN ABOUT OUR PRIVACY PRACTICES.
If you have questions about this notice or think that we may have violated your privacy rights, or you disagree with a decision we made about access to your PHI, please contact our Privacy Officer:
Saint Agnes Health Care, Inc.
900 Caton Ave.
Baltimore, MD 21229
For clarifications about fundraising:
Saint Agnes Health Care, Inc.
Fundraising Office, President
900 Caton Ave.
Baltimore, MD 21229
You also may send a written complaint to:
Secretary of the Department of Health and Human Services
200 Independence Avenue, SW
Washington, DC 20201
We will not take actions against you if you file a complaint about our privacy practices.
6. WHO WILL FOLLOW THIS NOTICE OF PRIVACY PRACTICES
This notice describes the practices of the employees, affiliates, staff, volunteers, departments and units of Saint Agnes Health Care, Inc.
Saint Agnes Health Care, Inc. contracts with certain independent physicians and groups of healthcare providers (for example, radiologists, anesthesiologists, pathologists, emergency room physicians etc.) who may provide services at some of our sites and locations even though Saint Agnes Health Care, Inc. does not directly employ them. Unless one of these contracted groups provides you with its own Notice of Privacy Practices, this Notice applies to their uses and disclosures of PHI and they have agreed to abide by the terms of this Notice.
All Saint Agnes Health Care, Inc. entities, sites, and locations follow the terms of this Notice. In addition, these Saint Agnes Health Care, Inc. entities, sites, and locations may share PHI with each other for purposes of treatment, payment, or hospital operations as described in this Notice.
7. EFFECTIVE DATE OF THIS NOTICE
The initial notice was effective on April 14, 2003
Revised October 11, 2011
Revised September 23, 2013
Revised August 7, 2015
Revised March 31, 2017
Revised February 27, 2018