HIPAA Notice of Privacy
Notice of Privacy Practices
Aviso de las Prácticas de Privacidado
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
We are required by law to maintain the privacy of your health information and to give you our Notice of Privacy Practices (this "Notice") that describes our privacy practices, legal duties and your rights concerning your medical information. Your health information includes your individually identifiable medical, insurance, demographic and medical payment information. For example, it includes information about your diagnosis, medications, insurance status, medical claims history, address, and policy or social security number.
WHO WILL FOLLOW THIS NOTICE
THE UNITYPOINT HEALTH AFFILIATED COVERED ENTITY. This Notice describes the privacy practices of the organizations listed in Appendix A ("Affiliates"), which form the UnityPoint Health Affiliated Covered Entity ("UnityPoint Health ACE") including hospitals, clinics and other health care providers that the organizations operate, as well as any health care facility or physician practice now or in the future controlled by or under common control by UnityPoint Health. The organizations are part of the UnityPoint Health Affiliated Covered Entity ("UnityPoint Health ACE.")
MEDICAL STAFF. This Notice also describes the privacy practices of the physicians, nurse practitioners and other health care professional on our medical staffs (collectively "Practitioners") and other health care providers that provide health care services in our hospitals, clinics and other sites. Legally this is called an "organized health care arrangement" or "OHCA" between the UnityPoint Health ACE and eligible providers on its Medical Staff. Because the UnityPoint Health ACE is a clinically- integrated care setting, our patients receive care from UnityPoint Health ACE staff and from independent practitioners on the Medical Staff. The UnityPoint Health ACE and its Medical Staff must be able to share your health information freely for treatment, payment and health care operations as described in this Notice. Because of this, the UnityPoint Health ACE and all eligible providers on the UnityPoint Health ACE's Medical Staff have entered into the OHCA under which the IHS ACE and the eligible providers will:
Use this Notice as a joint notice of privacy practices for all inpatient and outpatient visits and follow all information practices described in this notice
- Obtain a single signed acknowledgment of receipt
- Share health information from inpatient and outpatient hospital visits with eligible providers so that they can help the UnityPoint Health ACE with its health care operations
Accordingly, this Notice will be followed by (1) our workforce members and (2) the independent physicians and other Practitioners who are not employees, agents, servants, partners or joint ventures of UnityPoint Health or its Affiliates. All Practitioners are solely responsible for their judgment and conduct in treating or providing professional services to patients and for their compliance with state and federal laws. Nothing in this Notice is meant to imply or create an employment relationship between any independent physician or other Practitioner and us. We use a joint Notice of Privacy Practices and a joint Acknowledgement Form with independent physicians and other practitioners to reduce paperwork and make it easier to share information to improve your care. This Notice does not change or limit any consents for treatment or procedures the patient may sign during the time the patient receives care from any of us.
The OHCA does not cover the information practices of practitioners in their private offices or at other practice locations.
HOW WE MAY USE AND DISCLOSE YOUR HEALTH INFORMATION
The following are the types of uses and disclosures we may make of your health information without your permission. Where state or federal law restricts one of the described uses or disclosures, we follow the requirements of such state or federal law. These are general descriptions only. They do not cover every example of disclosure within a category.
TREATMENT. We will use and disclose your health information for treatment. For example, we will share health information about you with nurses, physicians, students and others who are involved in your care at a UnityPoint Health Affiliate. Our Affiliates enter and can view your health information in our electronic medical record system. We will also disclose your health information to your physician and other practitioners, providers and health care facilities that provide care for you at their sites, rather than at our sites, for their use in treating you in the future. For example, if you are transferred from one of our hospitals to a nursing facility, we will send health information about you to the nursing facility.
PAYMENT. We will use and disclose your health information for payment purposes. For example, we will use your health information to prepare your bill and we will send health information to your insurance company with your bill. We may also disclose health information about you to other health care providers, health plans and health care clearinghouses for their payment purposes. For example, if you are brought in by ambulance, the information collected will be given to the ambulance provider for its billing purposes. If state law requires, we will obtain your permission prior to disclosing to other providers or health insurance companies for payment purposes.
HEALTH CARE OPERATIONS. We may use or disclose your health information for our health care operations. For example, medical staff members or members of our workforce may review your health information to evaluate the treatment and services provided, and the performance of our staff in caring for you. In some cases, we will furnish other qualified parties with your health information for their health care operations. The ambulance company, for example, may also want information on your condition to help them know whether they have done an effective job of providing care. If state law requires, we will obtain your permission prior to disclosing your health information to other providers or health insurance companies for their health care operations.
APPOINTMENT REMINDERS. We may contact you as a reminder that you have an appointment for treatment or medical services.
TREATMENT ALTERNATIVES. We may contact you to provide information about treatment alternatives or other health-related benefits and services that may be of interest to you.
FUNDRAISING. We may contact you by writing, phone or other means as part of a fundraising effort for the purpose of raising money for one or more of our organizations listed in Appendix A, and you will have the right to opt out of receiving such communications with each solicitation. Please note that we will promptly process your request to be removed from our fundraising list, and we will honor your request unless we have already sent a communication prior to receiving notice of your election to opt out. We may also use and we may disclose to a business associate or to a foundation related to the UnityPoint Health ACE or one of its Affiliates certain health information about you, such as your name, address, phone number, e-mail information, dates you received treatment or services, treating physician, outcome information, and department of service (for example, cardiology or orthopedics), so that we or they may contact you to raise money on our behalf. The money raised will be used to expand and improve the services and programs we provide the community. You are free to opt out of fundraising solicitation, and your decision will have no impact on your treatment or payment for services by any of the entities covered by this Notice.
FACILITY DIRECTORY. While you are an inpatient at any UnityPoint Health hospital, your name, location in the facility, general condition (e.g., fair, serious, etc.) and religious affiliation may be included in a facility directory. This information may be provided to members of the clergy and, except for religious affiliation, to other people who ask for you by name. You have the right to request that your name not be included in the directory. We will not include your information in the facility directory if you object or if we are prohibited by state or federal law.
FAMILY, FRIENDS OR OTHERS. We may disclose your location or general condition to a family member, your personal representative or another person identified by you. If any of these individuals are involved in your care or payment for care, we may also disclose such health information as is directly relevant to their involvement. We will only release this information if you agree, are given the opportunity to object and do not, or if in our professional judgment, it would be in your best interest to allow the person to receive the information or act on your behalf. For example, we may allow a family member to pick up your prescriptions, medical supplies or X-rays. In addition, if you are unavailable, incapacitated or in an emergency situation, we may disclose limited information to these persons if we determine in our professional judgment that we believe it is in your best interest. We may also disclose your information to an entity assisting in disaster relief efforts so that your family or individual responsible for your care may be notified of your location and condition.
REQUIRED BY LAW. We will use and disclose your information as required by federal, state or local law, such as to report child or dependent adult abuse.
PUBLIC HEALTH ACTIVITIES. We may disclose health information about you for public health activities. These activities may include disclosures:
- to a public health authority authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability
- to appropriate authorities authorized to receive reports of child abuse and neglect
- to FDA-regulated entities for purposes of monitoring or reporting the quality, safety or effectiveness of FDA-regulated products
- to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition
- with parent or guardian permission, to send proof of required immunization(s) to a school
ABUSE, NEGLECT OR DOMESTIC VIOLENCE. We may notify the appropriate government authority if we believe an individual has been the victim of abuse, neglect or domestic violence. Unless such disclosure is required by law (for example, to report a particular type of injury), we will only make this disclosure if you agree or in other limited circumstances when such disclosure is authorized by law.
HEALTH OVERSIGHT ACTIVITIES. We may disclose health information to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections and licensure. These activities are necessary for the government to monitor the health care system, government programs and compliance with civil rights laws.
LEGAL PROCEEDINGS. If you are involved in a lawsuit or a dispute, we may disclose health information about you in response to a court or administrative order. We may also disclose health information about you in response to a subpoena, discovery request or other lawful process by someone else involved in the dispute, but only if reasonable efforts have been made to notify you of the request or to obtain an order from the court protecting the information requested.
LAW ENFORCEMENT. We may release certain health information to law enforcement authorities for law enforcement purposes, such as:
- as required by law, including reporting certain wounds and physical injuries
- in response to a court order, subpoena, warrant, summons or similar process
- to identify or locate a suspect, fugitive, material witness or missing person
- about the victim of a crime if we obtain the individual's agreement or, under certain limited circumstances, if we are unable to obtain the individual's agreement
- to alert authorities of a death we believe may be the result of criminal conduct
- information we believe is evidence of criminal conduct occurring on our premises
- in emergency circumstances to report a crime; the location of the crime or victims or the identity, description or location of the person who committed the crime.
We must comply with federal and state laws in making such disclosures for law enforcement purposes.
DECEASED INDIVIDUALS. Following your death, we may disclose health information to a coroner or to a medical examiner as necessary for them to carry out their duties and to funeral directors as authorized by law. In addition, following your death, we may disclose health information to a personal representative (for example, the executor of your estate), and unless you have expressed a contrary preference, we may also release your health information to a family member or other person who acted as a personal representative or was involved in your care or payment for care before your death, if the health information is relevant to such person's involvement in your care or payment for care. We are required to apply safeguards to protect your health information for 50 years following your death.
ORGAN, EYE OR TISSUE DONATION. We may release health information to organ, eye or tissue procurement, transplantation or banking organizations or entities as necessary to facilitate organ, eye or tissue donation and transplantation.
RESEARCH. Under certain circumstances, we may use or disclose your health information for research, subject to certain safeguards. For example, we may disclose information to researchers when their research has been approved by a special committee that has reviewed the research proposal and established protocols to ensure the privacy of your health information. We may disclose health information about you to people preparing to conduct a research project, but the information will stay on site.
THREATS TO HEALTH OR SAFETY. Under certain circumstances, we may use or disclose your health information to prevent a serious and imminent threat to health and safety if we, in good faith, believe the use or disclosure is necessary to prevent or lessen the threat and the disclosure is to a person reasonably able to prevent or lessen the threat (including the target) or is necessary for law enforcement authorities to identify or apprehend an individual involved in a crime.
SPECIALIZED GOVERNMENT FUNCTIONS. We may use and disclose your health information for national security and intelligence activities authorized by law or for protective services of the President. If you are a military member, we may disclose to military authorities under certain circumstances. If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may disclose to the institution, its agents or the law enforcement official your health information necessary for your health and the health and safety of other individuals.
WORKERS' COMPENSATION. We may release health information about you as authorized by law for workers' compensation or similar programs that provide benefits for work-related injuries or illness.
INCIDENTAL USES AND DISCLOSURES. There are certain incidental uses or disclosures of your information that occur while we are providing service to you or conducting our business. For example, after surgery the nurse or doctor may need to use your name to identify family members that may be waiting for you in a waiting area. Other individuals waiting in the same area may hear your name called. We will make reasonable efforts to limit these incidental uses and disclosures.
HEALTH INFORMATION EXCHANGE. We participate in one or more electronic health information exchanges, which permits us to exchange health information about you with other participating providers (for example, doctors and hospitals) and their business associates. For example, we may permit a physician providing care to you to access our records in order to have current information with which to treat you. In all cases, the requesting provider must verify that they have or have had a treatment relationship with you, and, if required by law, we will ask the provider to obtain your consent before accessing your health information through the health information exchange. Participation in a health information exchange also lets us access health information from other participating providers and health plans for our treatment, payment and health care operations purposes. We may in the future allow other parties, for example, public health departments, that participate in the health information exchange, to access your protected health information for their limited uses in compliance with federal and state privacy laws, such as to conduct public health activities.
IOWA HEALTH INFORMATION NETWORK (IHIN). For patients who receive care in the state of Iowa, hospitals and clinics in our UnityPoint Health ACE may elect to participate in the Iowa Health Information Network ("IHIN"), which is the state health information exchange. Iowa law provides that health information, including mental health treatment records and HIV/AIDS testing, may be shared between providers through the IHIN for treatment purposes without patient consent. If you do not want to have your health information shared with providers through the IHIN, you may contact the Iowa Department of Public Health or any of our UnityPoint Health ACE privacy officers to obtain information on how you can opt out of the IHIN.
BUSINESS ASSOCIATES. Some of the activities described above are performed through contracts with outside vendors called business associates. We will disclose your health information to our business associates and allow them to create, use and disclose your health information to perform their services for us. For example, we may disclose your health information to an outside billing company who assists us in billing insurance companies. We require business associates to appropriately safeguard the privacy of your information.
ORGANIZED HEALTH CARE ARRANGEMENT. We offer clinically integrated care settings where patients receive care from Affiliates in the UnityPoint Health ACE and from independent doctors and other practitioners who provide care to patients at facilities in the UnityPoint Health ACE (collectively called "practitioners"). The Affiliates and these practitioners need to share health information freely to provide care to patients and to conduct Affiliates' health care operations. Therefore, the Affiliates and the practitioners have agreed to follow uniform information practices when using or disclosing health information related to inpatient or outpatient hospital services. This arrangement is called an "Organized Health Care Arrangement" and only covers information practices for services rendered through the Affiliates. It does not cover the information practices of the practitioners in their offices or at other care settings. It does not alter the independent status of the Affiliates and the practitioners or make them jointly responsible for the clinical services provided by them. The Affiliate(s) are not responsible for (1) the negligence (or mistakes) of the independent practitioners providing care at the Affiliate(s) or (2) any violations of your privacy rights by the independent practitioners.
USES AND DISCLOSURES REQUIRING YOUR AUTHORIZATION.
There are many uses and disclosures we will make only with your written authorization. These include:
- Uses and Disclosures Not Described Above. We will obtain your authorization for uses and disclosures of your health information that are not described in the Notice above.
- Psychotherapy Note. These are notes made by a mental health professional documenting conversations during private counseling sessions or in joint or group therapy. Many uses or disclosures of psychotherapy notes require your authorization.
- Marketing. We will not use or disclose your protected health information for marketing purposes without your authorization. Moreover, if we will receive any financial remuneration from a third party in connection with marketing, we will tell you that in the authorization form.
- Sale. We will not sell your protected health information to third parties without your authorization. Any such authorization will state that we will receive remuneration in the transaction.
If you provide authorization for the disclosure of your health information, you may revoke it at any time by giving us notice in accordance with our authorization policy and the instructions in our authorization form. Your revocation will not be effective for uses and disclosures made in reliance on your prior authorization.
ACCESS TO HEALTH INFORMATION. You may inspect and copy much of the health information we maintain about you, with some exceptions. If we maintain the information electronically and you ask for an electronic copy, we will provide the information to you in the form and format you requested, assuming it is readily producible. If we cannot readily produce the record in the form and format you request, we will produce it another readable electronic form we agree to. We may charge a cost-based fee for producing copies or, if you request one, a summary. If you direct us to transmit your health information to another person, we will do so, provided your signed, written direction clearly designates the recipient and location for delivery. We may charge a fee for the costs of copying, mailing, and other supplies or work associated with your request. We will respond to your requests to exercise any of the above rights on a timely basis in accordance with our policies and as required by law.
REQUEST FOR RESTRICTIONS. You have the right to request a restriction or limitation on the health information we use or disclose about you for treatment, payment or health care operations or to persons involved in your care or payment for your care. We are not required to agree to your request, with one exception explained in the next paragraph, but we will let you know whether we have agreed to your request.
We are required to agree to your request that we not disclose certain health information to your health plan for payment or health care operations purposes if (1) you pay out-of-pocket in full for all expenses related to that service either at the time of service or within timeframes specified by our written policies and (2) the disclosure is not otherwise required by law. Such a restriction will only apply to records that relate solely to the service for which you have paid in full. If we later receive an authorization from you dated after the date of your requested restriction which authorizes us to disclose all of your records to your health plan, we will assume you have withdrawn your request for restriction.
Several different covered entities listed at the start of this Notice use this Notice, including the entities listed in Attachment A that are a single covered entity known as the UnityPoint Health Affiliated Covered Entity (or UnityPoint Health ACE"), as well as physicians and other health care practitioners with permission to provide services at our sites who are independent of any UnityPoint Health Affiliate. You must make a separate request to each covered entity from whom you will receive services that are involved in your request for any type of restriction. Contact the UnityPoint Health ACE or Affiliate Privacy Officer at the contact information listed below if you have questions regarding which providers will be involved in your care.
AMENDMENT. You may request that we amend certain health information that we keep in your records if you believe that it is incorrect or incomplete. We may require you to give a reason to support your request. We are not required to make all requested amendments, but will give each request careful consideration. If we deny your request, we will provide you with a written explanation of the reasons and your rights.
ACCOUNTING. You have the right to receive a list of certain disclosures of your health information made by us or our business associates. You must state a time period for your request, which may not be longer than six years. The first list in any 12-month period will be provided to you for free; you may be charged a fee for each subsequent list you request within the same 12-month period. Your right to an accounting of disclosures does not include disclosures for treatment, payment or health care operations and certain other types of disclosures, for example, as part of a facility directory or disclosure in accordance with your authorization. Requests must be in writing. You may contact the Privacy Officer to obtain a form to request an accounting of disclosures.
CONFIDENTIAL COMMUNICATIONS. You have the right to request that we communicate with you about your health information in a different way or at a different place. We will agree to your request if it is reasonable and specifies the alternate means or location to contact you.
NOTICE IN THE CASE OF BREACH. You have the right to receive notice of an access, acquisition, use or disclosure of your health information that is not permitted by HIPAA, if such access, acquisition, use or disclosure compromises the security or privacy of your PHI (we refer to this as a breach). We will provide such notice to you without unreasonable delay but in no case later than 60 days after we discover the breach.
HOW TO EXERCISE THESE RIGHTS. All requests to exercise these rights must be in writing. We will follow written polices to handle requests and notify you of our decision or actions and your rights. Contact the Privacy Officer at 319-369-7211 located at 1026 A Ave NE, Cedar Rapids, IA 52402 for more information or to obtain request forms.
COMPLAINTS. If you have concerns about any of our privacy practices or believe that your privacy rights have been violated, you may file a complaint with the UnityPoint Health ACE using the contact information at the end of this Notice. You may also submit a written complaint to the U.S. Department of Health and Human Services. You will not be penalized or retaliated against for filing a complaint.
WHO WILL FOLLOW THESE PRIVACY PRACTICES?
The health care organizations that are a part of UnityPoint Health have collectively formed an Affiliated Covered Entity or "ACE" under the HIPAA regulations for purposes of HIPAA compliance. A full list of organizations in the UnityPoint Health ACE, called "Affiliates" are listed in Attachment A to this Notice. Our rules to protect your privacy will be followed by all workforce members of the site where you are being treated, as well as physicians and other health care practitioners with permission to provide services at our sites who are independent of any UnityPoint Health Affiliate (together called "the UnityPoint Health ACE" in this Notice).
WHAT HEALTH INFORMATION IS COVERED UNDER THIS NOTICE?
This Notice covers health information at the UnityPoint Health ACE that may be written (such as a hard copy medical record file), spoken (such as physicians discussing treatment options), or electronic (such as billing records kept on a computer).
HOW CAN WE USE YOUR HEALTH INFORMATION?
The law allows the UnityPoint Health ACE to use or share your health information for routine activities without requiring your permission, such as:
- For treatment
- For payment
- To run the hospital or physician group
- For appointment reminders and communications
The law also allows the UnityPoint Health ACE to use and share Health information without your permission for other limited reasons, including:
- Public health activities
- Some research activities
- Health and safety reasons
- Organ and tissue donation requests
- Workers' compensation requests
- Law enforcement requests
- Some fundraising activities
- Uses and sharing permitted or required by law
WHAT ACTIVITIES REQUIRE YOUR WRITTEN PERMISSION?
If the UnityPoint Health ACE needs to use or disclose your health information for other purposes not described in this frequently asked questions guide or the attached full Notice of Privacy Practices, we must ask for your written authorization.
WHAT ACTIVITIES DO YOU HAVE A RIGHT TO OBJECT TO?
In many circumstances, you may have the right to object before we do the following:
- Share information with your family members, friends or others involved in your care
WHAT ARE MY PRIVACY RIGHTS AS A PATIENT?
You have the right to:
- Get a copy of your medical and billing records. If we maintain your records electronically, we will provide you with an electronic copy of your records when you request one.
- Ask us to change your medical and billing records if you think there is a mistake.
- Request a preferred method of contact (for example, having calls go to your cell phone rather than to your home or work).
- Get a list of certain health information shared for reasons other than treatment, billing or our health care operations with other persons or organizations.
- Receive a paper copy of our Notice of Privacy Practices. This is your copy of the Notice. If you would like an additional copy, you may request one at any UnityPoint Health Affiliate registration desk.
- Ask us to limit the information we share. (Note that we may not be able to grant requests beyond what the law requires.)
- Request that we not share your health information with your health plan for payment or health care operations purposes, if you pay out- of-pocket in full for all expenses related to that service as specified by our policies and the disclosure is not otherwise required by law.
- Complain in writing to us if you believe your privacy rights have been violated.
ABOUT THIS NOTICE
We are required to follow the terms of the Notice currently in effect. We reserve the right to change our practices and the terms of this Notice and to make the new practices and notice provisions effective for all health information that we maintain. Before we make such changes effective, we will make available the revised Notice by posting it in physical locations where we deliver care, where copies will also be available. The revised Notice will also be posted on our website at www.unitypoint.org. You are entitled to receive this Notice in written form at any time. Please contact the Privacy Officer at the address listed below to obtain a written copy.
Questions. If you have questions about this Notice, please contact the Privacy Officer at 319-369-7211 located at 1026 A Ave NE, Cedar Rapids, IA 52402.
You may also contact the Privacy Officer for UnityPoint Health by sending written communications to: Privacy Officer, UnityPoint Health, 1776 West Lakes Parkway Suite 400, West Des Moines, IA 50266 or calling (515) 241-4652.
EFFECTIVE DATE OF NOTICE: June 1, 2013.
APPENDIX A: LIST OF PROVIDERS COVERED UNDER THIS NOTICE OF PRIVACY PRACTICES
ALLEN HEALTH SYSTEMS, INC.
- Allen Memorial Hospital Corporation
CENTRAL IOWA HEALTH SYSTEM Central Iowa Hospital Corporation, d/b/a:
- UnityPoint Health - Des Moines
- Iowa Lutheran Hospital
- Iowa Methodist Medical Center
- Blank Children's Hospital
- Methodist West Hospital
- John Stoddard Cancer Center
- Blank Health Providers
FINLEY TRI-STATES HEALTH GROUP, INC.
- The Finley Hospital
- The Dubuque Visiting Nurse Association
GRUNDY COUNTY MEMORIAL HOSPITAL
GUTTENBERG MUNICIPAL HOSPITAL
IOWA PHYSICIANS CLINIC MEDICAL FOUNDATION D/B/A
IOWA HEALTH SYSTEM D/B/A UNITYPOINT HEALTH
ST. LUKE'S HEALTHCARE
- St. Luke's Methodist Hospital
- St. Luke's/Jones Regional Medical Center d/b/a Jones Regional
- Cardiologists, L.C., d/b/a UnityPoint Cardiology
- Continuing Care Hospital at St. Luke's L.C.
- Anamosa Area Ambulance Service
- Medical Laboratories of Eastern Iowa, Inc.
ST. LUKE'S HEALTH SYSTEM, INC.
- Northwest Iowa Hospital Corporation, d/b/a St. Luke's Regional
Medical Center of Sioux City
- St. Luke's Health Resources, d/b/a UnityPoint Clinic
- Siouxland Pace, Inc.
TRINITY HEALTH SYSTEMS, INC.
- Trinity Regional Medical Center
- Trimark Physicians Group
- North Central Iowa Mental Health Center, Inc. d/b/a Berryhill Center
TRINITY REGIONAL HEALTH SYSTEM
- Trinity Medical Center
- Robert Young Center
- Trinity Health Enterprises, Inc.
- Unity HealthCare, d/b/a Trinity Muscatine
UNITYPOINT AT HOME D/B/A:
- Cass County Public Health
- Grundy County Public Health
- Paula J. Baber Hospice Home (IPU)
- Taylor House (IPU)
- UnityPoint Hospice