This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. Effective date: 4.2003 Revised: 10.2020
CHI Mercy Health is a member of CommonSpirit Health, a large health system including Catholic Health Initiatives providers and Dignity Health providers across 21 states. All members of CommonSpirit Health participate in an Organized Health Care Arrangement (the CommonSpirit Health OHCA), so they can share health information within CommonSpirit Health for treatment, payment, and joint health care operations activities. Those joint operations activities may include quality improvement, risk management, financial and billing services, and health information exchanges. You can find a list of all the members of the OHCA here: https://home.catholichealth.net/go/OHCAlisting
Each CommonSpirit Health hospital, clinic, or health care service provider also will share health information with the doctors and many other health care providers who care for patients at the facility.
This notice uses the words “protected health information (PHI)” or “health information.” Those words are defined in the HIPAA regulations. In simple terms, your “protected health information” is information about you and your healthcare that we use and disclose for your treatment and payment for your care, and for our healthcare operational purposes. It includes basic identifying information like your name, address, age, race, phone number, as well as information in your medical records and billing records. PHI can be oral, or in paper or electronic formats.
WHO MUST FOLLOW THIS NOTICE?
We provide you, the patient, with health care by working with doctors and many other health care providers (referred to as we, our or us). This is a joint notice of our information privacy practices. The following people or groups will follow this notice:
- all CommonSpirit Health members, including hospitals, clinics, home health agencies, outpatient services, mobile units, hospice agencies, skilled nursing facilities, etc.
- any health care provider who comes to our locations to care for you. These professionals include doctors, nurses, technicians, physician assistants and others.
- all departments and units of our organization, including skilled nursing, home health, clinics, outpatient services, mobile units, hospice, rehab facilities, and emergency departments.
- our employees, students and volunteers, including those at regional support
- offices and affiliates.
OUR PLEDGE TO YOU
We understand that your protected health information is private and personal. We are committed to protecting it. Hospitals, clinics, doctors, home health and hospice staff, and other staff members make a record each time you visit. This notice applies to all the records of your care at the facility, whether created by staff members or your doctor. Your doctor and other health care providers may have different practices or notices about their use and sharing of protected health information in their own offices or clinics that are not affiliated with CommonSpirit Health. We will gladly explain this notice to you or your family member.
We are required by law to:
- keep your protected health information private.
- give you this notice describing our legal duties and privacy practices for your protected health information.
- notify you as outlined in state and federal law if a breach of your unsecured protected health information has occurred.
- follow the terms of the notice that is currently in effect. 8550116 (11/20)
HOW WE MAY USE AND SHARE YOUR PROTECTED HEALTH INFORMATION
This section of our notice tells how we may use and share your protected health information, including sharing electronically. In situations not covered by this notice or otherwise allowed by law and regulation, we will get a separate written permission from you before we use or share your protected health information. You can later cancel your permission by notifying us in writing.
We will protect your protected health information as much as we can under the law. Sometimes state law gives more protection to your information than federal law.
Sometimes federal law gives more protection than state law. In each case, we will apply the laws that protect your information the most.
Treatment: We will use and share your protected health information, both internally and externally, to provide you with health care treatment and to coordinate or manage your treatment with other health care providers. An example is sending medical information about you to your doctor or to a specialist as part of a referral. We may also share your information with other types of health care providers after you leave our facility, such as pharmacies, home health agencies, specialty hospitals, or long-term care facilities.
Payment: We will use and share your protected health information so we can be paid for treating you. An example is giving information about you to your health plan or to Medicare. We may also need to give information to your health plan to get approval for certain services or to find out if your plan will pay for certain treatment. We may also share your health information with other health care providers involved in your healthcare, such as your personal physician, anesthesiologist, ambulance services, so that they may receive payment for their services. We may also give your healthcare information to individuals who are responsible for payment for your health care, such as the named insured on your health insurance policy. For example, the person named may receive a copy of an explanation of benefits (EOB) related to your care.
Health Care Operations: We will use and share your medical information for our health care operations. A few examples are using information about you for:
- improving the quality of care we give you.
- disease management, wellness management, or population health programs.
- patient surveys.
- training students.
- business planning and administration.
- resolving patient complaints.
- getting or keeping our accreditation.
- compliance and legal services.
We may also share your protected health information with people or companies (called business associates) we use to help us with our operations.
Family Members, Personal Representatives, and Others Involved in Your Care: Unless you tell us otherwise, we may share your protected health information with your friends, family members, or others you have named who help with your care or who can make decisions on your behalf about your health care. Also, if you cannot agree due to an emergency, we may share needed protected health information about you with your family or friends who are involved in your care, based on professional judgment of what is in your best interest. In rare instances, even without your permission, we may share your information with others if the physician or health care provider feels it is in your best interest.
Electronic Sharing and Pooling of Your Information: We may take part in or make possible the electronic sharing or pooling of healthcare information. The most common way we do this is through local or regional health information exchanges (HIEs). Two other types of HIEs we participate in are described in the next two sections. HIEs help doctors, hospitals and other healthcare providers within a geographic area or community provide quality care to you. If you travel and need medical treatment, HIEs allow other doctors or hospitals to electronically contact us about you. All of this helps us manage your care when more than one doctor is involved. It also helps us to keep your health bills lower (avoid repeating lab tests). And finally, it helps us to improve the overall quality of care provided to you and others. We are involved in national health reform efforts and may use and share information as permitted to achieve regional or national goals, including regional or nationally approved population health management or wellness initiatives.
CommonSpirit Health’s Health Information Exchange: As a member of the CommonSpirit Health OHCA, this facility participates in the CommonSpirit Health Health Information Exchange (HIE). Your health information is stored electronically, and doctors employed by, or associated with CommonSpirit Health OHCA members may use and share your health information for treatment, payment, and health care operations.
State-Based Health Information Exchange. This facility may participate in statewide internet-based HIE. As permitted by law, your health information will be shared through the HIE to provide faster access, better coordination of care and to assist healthcare providers, health plans, and public health officials in making more informed decisions. To opt in or out of the HIE, you must notify the HIE yourself. To obtain the HIE contact information, please visit: https://www. catholichealthinitiatives.org or contact the facility privacy officer.
Facility Directory: The directory is available so your family, friends, and clergy can visit you and know how you are doing. Unless you tell us otherwise, we may list your name, location in the hospital, your general condition (good, fair, etc.) and your religion in our directory. We will give this information (except your religion) to anyone outside the organization who asks about you by name. An example is telling your hospital room number to a florist who is delivering flowers to you. Your religion will be given only to appropriate clergy members. If you do not want your name in the directory, please tell the registration personnel. If your name is not in the directory, we cannot tell members of the public or even your family or friends that you are in our facility.
Fund-raising Activities: We may use limited information to contact you for fundraising. We may also share such information with our fundraising foundations. You may choose to opt out of receiving fund-raising requests if you are contacted.
Research: We may use and share your protected health information for research projects, such as studying the effectiveness of a treatment you received. We will usually get your written permission to use or share your information for research. Under certain circumstances, we may share your protected health information without your written permission. These research projects, however, will be approved by a special committee that protects the confidentiality of your medical information.
Organ and Tissue Donation: We may share your protected health information with organizations that handle organ, eye or tissue donation or transplantation.
Appointment Reminders: We may contact you by phone, email or text messaging with appointment reminders.
Internet Based Products and Services: Working with third parties, we may share your health information so we can offer you internet-based products or services. Using the products or services, you can:
- schedule appointments.
- reduce wait times in our emergency rooms.
- find a physician or get access to your medical information through a portal.
Treatment Options and Health-Related Benefits and Services: We may contact you about possible treatment options, health-related benefits or services that we offer.
Health Education and Health Programs: We may send you newsletters or brochures or contact you about health- related information, disease management programs, wellness programs, or other local programs that you might want.
INFORMATION SHARING THAT IS REQUIRED OR PERMITTED BY LAW
We are required or permitted by federal, state, or local law to report or share your health information for various purposes. Some of these required or permitted purposes are:
Public Health Activities: We may share your protected health information as required or permitted by law to public health authorities or government agencies whose official activities include preventing or controlling disease, injury, or disability. For example, we must report certain information about births, deaths, and various diseases to government agencies. We may use your health information in order to report to monitoring agencies any reactions to medications or problems with medical devices. We may also share, when requested, your protected health information with public health agencies that track opioid usage, contagious diseases or that are involved with preventing epidemics.
Required by Law: We are sometimes required by law to report certain information. For example, we must report child and elder abuse and neglect, and in some states, spouse abuse or neglect. We are required to report certain types of injuries, such as injuries caused by firearms. We also must give information to your employer about work-related illness, injury or workplace-related medical surveillance. Another example is that we must share information about tumors with state tumor registries.
Public Safety: We may, and sometimes must, share your health information in order to prevent or lessen a serious threat to you or to the health or safety of a particular person or the general public.
Health Oversight Activities: We may share your health information with a health oversight agency when allowed by law for health oversight activities. Health oversight agencies include the agencies that run Medicare and Medicaid, and state medical or nursing licensing boards. Health oversight activities include audits, investigations, or inspections. The activities are necessary so the government can monitor health care treatment and spending, government programs and also compliance with civil rights laws.
Coroners, Medical Examiners and Funeral Directors: We may share health information about deceased patients with coroners, medical examiners and funeral directors to identify a deceased person, determine the cause of death, or other duties as permitted.
Military, Veterans, National Security and Other Government Agencies: We may use or share your health information for national security purposes, intelligence activities or for protective services for the President or certain other persons as allowed by law. We may share your health information with the military for military command purposes when you are a member of the armed forces. We may share medical information with the Secretary of the Department of Health and Human Services for investigating or determining our compliance with HIPAA.
Judicial or Administrative Proceedings: We may use or share your health information in response to court orders or subpoenas only when we have followed procedures required by law.
Law Enforcement: We may share your health information if law enforcement officials ask us to or if we have a legal obligation to notify the appropriate law enforcement or other agencies:
- in response to a court order, subpoena, warrant, summons or similar legal process.
- regarding a victim or death of a victim of a crime in limited circumstances.
- in emergency circumstances to report a crime, the location or victims of a crime, or the identity, description or location of a person who is alleged to have committed a crime, including crimes that may occur at our facility, such as theft, drug diversion, or attempts to obtain drugs illegally.
Disaster Relief Purposes: We may use or share your health information with public or private disaster organizations, like the American Red Cross, so that your family can be told of your location and condition in case of disaster or emergency. We may also use it to help in coordination of disaster relief efforts.
Workers’ Compensation: We may share your health information for workers’ compensation benefits or similar programs that provide benefits for work-related injuries or illnesses if you tell us that workers’ compensation is the payer for your visit(s). Your employer or workers’ compensation carrier may request the entire medical record for your workers’ compensation claim. This medical record may include details regarding your health history, current medications you are taking, and treatments.
Inmates: If you are an inmate of a correctional institution or in the custody of a law enforcement official, we may share your health information with the institution or law enforcement official. We may do this for the institution to provide you with health care, to protect your health and safety or the health and safety of others, or for the safety and security of the correctional institution.
OTHER USES AND DISCLOSURES OF YOUR HEALTH INFORMATION
Apart from what we say in this Notice, we will not use or share your health information unless we get your written permission. Under HIPAA, this permission is called an “authorization.” If you give us written permission to use or disclose your health information, you may revoke (take back) that permission in writing at any time. If you revoke your permission, we will no longer use or disclose your health information for the purpose involved. However, we cannot retrieve any disclosures that we already made based on your prior permission.
We will get your written permission to use and disclose your health information for these specific purposes when required by law:
Marketing: Marketing means to make a communication about a product or service that you may be interested in buying. If we send a marketing communication to you about a non-CommonSpirit Health service or product, or if we receive payment from a third party in order for us to promote a product or service to you, then we are required to get your written permission before we can use or disclose your health information.
We are not required to get your written permission to talk with you in person or send you information about the following:
- health care treatment options.
- health-related products and services that are provided by CommonSpirit Health.
- case management or care coordination services.
- recommended alternative treatments, therapies, providers, or settings of care.
- samples or promotional gifts of nominal value.
You have the right to revoke (take back) your marketing permission and we will honor the revocation. To find out who to contact for opting out of these communications, please contact the Privacy Officer.
Psychotherapy Notes: Psychotherapy notes are special notes by a mental health professional that document or analyze the contents of a conversation during a private counseling session or a group, joint, or family counseling session. Psychotherapy notes are kept separate from the rest of your health information, and they may not be used or disclosed without your written permission, except as may be required by law.
Sensitive Medical Information: We may obtain a written permission from you, when required by state and federal laws, to use or share sensitive medical information, such as mental health, substance abuse, or genetic testing information.
Sale of Health Information: We will obtain your authorization for any disclosure of your health information if we directly or indirectly receive remuneration (money or other valuable things) in exchange for the health information.
THIS NOTICE DOES NOT APPLY TO THE FOLLOWING HEALTH RELATED ACTIVITIES
Some activities may not be covered by this notice and are referred to as Hybrid activities under HIPAA. If you seek services at our wellness or health fairs, for occupational health services, employee health related services, research activities conducted by academic institutions after your information has been legitimately sent to them, or direct access lab services, this notice and HIPAA do not apply.
YOUR RIGHTS REGARDING YOUR HEALTH INFORMATION
Your rights are listed below. Some of the rights require a written request form. You can get the appropriate written request form from the departments outlined below.
Requesting Your Information (Access or Copy): In most cases, when you ask in writing, you can look at or get a copy of your protected health information in your medical records or applicable parts of your billing record in paper or electronic format. You may also request that we send electronic copies directly to a person or entity chosen by you. We will give you a form to fill out to make the request. You can look at medical information about you for free. If you request paper or electronic copies of the information, we may charge a fee to cover the cost of copying, mailing, and supplies. To request a copy of your information, contact the Medical Records/ Health Information Management department or physician practice administrator for the hospital, clinic, or facility.
If we say no to your request to look at the information or get a copy of it, we will tell you why in writing. Also, you may ask us in writing to review that decision. A health care professional will review your request and the decision. The person who makes the review will not be the same person who said no to your request. We will follow the outcome of the review.
Correcting Your Information (Amendment): If you believe that information about you is wrong or not complete, you can ask us in writing to correct the records (make an amendment). We will give you a form to fill out to make the request. We may say no to your request to correct a record if the information was not created or kept by us or if we believe the record is complete and correct. If we say no to your request, you can ask us in writing to review that denial.
Obtaining a List of Certain Disclosures (Accounting of Disclosures): You can ask to receive a list of certain disclosures we have made of your protected health information during the last six years. To get the list, ask for the Accounting of Disclosures Form from the Medical Records/Health Information Management department or the Privacy Officer. Your request must be in writing and state the time period (up to six years) for the listing. The first request in a 12-month period is free. We will charge you for any additional requests for our cost of producing the list. We will give you an estimate of the cost when you request the additional list.
Right to Ask for Confidential Communications: You have the right to ask us to communicate with you about health care matters in a certain way or at a certain address. For example, you can ask that we only contact you at a different location from your home address, such as work, or only contact you by mail instead of by phone. Your request must tell how or where you want to be contacted. We do not require a reason. We will agree to all reasonable requests.
Right to Ask for a Restriction: You can ask in writing that we limit our use or sharing of your protected health information for treatment, payment and operational purposes. We are not required to agree to most requests. Any time you make a written request, we will consider the request and tell you in writing of our decision to accept or deny your request. We are legally required to agree to only one type of restriction request: if you have paid us in full for a health procedure or item for which we would normally bill your health plan, we must agree to your request not to share information about that procedure or item with your health plan. For example, if you saw a counselor and paid in full for the services rather than submitting the expenses to your health plan, you may ask that your health information related to the counseling not be shared with your health plan.
Right to Receive Notice of a Privacy Breach: We will tell you if we discover a breach of your health information. Breach means that your health information was disclosed or shared in an unintended way and there is more than a low probability that it has been compromised. The notice will tell you about the breach, about steps we have taken to lessen any possible harm from the breach, and actions that you may need to take in response to the breach.
Right to a Paper Copy of This Notice: You have the right to a paper copy of this notice. If you have received this notice electronically, you still can have a paper copy of this notice. You may ask us to give you a copy of this notice at any time.
To ask questions about any of these rights, or to obtain a paper copy of this notice, contact the Privacy Officer. You may also obtain a copy of this notice at our website.
CHANGES TO THIS NOTICE
We may change our privacy practices from time to time. Changes will apply to current medical information, as well as new information after the change occurs. If we make an important change, we will change this notice. We will also post the new notice in our facilities and on our website. You can ask in writing for a copy of this notice at any time by contacting the facility’s Privacy Officer. If our notice has materially changed, we will give you a copy of the notice the next time you register for treatment.
DO YOU HAVE CONCERNS OR COMPLAINTS?
If you think your privacy rights may have been violated, you may contact us at PrivacyOffice@CommonSpirit.org, or call 1-800-845-4310, or contact the facility’s Privacy Officer. You may also send a written complaint to the U.S. Department of Health and Human Services, Office of Civil Rights at OCRComplaint@hhs.gov or Centralized Case Management Operations, U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Room 509F HHH Bldg., Washington, D.C. 20201. We will not take any action against you or change our treatment of you for filing a complaint.
CommonSpirit Health Division Privacy Officer, NW