Notice of HIPAA Privacy Practices
We are legally required to protect the privacy of health information that may reveal your identity. This information is commonly referred to as "protected health information," or "PHI" for short. It includes information that can be used to identify you that we have created or received about your past, present or future health or condition, the provision of health care to you, or the payment of this health care. We must provide you with this notice about our privacy practices that explains how, when and why we use and disclose your PHI.
With some exceptions, we may not use or disclose any more of your PHI than is necessary to accomplish the purpose of the use or disclosure. We are legally required to follow the privacy practices that are described in this notice.
Please note, however, that special privacy protections apply to HIV/AIDS related information, alcohol and substance abuse treatment information, mental health information and genetic information, which are not set forth in this Notice. These protections will be described in separate notices. To request copies of these notices, please contact the person listed in Section V.
We reserve the right to change the terms of this notice and our privacy policies at any time. Any changes will apply to the PHI we already have. Before we make an important change to our policies, we will promptly change this notice and post a new notice. You can also request a copy of this notice at any time from the contact person listed in Section V, by calling our office, at your next visit, or you can view a copy of the notice on our Web site at http://www.suny.edu.
This notice is effective as of April 14, 2003
How We May Use and Disclose Your Protected Health Information
We use and disclose health information for many different reasons. For some of these uses or disclosures, we need your prior consent or specific authorization. Below we describe the different categories of our uses and disclosures and give you some examples of each category.
During your intake, prior to receiving any health care services, you will be asked to sign a statement permitting SUNY and its medical staff to release your health information for purposes of Treatment, Payment and Health Care Operations. A description of each of these uses is described as follows.
- Uses and Disclosures Relating to Treatment, Payment or Health Care Operations. We may use and disclose your PHI for the following reasons:
- For treatment. We may disclose your PHI to physicians, nurses, medical students, and other health care personnel who provide you with health care services or are involved in your care. For example, if you're being treated for a knee injury, we may disclose your PHI to the physical therapy department in order to coordinate your care.
- To obtain payment for treatment. We may use and disclose your PHI in order to bill and collect payment for the treatment and services provided to you. For example, we may provide portions of your PHI to our billing department and your health plan to get paid for the health care services we provided to you. We may also provide your PHI to our business associates, such as billing companies, claims processing companies and others that process our health care claims or provide services on our behalf, or provide services directly to you.
- For health care operations. We may disclose your PHI in order to operate our health care delivery system. For example, we may use your PHI in order to evaluate the quality of health care services that you received or to evaluate the performance of the health care professionals who provided health care services to you. We may also provide your PHI to our accountants, attorneys, consultants and other in order to make sure we're complying with the laws that affect us. To the extent we are required to disclose your PHI to contractors, agents and other business associates who need the information in order to assist us with obtaining payment or carrying our out business operations, we will have a written contract to ensure that our business associate also protects the privacy of your PHI.
- Other Uses And Disclosures That Do Not Require Your Consent. We may use and disclose your PHI without your consent or authorization for the following reasons:
- When a disclosure is required by federal, state or local law, judicial or administrative proceedings or law enforcement. For example, we make disclosures when a law requires that we report information to government agencies and law enforcement personnel about victims of abuse, neglect or domestic violence; when dealing with gunshot and other wounds; or when ordered in a judicial or administrative proceeding.
- For public health activities. For example, we report information about births, deaths and various diseases to governmental official in charge of collecting that information.
- Victims of Abuse, Neglect or Domestic Violence. We may release your PHI to a public health authority that is authorized to receive reports of abuse, neglect or domestic violence. For example, we may report your information to government officials if we reasonably believe that you have been a victim of abuse, neglect or domestic violence. We will may every effort to obtain your permission before releasing this information, but in some cases we may be required or authorized to act without your permission.
- For health oversight activities. For example, we will provide information to assist the government when it conducts an investigation or inspection of a health care provider or organization.
- Emergency Situations. We may use or disclose your PHI if you need emergency treatment, but we are unable to obtain your consent. If this happens, we will try to obtain your consent as soon as we reasonably can after we treat you.
- Communication Barriers. We may use or disclose your PHI if we are unable to obtain your consent because of substantial communication barriers, and we believe you would want us to treat you if we could communicate with you.
- Product Monitoring, Repair and Recall. We may disclose your information to a person or company that is required by the Food and Drug Administration to: (1) report or track product defects or problems; (2) repair, replace or recall defective or dangerous products; or (3) monitor the performance of a product after it has been approved for use by the general public.
- Lawsuits and Disputes. We may disclose your PHI if we are ordered to do so by a court or administrative tribunal that is handling a lawsuit or other dispute.
- Law Enforcement.We may disclose your PHI to law enforcement officials for any of the following reasons:
- To comply with court orders or laws that we are required to follow;
- To assist law enforcement officers with identifying or locating a suspect, fugitive, witness or missing person;
- If you have been the victim of a crime and we determine that: (1) we have been unable to obtain your consent because of any emergency or your incapacity; (2) law enforcement officials need the information immediately to carry out their law enforcement duties; and (3) in our professional judgement disclosure to these officers is in your best interests;
- If we suspect a patient's death resulted from criminal conduct;
- If necessary to report a crime that occurred on our property; or
- If necessary to report a crime discovered during an off-site medical emergency (for example, by emergency medical technicians at the scene of a crime).
- Military and Veterans. If you are in the Armed Forces, we may disclose your PHI to appropriate military command authorities for activities they deem necessary to carry out their military mission. We may also release health information about foreign military personnel to the appropriate foreign military authority.
- Inmates and Correctional Institutions. If you are an inmate or you are detained by a law enforcement officer, we may disclose your PHI to the prison officers or law enforcement officers if necessary to provide you with health care, or to maintain safety, security and good order at the place where you are confined. This includes sharing information that is necessary to protect the health and safety of other inmates or persons involved in supervising or transporting inmates.
- Coroners, Medical Examiners and Funeral Directors. In the unfortunate event of your death, we may disclose your PHI to a coroner or medical examiner. This may be necessary, for example, to determine the cause of death. We may also release this information to funeral directors as necessary to carry out their duties.
- For purposes of organ donation. We may notify organ procurement organizations to assist them in organ, eye or tissue donation and transplants.
- For research purposes. In most cases, we will ask for your written authorization before using your PHI for research purposes. However, in certain, limited, circumstances, we may use and disclose your PHI without consent or authorization if we obtain approval through a special process to ensure that such research poses little risk to your privacy. In any case, we would never allow researchers to use or name or identity publicly. We may also release your health information without your written authorization to people who are preparing for a future research project, so long as no personally identifiable information leave our facility.
- To avoid harm. In order to avoid a serious threat to the health or safety of a person or the public, we may provide PHI to law enforcement personnel or persons able to prevent or lessen such harm.
- For specific government functions. We may disclose PHI of military personnel and veterans in certain situations. And we may disclose PHI for national security purposes, such as protecting the president of the United States or conducting intelligence operations.
- For workers' compensation purposes. We may provide PHI in order to comply with workers' compensation laws.
- Appointment reminders and health-related benefits or services. We may use PHI to provide appointment reminders or give you information about treatment alternatives or other health care services or benefits we offer and/or provide.
- Fundraising activities. We may use PHI to raise funds for our organization. The money raised through these activities is used to expand and support the health care services and educational programs we provide to the community. If you do not wish to be contacted as part of our fundraising efforts, please contact the person listed in section V below.
- Deidentified Information. We may also disclosure your PHI if it has been deidentified or unable for anyone to connect back to you. This might occur if you are participating in a research project.
- Incidental Disclosures. While we will take reasonable steps to safeguard the privacy of your PHI, certain disclosures of your PHI may occur during, or as an unavoidable result of our otherwise permissible uses or disclosures of your health information. For example, during the course of a treatment session, other patients in the treatment area may see, or overhear discussion of, your PHI.
- Two Uses and Disclosures Require You to Have the Opportunity to Object.
- Patient directories. We may include your name, location in our facility, general condition and religious affiliation, in our patient directory for use by clergy and visitors who ask for you by name, unless you object in whole or in part. The opportunity to consent may be obtained retroactively in emergency situations.
- Disclosures to family, friends or others. We may provide your PHI to a family member, friend or other person that you indicate is involved in your care or the payment for your health care, unless you object in whole or part. The opportunity to consent may be obtained retroactively in emergency situations.
- All Other Uses and Disclosures Require Your Prior Written Authorization. In any other situation not described in section IIA, B and C above, we will ask for your written authorization before using or disclosing any of your PHI. If you choose to sign an authorization to disclose your PHI, you can later revoke that authorization in writing to stop any future uses and disclosures (to the extent that we have not taken any actions relying on the authorization).
What Rights You Have Regarding Your PHI
You have the following rights with respect to your PHI:
- The Right to Request Limits on Uses and Disclosures of Your PHI. You have the right to ask that we limit how we use and disclose your PHI. We will consider your request, but are not legally required to accept it. If we accept your request, we will put any limits in writing and abide by them except in emergency situations. You may not limit the uses and disclosures that we are legally required or allowed to make.
- The Right to Choose How We Send PHI to You. You have the right to ask that we send information to you at an alternate address or by alternate means. We must agree to your request so long as we can easily provide it to the location and in the format you request.
- The Right to See and Get Copies of Your PHI.In most cases, you have the right to look at or get copies of your PHI that we have, but you must make the request in writing. If we don't have your PHI but we know who does, we will tell you how to get it. We will respond to you within 30 days after receiving your written request. In certain situations, we may deny your request. If we do, we will tell you, in writing, our reasons for the denial and explain your right to have the denial reviewed.
If you request copies of your PHI, we will charge you a fee for each page. Instead of providing the PHI you requested, we may provide you with a summary or explanation of the PHI as long as you agree to that and to the associated cost in advance.
The Right to Get a List of the Disclosures We Have Made. You have the right to get a list of instances in which we have disclosed your PHI. The list will not include uses or disclosures that you have already been informed of, such as those made for treatment, payment or health care operations, directly to you, to your family, or in our facility directory. The list also won't include uses and disclosures made for national security purposes, to corrections or law enforcement personnel or before April 14, 2003.
Your request must state a time period for the disclosures you want us to include. We will respond within 60 days of receiving your request. The list we will give you will include disclosures made in the last six years (with the oldest date being April 14, 2003) unless you request a shorter time. The list will include the date of the disclosure, to whom PHI was disclosed (including their address, if known), a description of the information disclosed and the reason for the disclosure. We will provide the list to you at no charge, but if you make more than one request in the same calendar year, we will charge you for each additional request.
The Right to Correct or Update Your PHI. If you believe that there is a mistake in your PHI or that a piece of important information is missing, you have the right to request that we correct the existing information or add the missing information. You must provide the request and your reason for the request in writing. We will respond within 60 days of receiving your request. We may deny your request in writing if the PHI is (i) correct and complete, (ii) not created by us, (iii) not allowed to be disclosed, or (iv) not part of our records. Our written denial will state the reasons for the denial and explain your right to file a written statement of disagreement with the denial. If you don't file one, you have the right to request that your request and our denial be attached to all future disclosures of you PHI. If we approve your request, we will make the change to your PHI, tell you that we have done it and tell others that need to know about the change to your PHI.
- The Right to Get This Notice by E-Mail. You have the right to get a copy of this notice by e-mail. Even if you have agreed to receive notice via e-mail, you also have the right to request a paper copy of this notice.
To invoke any of these rights, or for a campus specific Notice of Privacy Practices, please contact your local State University of New York campus. A complete listing can be viewed at the Campus Directory page. Clicking on your specific campus will take you to their Internet home page and provide you their specific Notice of Privacy Practices.
Person to Contact for Information About This Notice or to Complain About Our Privacy Practices
If you have any questions about this notice or any complaints about our privacy practices, or would like to know how to file a complaint with the Secretary of the Department of Health and Human Services, please contact us via e-mail at email@example.com or by writing:
University Privacy Officer
State University Plaza
Albany, New York 12243