HIPPA Privacy Statement
St. Mary’s Health System Notice of Privacy Practices
This notice revised 9/2013
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
St. Mary’s Health System is required by law to maintain the privacy of Protected Health Information and to give you this notice explaining our privacy practices with regard to that information. You have certain rights – and St. Mary’s has certain legal obligations – regarding the privacy of your Protected Health Information, and this Notice also explains your rights and St. Mary’s obligations. St. Mary’s is required to abide by the terms of the current version of this Notice.
We reserve the right to change this notice and to make the revised or changed notice effective for PHI we already have about you as well as any information we receive in the future. The first page of the notice contains the effective date and any dates of revisions to this document. We will
post a copy of the current notice in our facility.
“Protected Health Information” (“PHI”) is information that individually identifies you and that St. Mary’s creates or gets from you or another health care provider, health plan, your employer, or a healthcare clearing house and that realtes to (1) your past, present or future physical or mental
health or conditions, (2) the provision of health care to you, or (3) the past, present, or future
payment for your healthcare.
How We May Use and Disclose Your Protected Health Information.
Treatment: We may use your PHI to give you medical treatment and services. We may disclose your PHI to doctors, nurses, nursing assistants, medication aides, technicians, medical and nursing students, rehabilitation therapy specialists, or other personnel who
are involved in your health care. For example, your physician may order physical therapy services to improve your strength and walking abilities. Our nursing staff will need to talk with the physical therapist so that we can coordinate services and develop a plan of care. We also may disclose your PHI to people outside of our facility who may be involved in your health care, such as family members, social services, or home health agencies.
Except in emergency situations, we may not disclose PHI which shows you received mental health treatment services to anyone outside the office, practice or organizational affiliate of St.Mary’s without your written authorization. We may communicate with a pharmacist to permit dispensing of medication as needed.
Appointment reminders: We may use or disclose your PHI for purposes of contacting you to remind you of a health care appointment.
Treatment alternatives, health-related benefits and services. We may use or disclose your PHI for purposes of contacting you to inform you of treatment alternatives or health related benefits and services that may be of interest to you.
Payment. We may use or disclose your PHI so that we may bill and collect payment from you, an insurance company or another third party for the health care services you receive at our facility. For example, we may need to give information to your health plan regarding the services you received from our facility so that your health plan will pay us or reimburse you for the services. We also may tell your health plan about a treatment
you are going to receive in order to obtain prior approval for the services or to determine whether your health plan will cover the treatment.
Health care operations. We may use or disclose your PHI to perform certain functions within our facility. These uses or disclosures are necessary to operate our health system and to make sure that our patients receive quality care. For example, we may use your PHI to review our treatment and services and to evaluate the performance of our staff in caring for you. We may combine PHI about many of our patients to determine whether
certain services are effective or whether additional services should be provided. We may disclose your PHI to physicians, nurses, nursing assistants, medication aides, rehabilitation therapy specialists, technicians, medical and nursing students and other personnel for review and learning purposes. We also may combine PHI with information from other health care providers or facilities to compare how we are doing and see where
we can make improvements in the care and services offered to our residents. We may remove information that identifies you from this set of PHI so that others may use the information to study health care and health care delivery without learning the specific
identities of our residents.
Minors. We may disclose the PHI of minor children to their parents or guardians unless such disclosure is otherwise prohibited by law.
Public health activities. We may use or disclose your PHI to public health authorities that are authorized by law to receive and collect PHI for the purpose of preventing or controlling disease, injury or disability. We may use or disclose your PHI for the following purposes:
- To report births and deaths
- To report suspected or actual abuse, neglect, or domestic violence involving a child or an adult.
- To report adverse reactions to medications or problems with health care products.
- To notify individuals of product recalls.
- To notify an individual who may have been exposed to a disease or may be at risk for spreading or contracting a disease or condition.
Health oversight activities. We may use or disclose your PHI to a health oversight agency that is authorized by law to conduct health oversight activities. These oversight activities may include audits, investigations, inspections, or licensure and certification surveys. These activities are necessary for the government to monitor the persons or organizations that provide health care to individuals and to ensure compliance with
applicable state and federal laws and regulations.
Business Associates. We may disclose Protected Health Information to our business associates who perform functions on our behalf or provide us with services if the PHI is necessary for those functions or services. For example, we may use another company to do our billing, or to provide transcription or consulting services for us. All of our business associates are obligated, under contract with us, to protect the privacy and ensure the security of your Protected Health Information.
Abuse, Neglect or Domestic Violence. We may disclose Protected Health Information to the appropriate government authority if we believe a patient has been the victim of abuse, neglect or domestic violence and the patient agrees or we are required or authorized by law to make that disclosure.
Data Breach Notification Purposes. We may use or disclose your Protected Health Information to provide legally required notices of unauthorized access to or disclosure of your health information.
Lawsuits and disputes. We may use or disclose your PHI to courts or administrative agencies charged with the authority to hear and resolve lawsuits or disputes. We may disclose your PHI pursuant to a court order, a subpoena, a discovery request, or other lawful process issued by a judge or other person involved in the dispute, but only if efforts have been made to (i) notify you of the request for disclosure or (ii) obtain an order protecting your health information.
Worker’s Compensation. We may use or disclose your PHI to worker’s compensation programs when your health condition arises out of a work-related illness or injury.
Law Enforcement official. We may use or disclose your PHI in response to a request received from a law enforcement official for the following purposes:
- In response to a court order, subpoena, warrant, summons or similar lawful process if disclosure is authorized or required by statute.
- If necessary to protect public health or welfare if disclosure is authorized or required by law regarding a victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement.
- To report a death tat we believe may be the result of criminal conduct.
- To report a criminal conduct at our facility.
- In emergency situations, to report a crime – the location of the crime and possible victims; or the identity, description, or location of the individual who committed the crime.
Coroners, medical examiners, or funeral directors. We may use or disclose your PHI to a coroner or medical examiner for the purpose of identifying a deceased individual or to determine the cause of death. We may also use or disclose your PHI to a funeral director for the purpose of carrying out his/her necessary activities.
Organ procurement organizations or tissue banks. If you are an organ donor, we may use or disclose your PHI to organizations that handle organ procurement, transplantation or tissue banking for the purpose of facilitating organ or tissue donation or
Research. We may use or disclose your PHI for research purposes under certain limited circumstances. Because all research projects are subject to a special approval process, we will not use or disclose your PHI for research purposes until the particular research project for which your PHI may be used or disclosed has been approved through this special approval process. However, we may use or disclose your PHI to individuals preparing to conduct the research project in order to assist them in identifying patients with specific health care needs who may qualify to participate in the research project. Any use or disclosure of your PHI, which may be done for the purpose of identifying qualified participants, will be conducted onsite at our facility. In most instances, we will ask for your specific permission to use or disclose your PHI if the researcher will have access to your name, address or other identifying information.
To avert a serious threat to health or safety. We may use or disclose your PHI when necessary to prevent a serious threat to the health or safety of you or other individuals. Any such use or disclosure would be made solely to the individual(s) or organization(s) that have the ability and/or authority to assist in preventing the threat.
Military and veterans. If you are a member of the armed forces, we may use or disclose your PHI to provide a brief confirmation of general health status as required by military command authorities.
National security and intelligence activities. We may use or disclose your PHI to authorized federal officials for purposes of intelligence, counterintelligence and other national security activities, as authorized or required by law.
Inmates. If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may use or disclose your PHI to the correctional institution or to the law enforcement official as may be necessary to provide information about immunizations and/or a brief confirmation of general health status.
Uses or disclosures required by law. We may use or disclose your information where such uses or disclosures are required by federal, state or local law.
Uses and Disclosures That Require Us to Give You an Opportunity to Object and Opt Out
Fundraising activities. Unless you object, we may use a limited amount of your PHI for purposes of contacting you to raise money for our facility and its operations. We may disclose this PHI to a foundation related to the facility so that the foundation may contact you to raise money for our facility. The information, which we may use or disclose, will be limited to your name, address, phone number and dates for which you received
treatment or services at our facility.
If you do not want our facility or affiliated foundation to contact you for these fundraising purposes, you must notify St. Mary’s Health System Development Office in writing at:
St. Mary’s Health System Development Office
P.O. Box 7291, Lewiston, Me. 04243
Directory. Unless you object, we may use or disclose certain limited PHI about you in our facility phone and/or room directories while you are a patient. This information may include your name, your assigned unit and room number, your religious affiliation and a general description of your condition. Your religious affiliation may be given to a member of the clergy. The directory information, except for religious affiliation, may be
given to people who ask for you by name.
Individuals involved in your care. Unless you object, we may disclose your PHI to individuals, such as family and friends, who are involved in your care or who help pay for your care. We also may disclose your PHI to a person or organization assisting in disaster relief efforts for the purpose of notifying your family or friends involved in your care about your condition, status and location.
Disaster Relief. We may disclose your Protected Health Information to disaster relief organizations that seek your Protected Health Information to coordinate your care, or notify family and friends of your location or condition in a disaster. We will provide you with an opportunity to agree or object to such disclosure when we practicably can do so.
Uses or Disclosures That Require Your Written Authorization. We may use or disclose your PHI for purposes other than treatment, payment or health care operations or as described in this document and for purposes which are not required by law only after receiving your written authorization. This includes most uses and disclosures of psychotherapy notes, uses and disclosure of PHI for marketing purposes and disclosures that constitute a sale of your PHI. Release of information related to HIV, Alcohol and Substance Abuse, Mental Health and Genetics also require special authorization prior to disclosure.
Your Rights Regarding Your Health Information.
You have the right to revoke a written authorization at any time as long as your revocation is provided to us in writing. If you revoke your written authorization, we will no longer use or disclose your PHI for the purposes identified in the authorization. You understand that we are unable to retrieve any disclosures that we may have made pursuant to your authorization before its revocation. Some examples of uses or disclosures that may require your written authorization include a request to provide your PHI to an attorney for use in a civil litigation claim and/or for purposes of including you on a mailing list.
You have the following rights regarding your PHI that we create and/or maintain.
Right to inspect and copy. You have the right to inspect and copy PHI that may be used to make decisions about your care. Generally, this includes medical and billing records but does not include psychotherapy notes.
To inspect and copy your health information, you must submit your request in writing to:
(Your provider’s Name here)
P.O. Box 291
Lewiston, Maine 04243
If you request a copy of the information we will usually provide within 30 days of your request. We may charge a fee for the costs of copying. mailing or other costs associated with your request.
We may deny your request to inspect and copy your PHI in certain limited circumstances. If you are denied access to your health information, you may request that the denial be reviewed. Another licensed health care professional selected by our facility will review your request and the denial. The person conducting the review will not be the person who initially denied your request. We will comply with the outcome of this review.
Right to a Summary and Explanation. We can also provide you with a summary of your Protected Health Information, rather than the entire record, or we can provide you with an explanation of the PHI that has been provided to you, so long as you agree to this alternative form and agree to pay the associated fees. Request for a summary or explanation can be sent to the address above.
Right to an Electronic Copy of Electronic Medical Records. If your PHI is maintained in an electronic format (known as an electronic medical record or an electronic health record), you have the right to request that an electronic copy of your record be given to you or transmitted to another individual or entity. We will make every effort to provide access to your PHI in the form or format you request, if it is readily producible in such
form or format. If the PHI is not readily producible in the form or format you request your record will be provided in either our standard electronic format or if you do not want this form or format, a readable hard copy form. We may charge you a reasonable, cost based fee for the labor associated with transmitting the electronic medical record.
Right to request an amendment. If you feel that the PHI we have about you is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept by or for our facility.
To request an amendment, your request must be made in writing and submitted to:
(Your Provider’s Name here)
P.O. Box 291
Lewiston, Me. 04243
We may deny your request for an amendment if it is not in writing. In addition, we may deny your request if you ask us to amend information that is not part of the PHI kept by or for our facility and/or information which you would be permitted to inspect and copy.
Right to an accounting of disclosures. You have the right to request an accounting of the disclosures that we have made of your health information. This accounting will not include disclosures of PHI that we made for purposes of treatment, payment or health care operations or for disclosures we made that you authorized us to make.
To request an accounting of disclosures, you must submit your request in writing to:
(Your provider’s Name here)
P.O. Box 291
Lewiston, Me. 04243
Your request must state a time period that may not be longer than six (6) years before the date of your request and may not include dated before April 14, 2003. Your request should indicate in what form you want to receive the accounting (for example, on paper or via electronic means). The first accounting that you request within a twelve (12) month period will be free. For additional accountings, we may charge you for the costs of providing the accounting. We will notify you of the cost involved, and you may choose to withdraw or modify your request at that time before any costs are incurred.
Right to Get Notice of a Breach. You have the right to be notified upon a breach of any of your unsecured Protected Health Information
Right to request restrictions. You have the right to request a restriction or limitation on the PHI we use or disclose about you for treatment, payment, or health care operations. You also have the right to request a limit on the PHI we disclose about you to someone, such as a family member or friend, who is involved in your care or in the payment of your care. For example, you could ask that we not use or disclose information regarding
a particular treatment that you received.
We are not required to agree to your request. If we do agree, we will comply with your request unless the information is needed to provide emergency treatment to you.
To request restrictions, you must make your request in writing to:
(Your Provider’s Name here)
P.O. Box 291
Lewiston, Me. 04243
In your request, you must tell us:
What information you want to limit:
Whether you want to limit our use, disclosure or both; and:
To whom you want the limits to apply (for example, disclosures to a family member.)
Out-of-Pocket-Payments. If you paid out of pocket payments (or in other words, you have requested that we not bill your health plan) in full for a specific item or service, you have the right to ask that your PHI with respect to that item or service not be disclosed to a health plan for purposes of payment or healthcare operations, and we will honor that request.
Right to request confidential communications. You have the right to request that we communicate with you about your health care in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail.
To request confidential communications, you must make your request in writing to:
(Your Provider’s Name here:)
P.O. Box 291
Lewiston, Me. 04243
We will not ask you the reason for your request. We will accommodate all reasonable requests.
Your request must specify how and or where you wish to be contacted.
Right to a paper copy of this notice. You have the right to receive a paper copy of this notice. You may ask us to give you a copy of this notice at any time. Even if you have agreed to receive this notice electronically, you are still entitled to a paper copy of this notice.
You may obtain a copy of this notice at our Web Site:
To obtain a paper copy of this notice, contact your provider or mail a written request to:
(Your Provider’s Name here)
P.O. Box 291
Lewiston, Me. 04243
HealthInfoNet Notice of Privacy Practices
We participate in HealthInfoNet, the statewide health information exchange (HIE) designated by the State of Maine. The HIE is a secure computer system for health care providers to share your important health information to support treatment and continuity of care. For example, if you are
admitted to a health care facility not affiliated with St. Mary’s Regional Medical Center, health care providers there will be able to see important health information held in our electronic medical record systems.
Your record in the HIE includes medicines (prescriptions), lab and test results, imaging reports, conditions, diagnoses or health problems. To ensure your health information is entered into the correct record, also included are your full name, birth date and social security number. All information contained in the HIE is kept private and used in accordance with applicable state and federal laws and regulations. The information is accessible to participating providers to support treatment and healthcare operations such as mandated disease reporting to the Maine Centers for Disease Control and Prevention.
You do not have to participate in the HIE to receive care. For more information about HealthInfoNet and your choices regarding participation, visit www.hinfonet.org or call toll-free 1-866-592-4352.
If you believe your privacy rights have been violated, you may file a complaint in writing,with our Privacy Officer at:
Privacy Officer, PO Box 291, Lewiston, Me. 04240..
You may also file a complaint with the U.S. Department of Health and Human Services (“HHS”) at 200 Independence Avenue, S.W., Washington, D.C. 20201 . Call (202)619-0257 or toll free (877-696-6775 or go to the website of the Office for Civil rights, www.hhs.gov/ocr/hipaa/, for
ALL COMPLAINTS MUST BE SUBMITTED IN WRITING and should be submitted within 180 days of when you knew or should have known of the suspected violation.
You will NOT be penalized for filing a complaint.