REVISED NOTICE OF PRIVACY PRACTICES
Wooster Community Hospital and Bloomington Medical Services, LLC
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Wooster Community Hospital and Bloomington Medical Services, LLC (“We” or “Our”) are committed to safeguarding the Privacy and Security of your Protected Health Information in paper and electronic (computer) form (“PHI”). We have adopted practices that comply with HIPAA’s Privacy Rule (as amended) to protect the Use and Disclosure of your PHI. If you do not have a computer and internet access, or if you want a paper copy of this Notice, you may request a paper copy at any time by calling Our Privacy Officer at (330) 263-8615.
Please take this Notice home, read it, and share it with your family or Personal Representative. Not every Use or Disclosure of PHI, with or without a signed Authorization, may be listed. Uses or Disclosures not specified in this Notice generally will require an Authorization. Capitalized terms used in this Notice have the same meaning as they are defined in HIPAA’s Privacy Rule. If you have questions, please call Our Privacy Officer at (330) 263-8615.
Use and Disclosure of PHI for Treatment, Payment, and Health Care Operations
We will create, receive, or access your PHI, which We may Use or Disclose to other Covered Entities for Treatment, Payment, and Health Care Operations, without the need for you or your Personal Representative to sign an Authorization.
Written permission signed by a patient or Personal Representative that allows Us to Use or Disclose PHI for purposes other than Treatment, Healthcare Operations, or Payment, or as Required by Law.
Protected Health Information
Protected Health Information (PHI) includes oral, written, or electronically generated Individually Identifiable Health Information. PHI excludes De-identified information that is individually Identifiable, which may be Used or Disclosed without a signed Authorization.
Covered Entities include Health Care Providers (e.g. hospitals, doctors, nurses, nursing homes, home health agencies, durable medical equipment suppliers, and other health care professionals and suppliers) and group health and plans.
Use means Our accessing, sharing, employing, applying, utilizing, examining, or analyzing your PHI within Wooster Community Hospital and Bloomington Medical Services, LLC, a clinically-integrated affiliate.
Disclose means Our releasing, transferring, providing access to, or divulging in any other manner your PHI to a third party outside of Wooster Community Hospital or Bloomington Medical Services, LLC.
Treatment means the provision, coordination, or management of health care and related services by one or more Health Care Providers, including referrals and consultations between providers. We will Use your PHI for Treatment, which includes (but is not limited to) radiology, laboratory and other diagnostic tests, medical treatment, surgery, and other procedures. We will Disclose your PHI to other hospitals, doctors, pharmacies, health care professionals, and facilities that are involved in your Treatment or to whom you are being referred as part of continuity of care. We will not Disclose your PHI to persons who are not involved in your Treatment, unless they are participating in Health Care Operations, without your Authorization. We have Physical, Technical, and Administrative Safeguards in place to protect against unauthorized access.
We will Use and Disclose PHI when checking with your health plan or third-party payer about eligibility, coverage, pre-certification, or when billing and submitting claims for Payment of Treatment We provided. You may ask Us not to submit a claim containing certain PHI to your health plan or third-party payer. We will honor your request if you pay your claim out-of-pocket in full.
HIPAA permits Us to Disclose information to collection agencies and their attorneys if you do not pay your bill. If you are injured in an accident, or if another party is responsible for paying for your medical care, We may be legally obligated to send Our bill for Treatment first to the responsible party’s commercial payer or to the responsible party if the commercial payer is not known. This also applies (without limitation) to Our obligation under Medicare’s Secondary Payer Rules.
Health Care Operations
We will Use PHI for Health Care Operations, which include (but are not limited to) quality assurance, performance improvement, peer review, risk management, and compliance. Health Care Operations also include preventive, wellness, case management, and related services.
We may contract with outside persons or entities called Business Associates who may receive, access, Use, Disclose, or transmit PHI to perform Covered Functions for Us. Business Associates, including their agents and Subcontractors, must protect the Privacy and Security of your PHI to the same extent We do.
Except when PHI is Used or Disclosed for Treatment, We will limit the Use or Disclose your PHI to the minimum necessary to accomplish the intended purpose for which the Use or Disclosure was needed or requested.
Designated Record Set
A Designated Record Set is a group of records created or maintained, Used, or Disclosed by the Hospital in the course of business that includes inpatient and outpatient medical records, billing records, and health plan records that may be utilized in whole or in part to make decisions about an Individual, including Treatment, Healthcare Operations (except that quality assurance, peer review, and incident reports are not part of the Designated Record Set), or Payment. Designated Record Set does not include Health Information created by unrelated Health Care Providers.
Communicating with You, Your Family, Personal Representative, and Persons Involved in Your Care
Communicating with You
We or Our Business Associates may contact you for scheduling or reminding you of appointments, giving you test results, or refill reminders. We or Our Business Associates may contact you by mail, telephone, or email. If We call you, We will identify Ourselves and ask to speak with you. If you are not available, We may leave a message for you to call Us, but We will not Disclose details about your medical condition or PHI in that message.
Services and Programs
We or a Business Associate may contact you about health care services, prescription refills, treatment alternatives or health-related benefits, services, case management, wellness and preventive care programs, such as smoking cessation, weight management, education programs and Senior Partners. We or a Business Associate also may contact you in follow-up to services regarding your satisfaction. We do not market or sell your PHI to third-parties. Any Use or Disclosure of your PHI for marketing or sale will require your signed Authorization. If you do not want to be contacted or receive information about these services and programs, you may opt out by contacting Our Privacy Officer at (330) 263-8615. Opting out will not affect any care, Treatment, or services We provide to you.
We or a Business Associate may contact you about Fundraising. If you do not want to be contacted or receive Fundraising materials, you may opt out by contacting Our Privacy Officer at (330) 263-8615. Opting out will not affect any care, Treatment, or services We provide to you.
You May Request that We Contact with You by Alternate Means
You may ask Us to contact you by alternate means or at a different telephone number, address, or email address from what you usually use. Contact Our Privacy Officer at (330) 263-8615 if you do not want Us to send information to you at your home address, a particular email address, call you at home, or leave a message. You do not have to explain the reason for your request.
We will include you in Our patient directory, which lists your name, room number, general condition and religion. Directory information is available to family, friends, clergy and others who ask about you by name. You may request that We do not list you in the directory, or you may restrict access to certain persons whom you identify by notifying Patient Admitting. If you are not listed in the directory, We will not Disclose any information about you.
Communicating With Your Family or Personal Representative
Most patients allow Us to discuss their PHI with family members, guardians, persons named in a health care power of attorney or advanced directive (living will), Personal Representatives, or others who are assisting in their care or helping with medical bills. This may include discussing or answering questions a family member (spouse, adult children, parents, guardians, or Personal Representatives) may have about your condition, Treatment, medication and refills, or appointments. It also may include answering questions about your medical bill. We will assume that you will permit Us to talk with family members and those assisting you, unless you direct Us not to by contacting Our Privacy Officer at (330) 263-8615. We will communicate with family members or others involved in your care in emergencies, or if Required by Law.
Emancipated and Mature Minors
We usually share the PHI of a minor (a person less than 18 years old) with the minor’s parents or guardian. We will not share PHI with the parent(s) or guardian of an emancipated minor. A minor is considered emancipated if he or she: (1) does not live with his or her parent(s); (2) is not covered by parental health insurance; (3) is financially independent of parent(s); (4) is married; (5) has children; or (6) is in the military.
In some cases, if requested, We may not share PHI of a mature minor (generally 14 but less than 18) with the minor’s parent(s), guardian, or health plan for certain conditions, including alcohol or substance abuse, obstetrical care, or STDs. We will encourage the minor to involve parent(s) or guardian.
We will Disclose PHI of deceased patients to the probate court’s appointed Executor or Administrator of the deceased patient’s estate. We also may Disclose PHI to the patient’s spouse, family, Personal Representative, or others involved in the patient’s care or management of the patient’s affairs, unless doing so would be contrary to the patient’s expressed wishes known to Us. We may Disclose PHI of any deceased patient without an Authorization after 50 years.
Use and Disclosure of PHI You Authorize and Your Right to Cancel Authorization
We will not Use or Disclose your PHI other than for Treatment, Payment, or Health Care Operations without a valid, signed Authorization, except as stated in this Notice or otherwise Required by Law. We will not condition your Treatment on your signing an Authorization.
The date on your Authorization generally should not be more than 60 days before you give it to Us. We may ask you to sign a new Authorization if the date is more than 60 days, or if We have questions. This is for your protection. You may fax a copy of your Authorization to Us at (330) 262-5427.
We will not Disclose Psychotherapy Notes without a signed Authorization unless Required by Law.
We will not Disclose your PHI to your employer without a signed Authorization. We will not release medical records if We are subpoenaed, unless you sign an Authorization, or the lawyers sign a Qualified Protective Order, or if We receive a valid, signed court or administrative order.
You may authorize Us to Disclose PHI to persons who are not Covered Entities or Business Associates. Once that information is Disclosed to a non-Covered person, HIPAA no longer applies. A person or entity not covered by HIPAA may use or re-disclose medical information it receives in any way that is not prohibited by law.
You may cancel your Authorization in writing at any time by faxing your cancellation to (330)262-5427 or delivering it in person to Our Medical Records Department. Once We receive your written cancellation, We no longer will Disclose your PHI. We are not responsible for any Use or Disclosure of PHI consistent with the Authorization before We receive your written cancellation.
Use and Disclosure of Health Information Permitted or Required by Law
We may Use or Disclose PHI, without an Authorization, as permitted or Required by Law, including the following:
Workers’ Compensation. Ohio law permits Us to Disclose health information, without a HIPAA Authorization, when an employee files a Workers’ Compensation Claim or seeks benefits for work-related injuries or illnesses.
Public Health Agencies. We may Disclose PHI to public health agencies for reporting births and deaths, to help control disease, injury or disability, or to report cases of suspected abuse, neglect, or domestic violence.
FDA and OSHA. The FDA and OSHA require Us to Disclose PHI in reporting adverse events, product problems, and biological product deviations, so safety precautions, recalls, and notifications can be conducted.
Regulatory Agencies. We may Disclose PHI to certain Ohio and Federal governmental regulatory and health oversight agencies for purposes of their reviewing health care system, civil rights, privacy laws, and compliance with other governmental programs.
National and Homeland Security. We may Disclose information concerning patients to authorized federal officials for intelligence and other National and Homeland Security purposes.
Protective Services for the President and Others. We may Disclose medical information about you to authorized federal officials, so they may provide protection to the President, other authorized persons and or foreign heads of state and officials, or to conduct special investigations.
Red Cross and Armed Forces. We may Disclose PHI to the Red Cross or Armed Forces to assist it in notifying the patient’s family member of the patient’s location, general condition, or death.
Coroners, Medical Examiners, and Funeral Directors. We may Disclose PHI to coroners, medical examiners, or funeral directors for them to perform legally authorized responsibilities.
Law Enforcement. We may Disclose PHI to law enforcement officials when it: (1) is limited to identification purposes; (2) applies to victims of crime; (3) involves a suspicion that injury or death has occurred because of criminal conduct; (4) is needed in a criminal investigation; (5) is necessary to prevent or lessen the threat to the health or safety of a person or to the public; (6) in response to a valid court order; (7) is needed to identify or locate a suspect, fugitive or missing person; (8) is to report a crime on Our premises; or (9) is otherwise Required by Law.
Emergency or Disaster. If the President declares an emergency or disaster, and the Secretary of HHS declares a public health emergency, the Secretary may waive Our obligation to comply with any or all of the following Privacy requirements to: (1) obtain the patient’s agreement to speak to family members or friends involved in the patient’s care; (2) honor a request to opt out of the facility directory; (3) distribute a Notice of Privacy Practices; (4) patient’s right to request privacy restrictions; or (5) the patient’s right to request confidential communications. Waiver only applies if the Hospital is in the emergency area for the emergency period and for up to 72 hours until the Hospital implements its disaster protocol.
Prevent Threat of Serious Harm. We may Disclose PHI if a reasonable belief exists that it may prevent or lessen a serious and imminent threat to the health or safety to you, another person, or the public, and Disclosure is made to a person(s) reasonably able to prevent or lessen the threat, including the target of the threat.
Proof of Immunization. We may Disclose PHI to schools for the limited purpose of showing proof of immunization of a student or prospective student, and the parent, guardian, person acting in loco parentis, or emancipated minor does not object.
Organ and Tissue Donation. If you are an organ or tissue donor, We may Disclose medical information to organ donation banks or organizations for purposes of organ procurement or organ, eye, or tissue transplantation.
Correction Institution or Custody. If you are an inmate of a jail, prison, correctional institution, or under the custody of law enforcement officials, We may release medical information about you for purposes of: (1) the institution’s providing you with health care; (2) protecting your health and safety and the health and safety of others; and (3) protecting the safety and security of the correctional institution or custodial facility.
You May Request Restrictions on Certain Uses and Disclosures of PHI
You may request that We do not Disclose certain PHI to family members, Personal Representatives, friends or others. HIPAA’s Privacy Rule gives hospitals and doctors the right to deny a patient’s request to restrict the Use or Disclosure of PHI when it is being Used or Disclosed to other Covered Entities for Treatment purposes.
We will honor your request to restrict the Use or Disclosure of PHI when submitting a claim to an insurance or a health plan for reimbursement if you agree in writing to pay the claim in full out-of-pocket. We will consider all other requests for restricted Use or Disclosure of PHI on a case-by-case basis. If We cannot accommodate your request, We will let you know.
You May Access, Inspect, and Receive a Copy of Your Own PHI
You have the general right to inspect and have a copy of your own PHI in a Designated Record Set. There are exceptions. You may not have the right to inspect or copy Psychotherapy Notes or information compiled for civil, criminal or administrative proceedings. Your right may not extend to information covered by other laws or information obtained from someone other than another Health Care Provider. We may deny access if, in Our judgment, seeing that information could endanger the life or safety of you or another. We may charge you at the rate the law permits for copying records.
You may request access to your PHI by contacting Medical Records (330) 263-8615. We will consider all requests according to Our legal responsibilities under the Privacy Rule.
We will try to respond within 30 days from when We receive the request. Sometimes, it may take more than 30 days in which case We will act as soon as reasonably practical. If We grant your request, We will set up an appointment for you to inspect your PHI. If you request access to PHI that is maintained in an electronic record or electronic Designated Data Set, We may provide an electronic “machine readable copy” in a standard format enabling the ePHI to be processed and analyzed by a computer in a manner that accommodates requests for specific formats.
Alternatively, you may ask for a written summary of your health information instead of inspecting or copying your records. We may charge you for a summary. If We are unable to grant your request, We will notify you in writing of the basis for the denial and your rights for review.
You May Amend Incorrect or Incomplete PHI
You may request in writing that incorrect or incomplete PHI in your record be amended delivering it in person, mailing it, or faxing it to the Medical Records Department at (330)262-5427. We usually will respond to your request within 60 days from when We receive your written request.
We will grant your request if PHI that We created or maintain in a Designated Record Set is incorrect or incomplete. For example, if the medical record states that you were treated for a broken left leg, when it was your right leg, you may amend the incorrect information. We will not amend your health information if it is not part of a Designated Record Set or was not created by Us, if it would not be available for you to inspect, or if the information is accurate and complete. For example, if you wanted to delete information about your medical history from your medical record, because it is embarrassing, We cannot amend that information if it is correct and part of the medical record.
If We grant your request, We will amend PHI in the Designated Record Set. We will inform you that We have made the amendment. We will inform persons who have received and may have relied on PHI that it has been amended.
If We deny your request, We will: (1) tell you in writing the reason for denial; (2) inform you of your right to submit a written statement of disagreement, which We will keep with your record and will include with future disclosures; and (3) inform you of your right to file a Complaint. If you file a statement of disagreement, We may prepare a written rebuttal. If you have questions about this right, please contact Our Privacy Officer at (330) 263-8615.
You May Receive an Accounting of Disclosures of Health Information
You have a right to receive an Accounting of Disclosures We have made to others of your PHI up to six years prior to the date in which the request for an Accounting is made. There are certain exceptions and limitations, including, but not limited to Disclosures made: (1) for Treatment, Payment, and Health Care Operations; (2) to the Individual or Personal Representative of the Individuals own PHI; and (3) according to a signed Authorization.
You may request an Accounting of Disclosures in writing at the Medical Records Department. The first Accounting you request within a 12-month period will be free. For additional Accountings, We may charge you for the cost of preparing the list.
Your have a Right to Receive a Breach Notification
We will promptly notify you by first-class mail, at your last known address, or by email (if you prefer) if We Discover a Breach of Unsecured PHI, which includes the unauthorized acquisition, access, Use, or Disclosure of your PHI, unless We determine that a low probability exists that the compromise of your PHI would cause you financial, reputational, or other harm by conducting a Risk Assessment. We will include in the Breach Notice a brief description of what happened, a description of the types of Unsecured PHI involved, steps you should take to protect yourself from potential harm, a description of what We are doing to investigate the Breach and mitigate potential harm, and contact information for you to ask questions and learn additional information.
Health Information Exchange
Wooster Community Hospital and Bloomington Medical Services endorses, supports, and participates in electronic Health Information Exchange (HIE) as a means to improve the quality of your health and healthcare experience. HIE provides us with a way to securely and efficiently share patients’ clinical information electronically with other physicians and health care providers that participate in the HIE network. Using HIE helps your health care providers to more effectively share information and provide you with better care. The HIE also enables emergency medical personnel and other providers who are treating you to have immediate access to your medical data that may be critical for your care. Making your health information available to your health care providers through the HIE can also help reduce your costs by eliminating unnecessary duplication of tests and procedures. However, you may choose to opt-out of participation in the CliniSync HIE, or cancel an opt-out choice, at any time.
PATIENT CONCERN AND COMPLAINT RESOLUTION PROCEDURE
We are committed to protecting your PHI. Despite Our best efforts, questions, concerns, or problems may arise. If you have a concern, or you believe that your Privacy rights have been violated or Breached, We encourage you to contact Us immediately. You may do so by filling out a complaint form, contacting Our website (www.woosterhospital.org), or calling Our Privacy Officer at (330) 263-8615.
We take all concerns and complaints very seriously and will investigate each one promptly. If We made a mistake or learn of unauthorized Disclosure or Breach, We will do what We can to correct it and take steps to prevent such mistakes or problems in the future. If We did not make a mistake, We will provide you with an explanation. We will make every effort to get back to you within 30 days.
Under no circumstances will We retaliate against you for expressing a concern or filing a complaint relating to your Privacy rights. If you are not satisfied by Our response, or if you choose not to send a complaint to Us first, you may contact the Office for Civil Rights for the Department of Health and Human Services in Washington, D.C. in writing within 180 days of the suspected violation or Breach.
Changes to this Notification of Privacy Practices
We reserve the right to change this Notice at any time, which We may make effective for PHI We already Used or Disclosed, or for any PHI We may create, receive, Use, or Disclose in the future. We will make material changes based on changes in the HIPAA laws.
We will post a current version of Our Notice of Privacy Practices (with the effective date) on Our website (www.woosterhospital.org) and will make it available at Wooster Community Hospital, including HealthPoint, the Wound Center and any other Hospital outpatient facility or location, and at the offices of Bloomington Medical Services physician practices. We will offer to give you a copy of Our most current Notice whenever you come for Treatment. You may request a paper copy of Our current Notice at any time.
Original Effective Date: April 14, 2003
Revised Effective Dates: October 25, 2010, January 18, 2011
Current Revision and Effective Date: September 23, 2013
Current Revision and Effective Date: July 23, 2014