This Notice describes how your Protected Health Information (PHI) may be used or disclosed, how you may access PHI, and your legal rights. Please read carefully.
Our privacy practices follow HIPAA’s Privacy Rule, which protects the use and disclosure of PHI. HIPAA’s definitions are on our website (www.woosterhospital.org). If you do not have a computer, ask for a paper copy. Please take this Notice of Privacy Practices home, read it, and share it with family. If you have questions, call our Privacy Officer at (330) 263-8615.
We will use and disclose your PHI to other Covered Entities for Treatment, Payment and Health Care Operations. You do not need to sign an Authorization.
Covered Entities include health care providers (hospitals, doctors, other health care professionals and suppliers) and group health plans.
Treatment includes diagnostic tests, medical treatment and surgical procedures. We will share your PHI with other hospitals, doctors and health care professionals treating you. We will not disclose your PHI to persons not involved in your treatment without your Authorization. We have safeguards to protect against unauthorized access.
We will use and disclose PHI when checking with your health plan about eligibility, coverage and pre-certification or when submitting a claim for payment of Treatment we provided. You may ask us not to submit a claim containing certain PHI to your health plan. We will honor the request if you pay your claim in full. HIPAA permits us to disclose information to collection agencies if you do not pay your bill. If you are injured in an accident or if another party is responsible for paying for your medical care, we may be legally obligated to submit our claim for services first to the responsible party’s commercial payer or to the responsible party if its commercial payer is not known. This applies (without limitation) to our obligation under Medicare’s Secondary Payer Rules.
We will use PHI for Health Care Operations for performance improvement, peer review, risk management and compliance. Health Care Operations also includes preventive, wellness, and case management services.
We may use outside persons called Business Associates who access PHI to perform services for us. We have contracts with Business Associates to assure they protect the Privacy and Security of your PHI.
Communicating with You
We may contact you for scheduling or reminding you of appointments or giving you test results. We may contact you by mail, telephone, or email. If we call you, we will identify ourselves and ask to speak with you. If you are not available, we may leave a message for you to call us. We will not give details.
We may contact you about health care services, treatment alternatives or health-related benefits, services, case management, wellness and preventive care programs, such as smoking cessation, weight management, education programs and Senior Partners. You may opt out if you do not want to be contacted.
We may contact you about fundraising, but you may opt out if you do not want to be contacted.
Your Right to Request that We Contact You by Alternate Means
You may ask us to contact you by alternate means or at a different telephone number or address from what you usually use. Let us know if you do not want us to mail information to you at your home address, call you at home, or leave a message. You do not have to explain the reason for your request.
Family and Friends
We will include you in our inpatient directory, which lists your name, room number, general condition and religion. Directory information is available to family, friends, clergy and others who ask about you by name. You may ask not to be listed in the directory, or you may restrict access to certain persons whom you identify. If you are not listed in the directory, we will not disclose or confirm any information about you, including whether you are a patient.
Most patients allow us to discuss their PHI with family members or others who are assisting in their care or helping with their medical bills. This may include discussing or answering questions a family member (spouse, adult children, parents or guardians) may have about your condition, medication or treatment. It also may include answering questions about a medical bill. We will assume we may talk to family members, unless you ask us not to. We may need to communicate with family members or others involved in your care in emergencies, or if the law requires.
Emancipated and Mature Minors
We usually will share the PHI of a minor (a person less than 18 years old) with the minor’s parent(s) or guardian. We will not share PHI with the parent(s) or guardian of an emancipated minor. A minor is considered emancipated if he or she: (1) does not live with his or her parents; (2) is not covered by parental health insurance; (3) is financially independent of parents; (4) is married; (5) has children; or (6) is in the military.
In some cases, if requested, we may not share PHI of a mature minor (over 14 but less than 18) with the minor’s parents, guardian, or health plan for certain conditions, including alcohol or substance abuse, obstetrical care or STDs. We will encourage the minor to involve parents or guardian.
We will not use or disclose your PHI other than for Treatment, Payment, or Health Care Operations (unless the law requires) without your signed Authorization. We will not disclose psychotherapy notes without an Authorization. The date on your Authorization generally should not be more than 60 days before you give it to us. You may fax or email the Authorization to us.
We will not give PHI to your employer without your Authorization. We will not release medical records if we are subpoenaed, unless you sign an Authorization, or the lawyers sign a Qualified Protective Order, or we receive a court order.
You may authorize us to disclose PHI to persons who are not Covered Entities under HIPAA. Once that information is disclosed to a non-Covered person, HIPAA no longer protects it. A person or entity not covered by HIPAA may use or re-disclose information it receives in any way that is not prohibited by law.
You may cancel the Authorization in writing at any time. Once we receive your written cancellation, we no longer will disclose your PHI. We are not responsible for any use or disclosure of PHI according to the Authorization before we receive your written cancellation.
We may use or disclose PHI, without an Authorization, as permitted or required by law, including the following:
Workers’ Compensation. Ohio law permits us to disclose health information, without a separate Authorization, when an employee files a Workers’ Compensation Claim or seeks benefits under other State programs.
Public Health Agencies. Ohio law requires us to disclose PHI to public health agencies to help control disease, injury or disability. The law requires us to report cases of suspected abuse or neglect.
FDA and OSHA. Certain Federal laws from the FDA and OSHA require us to report adverse events, product problems, and biological product deviations, so safety precautions, recalls and notifications can be conducted.
Regulatory Agencies. Certain Ohio and Federal governmental regulatory agencies require us to disclose PHI for monitoring compliance.
National and Homeland Security. We may disclose information concerning patients National and Homeland Security purposes.
Red Cross and Armed Forces. We may disclose PHI to the Red Cross or Armed Forces to assist it in notifying the patient’s family member of the patient’s location, general condition, or death.
Coroner and Funeral Directors. We may disclose PHI to the Coroner or a funeral director to perform legally authorized responsibilities.
Law Enforcement. We may disclose PHI to law enforcement officials when it: (1) is limited to identification purposes; (2) applies to victims of crime; (3) involves a suspicion that injury or death has occurred because of criminal conduct; (4) is needed in a criminal investigation; (5) necessary to prevent or lessen the threat to the health or safety of a person or to the public; or (6) is otherwise required by law.
Emergency or Disaster. If the President declares an emergency or disaster, and the Secretary of HHS declares a public health emergency, the Secretary may waive our obligation to comply with any or all of the following Privacy requirements to: (1) obtain the patient’s agreement to speak to family members or friends involved in the patient’s care; (2) honor a request to opt out of the facility directory; (3) distribute a Notice of Privacy Practices; (4) patient’s right to request privacy restrictions; or (5) the patient’s right to request confidential communications. Waiver only applies if the Hospital is in the emergency area for the emergency period and for up to 72 hours until the Hospital implements its disaster protocol.
Threat of Serious Harm. We may use or disclose PHI if reasonable belief exists that it may prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and disclosure is made to a person(s) reasonably able to prevent or lessen the threat, including the target of the threat.
You have the Right to Request Restrictions on Certain Uses and Disclosures of PHI
You may request that we do not disclose PHI to family members, friends or others. HIPAA’s Privacy Rule gives hospitals and doctors the right to deny a patient’s request to restrict the use or disclosure of PHI for Treatment. We will honor your request to restrict the use or disclosure of PHI when submitting a claim to insurance or health plan for reimbursement if you agree in writing to pay the claim in full. We will consider all other requests for restricted use or disclosure of PHI on a case-by-case basis. If we cannot agree to your request, we will let you know.
You have a Right to Access, Inspect, and Copy Your Own PHI
Generally, you have the right to inspect and copy your own PHI in our hospital records (“designated record set”). There are exceptions. You do not have the right to inspect or copy psychotherapy notes or information compiled for civil, criminal or administrative proceedings. Your right may not extend to information covered by other laws or information obtained from someone other than another health care provider. We may deny access if, in our judgment, seeing that information could endanger the life or safety of you or another. We may charge you at the rate the law permits for copying records.
You may request access to your PHI by completing the Request for Access form and giving or sending it to us. We will consider all requests according to our legal responsibilities under the Privacy Rule.
We usually will respond within 30 days from when we receive the request. Sometimes, it may take more than 30 days in which case we will act as soon as reasonably practical. If we grant your request, we will set up an appointment for you to inspect your PHI.
Alternatively, you may ask for a written summary of your health information instead of inspecting or copying your records. We may charge you a reasonable fee for a summary. If we are unable to grant your request, we will notify you in writing of the basis for the denial and your rights for review.
You have the Right to Amend Incorrect or Incomplete Facts in Your PHI
You may request that incorrect or incomplete PHI in your record be amended by completing our written request and giving or mailing it to us. We will respond to your request within 60 days from when we receive your completed form.
We will grant your request if PHI that we created is incorrect or incomplete. We will not amend your health information if it is not part of a designated record set, if it would not be available for you to inspect, or if the information is accurate and complete.
If we grant your request, we will amend the health information in the designated record set. We will inform you that we have made the amendment, and we will inform persons who have received and may have relied on health information that it has been amended.
If we deny your request, we will: (1) tell you in writing the reason for denial; (2) inform you of your right to submit a written statement of disagreement and provide you with the appropriate form, which we will keep with your record and will include with future disclosures; and (3) inform you of your right to file a complaint. If you file a statement of disagreement, we may prepare a written rebuttal. If you have questions about this right, ask our Privacy Officer.
You have a Right to Receive an Accounting of Disclosures of Health Information
You have a right to receive an accounting of disclosures we have made to others of your PHI, with certain exceptions and limitations. To request an accounting, please complete the Request for an Accounting form.
Wooster Community Hospital and other area hospitals and health care providers participate in a Health Information Exchange (HIE), which allows them to share patient information electronically.
Only health care providers caring for you, or who may be involved in your care, may access PHI from the HIE. Safeguards, such as password protection, encryption, audit and tracking capability, that comply with HIPAA and other privacy laws protect the privacy and security of your PHI in the HIE.
To participate in the HIE, you must sign a consent form to Opt-In. The Opt-in option allows healthcare providers to access your personal health information for treatment purposes. You may choose not to participate in the HIE. Your participation in the HIE is not a condition to your receiving care. If you do not want to participate, you may request an opt-out form.
We are committed to protecting your PHI. Despite our efforts, questions, concerns, or problems can arise. If you have a concern, or believe that your Privacy rights have been violated or breached, we encourage you contact us immediately. You may do so by filling out a complaint form, contacting our website (http://www.woosterhospital.org), or calling our Privacy Officer at (330) 263-8615.
We take all concerns and complaints very seriously and will investigate each one promptly. If we made a mistake, we will do what we can to correct it and take steps to prevent such mistakes in the future. If we did not make a mistake, we will provide you with an explanation. We will make every effort to get back to you within 30 days.
Under no circumstances will we “retaliate” against you for expressing a concern or filing a complaint relating to your Privacy rights. If you are not satisfied by our response, you may contact the Office for Civil Rights for the Department of Health and Human Services or the Ohio Attorney General.
Effective Date: April 14, 2003
Revised: October 25, 2010, January 18, 2011, June 23, 2011