HIPAA Notice of Privacy Practices in English

Our Legal Responsibility

As your health care provider, we are legally required to protect the privacy of your health information, and to give you this Notice about our legal duties, privacy practices, and your rights with respect to your health information. University of Iowa Health Care includes University of Iowa Health Care Medical Center, University of Iowa Health Care Medical Center Downtown, Roy J. and Lucille A. Carver College of Medicine, and University of Iowa Physicians. Student Health Services offers health services to University of Iowa students. This Notice applies to health information held by both entities.

Your Protected Health Information

Throughout this Notice we will refer to your protected health information as PHI. Your PHI includes data that identifies
you and reports about the care and services you get at the hospitals, in the clinics, or at Student Health Services. Examples of PHI include information about your diagnosis, medications, insurance status and policy number, payment information, social security number, address, and other demographic information.

This Notice about our privacy practices states how, when, and why we use and share your PHI. We may not use or disclose any more of your PHI than is needed for the purpose of the use or disclosure, with some exceptions.

Changes to this Notice

We are required to follow the terms of the Notice currently in effect. We have the right to change the terms of this Notice and our privacy policies and practices. Any changes will apply to your past, current, or future PHI. When we make a change to our policies, we will change this Notice and post a new Notice on our website (uihc.org). We will post the Notice as required by law and will have a copy of the revised Notice in the places where we offer medical services. The Notice will have the effective date on the last page. You may also ask for a copy of our current Notice at any time from the University of Iowa Health Care and Student Health Registration Desks.

Uses and Disclosures of Protected Health Information Without Your Authorization

We are allowed by law to use and share your health information with others without your authorization for many reasons. These examples describe the categories of our uses and disclosures we may make without your authorization. Please note that not each use or disclosure in each category is listed and these are general descriptions only. Where state or federal law restricts one of the described uses or disclosures, we follow the requirements of such law.

• Treatment – We may use and disclose medical information about you to physicians, nurses, technicians, physicians in training, or other health care professionals who are involved in your care. For example, if you  are being treated for a knee injury, we may disclose your PHI to the Department of Rehabilitation Therapies. Different health care professionals, such as pharmacists, lab technicians, and x-ray technicians, also may share information about you to coordinate your care. Also, we may send information to the physician who referred you to University of Iowa Health Care, or other health care providers not affiliated with UI Health Care or Student Health who are involved in your care.
  Payment – We may use and disclose your PHI to bill and collect payment for the treatment and services we provided to you. For examples we may provide PHI to a payor to get approval for treatment or admission to the hospital. We may also share your health information with another provider that has treated you so that they can bill you.
• Health care operations – We may use and disclose your PHI as part of our operations. For example, we may use your PHI to evaluate the quality of health care services you received or to evaluate the performance
  of health care professionals who cared for you. We may also disclose information to physicians, nurses, technicians, medical, nursing, and other health professional students, and other hospital personnel as part of our educational mission. In some cases, we will furnish other qualified parties with your medical information for their health care operations.
• Business associates – We may share your health information with others called “business associates,” who perform services on our behalf. The business associate must agree in writing to protect the confidentiality of the information. For example, we may share your health information with a billing company that bills for the services we offer.
• Appointment reminders and health-related benefits or services – We may use your PHI to give you appointment reminders or information about treatment alternatives or other health care services. If you give   us your mobile telephone number, we may contact you by phone or text message at that number for treatment and quality-related purposes such as appointment reminders, wellness checks, registration instructions, etc.
  We will identify UI Health Care or Student Health Services as the sender of the communication and offer you with a way to “opt out” and not get further communication in this manner.
• Public health activities – We may disclose medical information about you for public health activities. These activities may be disclosures:
  • To public health authority authorized by law to collect or get such information for the purpose of preventing or controlling disease, injury, or disability;
  • To appropriate authorities authorized to get reports of child or dependent adult abuse and neglect;
  • To FDA-regulated entities for purposes of monitoring or reporting the quality, safety, or effectiveness of FDA-regulated products;
  • To notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; and
  • With parent or guardian permission, to send proof of required immunization to a school.
• Law enforcement – We may disclose certain medical information to law enforcement authorities for law enforcement purposes, for example:
  • As required by law, like reporting certain wounds and physical injuries;
  • In response to a court order, subpoena, warrant, summons, or similar process;
  • To identify or locate a suspect, fugitive, material witness, or missing person;
  • About the victim of a crime if we have the individual’s agreement, or under certain limited circumstances, if we are not able to get the individual’s agreement;
  • To alert authorities of a death we believe may be the result of criminal conduct;
  • Information we believe is evidence of criminal conduct occurring on our premises; and
  • In emergency circumstances to report a crime; the location of the crime or victims or the identity, description, or location of the person who committed the crime.
• Threats to health or safety – Under certain circumstances, we may use or disclose your medical information to avert a serious threat to health and safety if we, in good faith, believe the use or disclosure is needed to prevent or lessen the threat and is to a person reasonably able to prevent or lessen the threat (such as the target) or is needed for law enforcement authorities to identify or apprehend an individual involved in a crime.
• Abuse, neglect, or domestic violence – We may notify the appropriate government authority if we believe you have been the victim of abuse, neglect, or domestic violence. Unless such disclosure is required by law (for example, to report a particular type of injury), we will only make this disclosure if you agree.
• Judicial and administrative proceedings – If you are involved in a lawsuit or a dispute, we may disclose medical information about you due to a court or administrative order. We may also disclose medical information about you due to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if reasonable efforts have been made to notify you of the request or to get an order from the court protecting the information requested.
• Health oversight activities – We may disclose PHI to a health oversight agency for audits, investigations, inspections, licensure, and other activities, as authorized by law. For example, we may disclose PHI to the Food and Drug Administration, state Medicaid fraud control, or the U.S. Department of Health and Human Service Office for Civil Rights.
• Research studies – Under certain circumstances, we may disclose your PHI to help conduct research, subject to certain safeguards. Research may involve finding a cure for an illness or helping to find out the effectiveness of treatments. In research studies, a Privacy Board or Institutional Review Board ensures that measures are in place to protect your identity from disclosure to organizations outside of University of Iowa Health Care. We may disclose medical information about you to people starting a research project, but the information will stay on site.
• Organ or tissue donation – We may use your PHI to notify organ donation organizations, and to help them in organ, eye, or tissue donation and transplants.
• Deceased individuals – We are required to have safeguards to protect your medical information for 50 years after your death. After your death we may disclose medical information to a coroner, medical examiner, or funeral director as needed for them to carry out their duties and to a personal representative (for example, the executor of your estate). We may also release your medical information to a family member or other person who acted as personal representative or was involved in your care or payment for care before your death, if relevant to such person’s involvement, unless you have stated a different preference.
• Workers’ compensation purposes – We may disclose PHI about you to your employer or others as authorized
  by law for workers’ compensation or other programs that offer benefits for work-related injuries or illness.
• National security and intelligence activities – We may release PHI to authorized federal officials when required by law. This information may be used to protect the president, other authorized persons, or foreign heads of state, to conduct special investigations, for intelligence and other national security activities authorized by law.
• Incidental uses and disclosures – There are certain incidental uses or disclosures of your information that happen while we are providing service to you or conducting our business. For example, after surgery the nurse or doctor may need to use your name to find family members that may be waiting for you in a waiting area. Other individuals waiting in the same place may hear your name called. We will make reasonable efforts to limit these incidental uses and disclosures.
• Required by law – We will use and disclose your information as required by federal, state, or local law.
• Disaster relief – We may also share medical information about you with an organization helping in a disaster relief effort.

Uses and Disclosures for which you have the Opportunity to Object

• Hospital directory – We will use your name, the location at which you are getting care, your general condition, and your religious affiliation for directory purposes. All this information, except religious affiliation, will be disclosed to people who ask for you by name. If you object to this use, we will not put this information in the directory and will not share it. To object, please tell us at registration or tell your nursing staff.
• Health care affiliates/alliances – We are part of electronic health information data sharing agreements with other health care providers, public health organizations, and payors. These data sharing arrangements are to help treatment, improve health care operations, and allow for an analysis of care in all settings. These data sharing arrangements are designed to make sure appropriate protections are in place and stop the inappropriate release of your PHI. If you do not wish to be in these data sharing arrangements, please tell our Privacy Officer at the contact information listed at the end of this Notice.
• Fundraising – We may use your PHI in efforts to raise money for University of Iowa Health Care. We may give your PHI to the University of Iowa Center for Advancement for this purpose. If you do not want University of Iowa Health Care to reach out for fundraising efforts, please tell our Privacy Officer at the contact information listed at the end of this Notice or respond to any opt out process offered with each fundraising communication.
• Disclosures to family, friends, or others – We may give your PHI to a family member, friend, or other person you tell us is involved in your care or involved in the payment of your health care, unless you object in whole or in part. If you are not able to agree or object to such a disclosure, we may disclose such information as needed if we decide that it is in your best interest. This could be sharing information with your family or friend so they can pick up a prescription or a medical supply.

Users and Disclosures Requiring your Authorization

There are many uses and disclosures we will make only with your written authorization. These are:

• Uses and disclosures not described above – We will get your authorization for any use of disclosure of your medical information that is not described in the earlier examples.
• Psychotherapy notes – Notes made by a mental health professional documenting conversation during private counseling sessions or in joint or group therapy that are kept separate from our electronic medical record require your authorization.
• Marketing – We will not use or disclose your medical information for marketing purposes without your authorization. If we will get any financial remuneration from a third party in connection with marketing, we will tell you that in the authorization form.
• Sale of medical information – We will not sell your medical information to third parties without your authorization. Any such authorization will state that we will get remuneration in the transaction.

If you give authorization, you may change it at any time by giving us notice following our authorization policy and the instructions in our authorization form. Your revocation will not be effective for uses and disclosures made in reliance on your prior authorization.
 

Your Rights Regarding PHI

You have the right to:

• Request restrictions – You can ask us not to use or share certain PHI for treatment, payment, or health care operations purposes. For example, when you have paid for your services out of pocket in full, at your request  we will not share information about those services with your payor (the organization that pays for your medical care), as long as such disclosure is not required by law. For all other requests, we will consider your request,   but we are not legally required to accept it. If we accept your request, we will document any limits in writing   and follow them except in emergency situations. You may not limit the uses and disclosures that we are legally required or allowed to make. To request a restriction, write to the Privacy Officer listed at the end of this Notice.
• Request confidential communications – You can ask that we send PHI to you at a different address or contact you about your health information in a certain way. For example, you may wish to have appointment
  reminders and test results sent to a PO Box or a different address than your home address. We will say “yes” to reasonable requests that give specific directions of the alternative. To make a request, tell the Privacy Officer at the address listed at the end of this Notice. You do not need to give a reason for your request.
• Inspect and copy – You have the right to inspect and get a copy of much of the medical information that   we maintain about you, with some exceptions. Normally, this information has the medical record and billing records. There are certain conditions on which we may deny your request. If we maintain the medical information electronically and you ask for an electronic copy, we will give the information to you in the form
  and format you request if it is readily producible. If we cannot readily get the record in the form and format you request, we will give it in another readable electronic format or paper copy, we both agree to. If you direct us to send your medical information to another person, we will do so if your signed, written direction clearly states  the recipient and location for delivery. To see or get a copy of medical or billing information, please send your request in writing to either:
  • Release of Information, for medical information; or
  • Patient Financial Services, for billing, both listed at the end of this Notice. We will normally respond to your request within 30 days but may need longer in certain cases. You may be charged a fee as allowed by law to cover certain costs needed with your request.
• Accounting of disclosures – You have the right to get a list of certain instances in which we have disclosed your PHI. You may ask for this list for the prior 6 years. We will give the times we have shared your PHI, who we shared it with, and why. The list will not have uses or disclosures that you have specifically authorized   in writing, for example, copies of records to your attorney or to your employer, or disclosures for treatment,
  payment, or health care operations and certain other types of disclosures. Please send your request in writing to the Privacy Officer listed at the end of this Notice. We will offer one list a year for free but will charge a reasonable cost-based fee if you ask for another list within 12 months.
• Amendment – You have the right to ask us to change certain medical information that we keep in your records if you think that information is not correct or incomplete. You may ask for an amendment for as long as that record is maintained. You may submit a written request for an amendment to Release of Information listed at the end of this Notice. University of Iowa Health Care may say “no” to certain requests, but we will tell you in writing within 30 days why we denied your request.
• Paper copy of this Notice – You can ask for a paper copy of this Notice at any time, even if you have asked to get it electronically. You may pick up a copy at any check-in point throughout the hospital and clinics, at the Registration Desk, at Student Health Service, or ask that a copy be sent to you.
• Notification in the case of breach – We are required by law to notify you of a breach of your unsecured medical information. We will give such notification to you without unreasonable delay but in no case later than 60 days after we discover the breach.
• How to exercise these rights – All requests to exercise these rights must be in writing. We will respond to your request on a timely basis following our written policies and as required by law. Contact the offices noted below in this Notice to get request forms or ask questions.

Sharing and Joint Use of your Information

While providing care to you, UI Health Care will share your PHI with our medical staff who have agreed to abide by the terms described below:

The medical staff and UI Health Care participate together in an organized health care arrangement to deliver health care to you at UI Health Care Medical Center Downtown. Both UI Health Care Medical Center Downtown and its medical staff have agreed to abide by the terms of this Notice with respect to PHI created or received as part of delivery of health care to you at UI Health Care Medical Center Downtown. UI Health Care Medical Center Downtown medical staff will have access to and use your PHI for treatment, payment and health care operations purposes related to your care within UI Health Care Medical Center Downtown. UI Health Care Medical Center Downtown will disclose your PHI to the medical staff for treatment, payment, and health care operations.

Revocation of Permission

If you give us authorization to use or disclose your medical information, you may remove that authorization at any time. Please make your request in writing to Release of Information at the contact information listed at the end of this Notice.

If you remove your authorization, we will no longer use or disclose medical information about you for the reasons covered by your written revocation. We are not able to take back any disclosures made before with your authorization.
 

Complaints and Questions

If you believe your privacy rights have been violated, you may file a complaint with University of Iowa Health Care or with the Secretary of the U.S. Department of Health and Human Services.

To file a complaint about our privacy practices with University of Iowa Health Care or questions about this Notice, notify: 

University of Iowa Health Care Privacy Officer
200 Hawkins Drive, 1309B JCP 
Iowa City, Iowa 52242-1009
319-384-8282
[email protected]

 
You will not be penalized for filing a complaint, and your care will not be compromised.

If you would like to file a complaint with the Secretary of the U.S. Department of Health and Human Services, please contact:

Download HIPAA Notice of Privacy Practices