Privacy Notice in English

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Print version

Enlace a la política de confidencialidad en español

Our Legal Responsibility

As your health care provider, we are legally required to protect the privacy of your health information, and to provideyou with this Notice about our legal duties, privacy practices, and your rights with respect to your health information. This requirement applies to all patients served by University of Iowa Health Care and University of Iowa Student Health Services.

University of Iowa Health Care describes the partnership between University of Iowa Hospitals & Clinics and the Roy J. and Lucille A. Carver College of Medicine. Student Health Services provides health services to University of Iowa students. This Notice applies to health information held by both entities.

University of Iowa Heath Care and Student Health Services are legally required to follow the privacy practicesdescribed in this Notice. If you have any questions or want more information about this Notice, please contact our Privacy Officer at the contact information listed at the end of this Notice.

Your Protected Health Information (PHI)

Throughout this Notice we will refer to your protected health information as PHI. Your PHI includes data that identifies you and reports about the care and services you receive at the hospital, in the clinics, or at Student Health Services. For example, it includes information about your diagnosis, medications, insurance status and policy number, payment information, social security number, address and other demographic information.

This Notice about our privacy practices explains how, when, and why we use and share your PHI. We may not use ordisclose any more of your PHI than is necessary for the purpose of the use or disclosure, with some exceptions.

Changes to This Notice

We are required to follow the terms of the Notice currently in effect. We reserve the right to change the terms of thisNotice and our privacy policies and practices. Any changes will apply to your past, current, or future PHI. When wemake an important change to our policies, we will change this Notice and post a new Notice on our website (uihc.org).We will post the Notice as required by law and will have available a copy of the revised Notice in the places where weprovide medical services. The Notice will contain the effective date on the last page. You may also request a copy ofour current Notice at any time from the University of Iowa Hospitals & Clinics Registration Desks.

Uses of Protected Health Information

We are allowed by law to use and share your health information with others without your consent for many reasons. The following examples describe the categories of our uses and disclosures we may make without your permission.Please note that not every use or disclosure in each category is listed and these are general descriptions only. Where state or federal law restricts one of the described uses or disclosures, we follow the requirements of such law.

Treatment

We may use and disclose medical information about you to physicians, nurses, technicians, physicians in training, orother health care professionals who are involved in your care. For example, if you are being treated for a knee injury, we may disclose your PHI to the Department of Rehabilitation Therapies. Different health care professionals, such aspharmacists, lab technicians, and X-ray technicians, also may share information about you in order to coordinate yourcare. In addition, we may send information to the physician who referred you to University of Iowa Health Care, or other health care providers not affiliated with UI Hospitals & Clinics who are involved in your care. At all times, we will comply with any regulations that apply.

Payment

We may use and disclose your PHI in order to bill and collect payment for the treatment and services we provided toyou. For example, we may provide PHI to an insurance company or other third party payor in order to obtain approval for treatment or admission to the hospital. We may also share your health information with another doctor or hospitalthat has treated you so that they can bill you, your insurance company, or a third party.

Health care operations

We may use and disclose your PHI as part of our routine operations. For example, we may use your PHI to evaluate the quality of health care services you received or to evaluate the performance of health care professionals who cared for you. We may also disclose information to physicians, nurses, technicians, medical, nursing and other health professional students, and other hospital personnel as part of our educational mission. In some cases, we will furnish other qualified parties with your medical information for their health care operations.

Business associates

We may share your health information with others called “business associates,” who perform services on our behalf. The business associate must agree in writing to protect the confidentiality of the information. For example, we may share your health information with a billing company that bills for the services we provide.

Appointment reminders and health-related benefits or services

We may use your PHI to provide appointment reminders or give you information about treatment alternatives or otherhealth care services. If you provide us with your mobile telephone number, we may contact you by call or text message at that number for treatment-related purposes such as appointment reminders, wellness checks, registration instructions, etc. We will identify UI Hospitals & Clinics or Student Health Services as the sender of the communication and provide you with a way to "opt out" and not receive further communication in this manner. With your consent, we may contact you on your mobile phone for certain other purposes.

Public health activities

We may disclose medical information about you for public health activities. These activities may include disclosures:

  • To a public health authority authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability;
  • To appropriate authorities authorized to receive reports of child abuse and neglect;
  • To FDA-regulated entities for purposes of monitoring or reporting the quality, safety, or effectiveness of FDA-regulated products; 
  • To notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; and
  • With parent or guardian permission, to send proof of required immunization to a school.

Law enforcement

We may disclose certain medical information to law enforcement authorities for law enforcement purposes, such as:

  • As required by law, including reporting certain wounds and physical injuries;
  • In response to a court order, subpoena, warrant, summons, or similar process;
  • To identify or locate a suspect, fugitive, material witness, or missing person;
  • About the victim of a crime if we obtain the individual's agreement, or under certain limited circumstances, if we are unable to obtain the individual's agreement; 
  • To alert authorities of a death we believe may be the result of criminal conduct;
  • Information we believe is evidence of criminal conduct occurring on our premises; and
  • In emergency circumstances to report a crime; the location of the crime or victims or the identity, description, or location of the person who committed the crime.

Abuse, neglect, or domestic violence

We may notify the appropriate government authority if we believe you have been the victim of abuse, neglect, or domestic violence. Unless such disclosure is required by law (for example, to report a particular type of injury), we will only make this disclosure if you agree.

Judicial and administrative proceedings

If you are involved in a lawsuit or a dispute, we may disclose medical information about you in response to a court or administrative order. We may also disclose medical information about you in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if reasonable efforts have been made to notify you of the request or to obtain an order from the court protecting the information requested.

Health oversight activities

We may disclose PHI to a health oversight agency for audits, investigations, inspections, licensure, and other activities, as authorized by law. For example, we may disclose PHI to the Food and Drug Administration, state Medicaid fraud control, or the U.S. Department of Health and Human Service Office for Civil Rights.

Research studies

Under certain circumstances, we may disclose your PHI to help conduct research, subject, to certain safeguards. Research may involve finding a cure for an illness or helping to determine how effective a treatment is. In research studies, a Privacy Board or Institutional Review Board determines that measures are in place to protect your identity from disclosure to organizations outside of University of Iowa Health Care. We may disclose medical information about you to people preparing to conduct a research project but the information will stay on site. 

Organ or tissue donation

We may use your PHI to notify organ donation organizations, and to assist them in organ, eye, or tissue donation and transplants.

Deceased individuals

We are required to apply safeguards to protect your medical information for 50 years following your death. Following your death we may disclose medical information to a coroner, medical examiner, or funeral director as necessary for them to carry out their duties and to a personal representative (for example, the executor of your estate). We may also release your medical information to a family member or other person who acted as personal representative or was involved in your care or payment for care before your death, if relevant to such person’s involvement, unless you have expressed a contrary preference.

Workers’ compensation purposes

We may disclose PHI about you to your employer or others as authorized by law for workers' compensation or similar programs that provide benefits for work-related injuries or illness.

National security and intelligence activities

We may release PHI to authorized federal officials when required by law. This information may be used to protect the president, other authorized persons or foreign heads of state, to conduct special investigations, for intelligence and other national security activities authorized by law.

Threats to health or safety

Under certain circumstances, we may use or disclose your medical information to avert a serious threat to health and safety if we, in good faith, believe the use or disclosure is necessary to prevent or lessen the threat and is to a person reasonably able to prevent or lessen the threat (including the target) or is necessary for law enforcement authorities to identify or apprehend an individual involved in a crime.

Incidental uses and disclosures

There are certain incidental uses or disclosures of your information that occur while we are providing service to you or conducting our business. For example, after surgery the nurse or doctor may need to use your name to identify family members that may be waiting for you in a waiting area. Other individuals waiting in the same area may hear your name called. We will make reasonable efforts to limit these incidental uses and disclosures.

Required by law

We will use and disclose your information as required by federal, state, or local law.

Uses and Disclosures for Which You Have the Opportunity to Object

Hospital directory

We will use your name, the location at which you are receiving care, your general condition, and your religious affiliation for directory purposes. All of this information, except religious affiliation, will be disclosed to people who ask for you by name. If you object to this use, we will not include this information in the directory and will not share it. To object, please notify us at registration or notify a member of your nursing staff.

Health care affiliates/alliances

We participate in a variety of electronic health information data sharing agreements with other health care providers, public health organizations, and payors. These data sharing arrangements are to facilitate treatment, improve health care operations, and allow for an analysis of care provided in all settings. These data sharing arrangements are designed to assure appropriate protections are in place and prevent the inappropriate release of your protected health information. If you do not wish to participate in these data sharing arrangements, please notify our Privacy Officer at the contact information listed at the end of this Notice.

Fundraising

We may use your PHI in efforts to raise money for University of Iowa Health Care. We may provide your PHI to the University of Iowa Center for Advancement for this purpose. If you do not want University of Iowa Health Care to contact you for fundraising efforts, please notify our Privacy Officer at the contact information listed at the end of this Notice or respond to any opt out process provided with each fundraising communication.

Disclosures to family, friends, or others

We may provide your PHI to a family member, friend, or other person you tell us is involved in your care or involved in the payment of your health care, unless you object in whole or in part. If you are unable to agree or object to such a disclosure, we may disclose such information as necessary if we determine that it is in your best interest. This could include sharing information with your family or friend so they can pick up a prescription or a medical supply. We may also share medical information about you with an organization assisting in a disaster relief effort.

Uses and Disclosures Requiring Your Authorization

There are many uses and disclosures we will make only with your written authorization. These include:

Uses and disclosures not described above

We will obtain your authorization for any use of disclosure of your medical information that is not described in the preceding examples.

Psychotherapy notes

These are notes made by a mental health professional documenting conversations during private counseling sessions or in joint or group therapy. Many uses or disclosures of psychotherapy notes require your authorization.

Marketing

We will not use or disclose your medical information for marketing purposes without your authorization. Moreover, if we will receive any financial remuneration from a third party in connection with marketing, we will tell you that in the authorization form.

Sale of medical information

We will not sell your medical information to third parties without your authorization. Any such authorization will state that we will receive remuneration in the transaction.

If you provide authorization, you may revoke it at any time by giving us notice in accordance with our authorization policy and the instructions in our authorization form. Your revocation will not be effective for uses and disclosures made in reliance on your prior authorization.

Your Rights Regarding PHI

You have the right to:

Request restrictions

You can ask us not to use or share certain PHI for treatment, payment of health care operations purposes. For example, when you have paid for your services out of pocket in full, at your request we will not share information about those services with your health plan (the organization that pays for your medical care), as long as such disclosure is not required by law. For all other requests, we will consider your request, but we are not legally required to accept it. If we accept your request, we will document any limits in writing and follow them except in emergency situations. You may not limit the uses and disclosures that we are legally required or allowed to make. To request a restriction, notify the Privacy Officer listed at the end of this Notice.

Request confidential communications

You can ask that we send PHI to you at a different address or contact you about your health information in a certain way. For example, you may wish to have appointment reminders and test results sent to a PO Box or a different address than your home address. We will say “yes” to reasonable requests that provide specific directions of the alternative. To make a request, contact the Privacy Officer at the address listed at the end of this Notice. You do not need to provide a reason for your request.

Inspect and copy

You have the right to inspect and obtain a copy of much of the medical information that we maintain about you, with some exceptions. Usually, this information includes the medical record and billing records, but also includes records used to make decisions about you. There are certain conditions on which we may deny your request. If we maintain the medical information electronically in one or more designated record sets and you ask for an electronic copy, we will provide the information to you in the form and format you request, if it is readily producible. If we cannot readily produce the record in the form and format you request, we will produce it in another readable electronic form we both agree to. If you direct us to transmit your medical information to another person, we will do so, provided your signed, written direction clearly designates the recipient and location for delivery.

To see or obtain a copy of medical or billing information, please submit your request in writing to either:

  1. Release of Information, for medical information; or
  2. Patient Financial Services, for billing, both listed at the end of this Notice.

We will usually respond to your request within 30 days but may require longer in certain cases. You may be charged a fee as allowed by law to cover certain costs associated with your request.

Accounting of disclosures

You have the right to obtain a list of certain instances in which we have disclosed your PHI. You may request this list for a period of six years prior to the date you ask for the list. We will provide the times we have shared your PHI, who we shared it with, and why. The list will not include uses or disclosures that you have specifically authorized in writing, such as copies of records to your attorney or to your employer, or disclosures for treatment, payment or health care operations and certain other types of disclosures. Please submit your request in writing to the Privacy Officer listed at the end of this Notice. We will provide one list a year free, but will charge a reasonable cost-based fee if you ask for another list within twelve months.

Amendment

You have the right to ask us to amend certain medical information that we keep in your records if you think that information is inaccurate or incomplete. You may request an amendment for as long as that record is maintained. You may submit a written request for an amendment to Release of Information listed at the end of this Notice. University of Iowa Health Care may say “no” to certain requests, but we will tell you in writing within 60 days why we denied your request.

Paper copy of this notice

You can ask for a paper copy of this Notice at any time, even if you have asked to receive it electronically. You may pick up a copy at any check-in point throughout the hospital and clinics, at the Registration Desk, at Student Health Service, or request that a copy be sent to you.

Notification in the case of breach

We are required by law to notify you of a breach of your unsecured medical information. We will provide such notification to you without unreasonable delay but in no case later than 60 days after we discover the breach. 

How to exercise these rights

All requests to exercise these rights must be in writing. We will respond to your request on a timely basis in accordance with our written policies and as required by law. Contact the offices noted below in this Notice to obtain request forms or ask questions.

Revocation of Permission

If you provide us with permission to use or disclose your medical information, you may revoke that permission at any time. Please make your request in writing to Release of Information at the contact information listed at the end of this Notice.

If you revoke your permission, we will no longer use or disclose medical information about you for the reasons covered by your written revocation. We are unable to take back any disclosures previously made with your permission.

Complaints and Questions

If you believe your privacy rights have been violated, you may file a complaint with University of Iowa Health Care or with the Secretary of the U.S. Department of Health and Human Services.

To file a complaint about our privacy practices with University of Iowa Health Care or questions about this Notice, notify the University of Iowa Health Care Privacy Officer at the contact information listed below:

University of Iowa Hospitals & Clinics
Privacy Officer
200 Hawkins Drive, 1309B JCP
Iowa City, IA 52242-1009
1-319-384-8282
compliance@healthcare.uiowa.edu

You may also contact the Office of the Patient Experience listed below:

University of Iowa Hospitals & Clinics
Office of the Patient Experience
200 Hawkins Drive, CC102 GH
Iowa City, IA 52242-1009
1-319-356-1802
1-800-777-8442
patient-experience@uiowa.edu

You will not be penalized for filing a complaint, and your care will not be compromised.

Contact Information:
For: Contact
  • Requesting a Restriction
  • Requesting an Accounting of Disclosures
  • Opting out of Fundraising
  • Opting Out of Data Sharing
Privacy Officer listed above
  • Inspection and Copying of your Billing Records
University of Iowa Hospitals & Clinics
Patient Financial Services
200 Hawkins Drive
Iowa City, IA 52242-1084
1-319-356-2211
  • Inspection and Copying of your Medical Record
  • Amending your Medical Record
  • Revoking your Permission to Disclose your Medical Information
University of Iowa Hospitals & Clinics
Health Information Management (Medical Records)
200 Hawkins Drive, HSSB Suite 100
Iowa City, IA 52242
1-319-356-1719

If you would like to file a complaint with the Secretary of the U.S. Department of Health and Human Services, please contact:

U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
1-877-696-6775
www.hhs.gov/ocr/privacy/hipaa/complaints/

EFFECTIVE DATE OF NOTICE: April 14, 2003; September 20, 2013; November 1, 2019