BETH ISRAEL MEDICAL CENTER
ST. LUKE’S-ROOSEVELT HOSPITAL CENTER
NEW YORK EYE AND EAR INFIRMARY
NOTICE OF PRIVACY PRACTICES
Effective Date: September 2013
THIS NOTICE OF PRIVACY PRACTICES DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Beth Israel Medical Center, St. Luke's-Roosevelt Hospital Center and the New York Eye and Ear Infirmary including its owned off-site physician practices (collectively, "Hospitals" for purposes of this Notice) are required by law to protect the privacy of your health information. We are also required to provide you with a copy of this Notice of Privacy Practices ("Notice") which describes our health information privacy practices, and to follow the terms of the Notice as it may be revised from time to time.
We reserve the right to change this Notice. A copy of our current Notice will always be posted in the reception area where you receive care. You will also be able to obtain your own copy by accessing our website at www.wehealnewyork.org, calling our office, or asking for one at the time of your next visit.
If you have any questions about this Notice or would like additional information, please contact the Hospital's Privacy Office at 212-523-2162.
We provide healthcare to patients jointly with physicians and other healthcare professionals and organizations. The privacy practices described in this Notice will be followed by:
These privacy practices will be followed at sites of care associated with all of the entities listed above. These facilities and individuals will share protected health information (PHI) with each other as necessary to carry out the treatment, payment, and healthcare operations described in this Notice.
IMPORTANT SUMMARY INFORMATION
What Health Information is Protected. We are committed to protecting the privacy of information we gather about you while providing health-related services. Some examples of PHI are: information indicating that you are a patient at one of our Hospitals; information about your health condition (such as a disease that you may have); information about healthcare products or services you have received or may receive in the future (such as an operation); or information about your healthcare benefits under an insurance plan (such as whether a prescription is covered) when combined with: demographic information (such as your name, address, or insurance status); unique numbers that may identify you (such as your social security number, your telephone number or your driver's license number); genetic information (see Attachment D); and other types of information that may identify who you are. Note that PHI is no longer protected 50 years after a patient's death.
Personal Representatives. If a person has the authority under law to make decisions for you relating to your healthcare ("personal representative") we will treat your personal representative the same way we would treat you with respect to your PHI. Parents and guardians will generally be personal representatives of minors unless the minors are permitted by law to act on their own behalf.
Requirement for Written Authorization. We will obtain your written authorization before using your PHI or sharing it with others outside of our Hospitals, except as described below. You may also request the transfer of your records to another person by completing a written authorization form. If you provide us with written authorization, you may revoke that written authorization at any time, except to the extent that we have already relied upon it. To revoke a written authorization, please write to: Privacy Office, 555 West 57th Street, 18th Floor, New York, NY 10019.
A verbal authorization is sufficient to disclose proof of immunization to a school where state law requires such information prior to admitting the student.
Special Protections for HIV, Alcohol and Substance Abuse, Mental Health and Genetic Information. Special privacy protections apply to HIV-related information, alcohol and substance abuse treatment information, mental health information, and genetic information. Some parts of this Notice may not apply to these types of information. Notices explaining how these categories of information will be protected by us are found in Attachments A-D.
YOUR RIGHTS TO ACCESS AND CONTROL YOUR HEALTH INFORMATION
You have the following rights regarding your medical information:
Right to Inspect and/or Obtain Record Copies
You have the right to inspect and obtain a copy in either electronic or paper form of any of your PHI that may be used to make decisions about you and your treatment for as long as we maintain this information in our records. We will produce the records in the specific electronic format that you request if it is feasible to do so. This includes medical and billing records. To inspect or obtain a copy of your PHI, please submit your request in writing to the hospital's Medical Record Department, the physician's office that has your records, or the hospital's Patient Accounts Department.
If you request a copy of the information, we may charge a fee, as permitted by law, for the costs of copying, mailing or other supplies we use to fulfill your request. The fee must generally be paid before or at the time we give the copies to you.
We will respond to your request for inspection of records within 10 days. We ordinarily will respond to requests for copies within 30 days if the information is located on-site and within 60 days if it is located in off-site storage. If we need additional time to respond to a request for copies, we will notify you in writing within the time frame above to explain the reason for the delay and when you can expect to have a final answer to your request.
Under certain very limited circumstances, we may deny your request to inspect or obtain a copy of your information. If we do, we will provide you with a summary of the information instead. We will also provide a written statement that explains the reasons for providing only a summary and a complete description of your right to have that decision reviewed. The written statement will also include information on how to file a complaint about these issues with us or with the Secretary of the United States Department of Health and Human Services/ Office for Civil Rights (OCR). If we have reason to deny only part of your request, we will provide complete access to the remaining parts.
Right to Amend Records
If you believe that the PHI we have about you is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept in our records. If you wish to amend your PHI please contact the Hospital's Medical Record Department or the physician's office that has your records.
Your request should include the reasons why you think we should make the amendment. Ordinarily we will respond to your request within 60 days. If we need additional time to respond, we will notify you in writing within 60 days to explain the reason for the delay and tell you when you can expect to have a final answer to your request.
If we deny part or all of your request, we will provide a written notice that explains our reasons for doing so. You will have the right to have certain information related to your requested amendment included in your records. For example, if you disagree with our decision, you will have an opportunity to submit a statement explaining your disagreement which we will include in your records. We will also include information on how to file a complaint with us or with the OCR. These procedures will be explained in more detail in any written denial notice we send you.
Right to an Accounting of Disclosures
You have a right to request an "accounting of disclosures", which is a list with information about how your PHI has been disclosed to others outside of our Hospitals (other than through our HIE).
An accounting list will not include:
To request this list, please write to:
Legal Affairs - 18th Floor
555 West 57th Street
New York, NY 10019
Your request must state a time period within the past six years for the disclosures you want us to include. For example, you may request a list of the disclosures that we made between January 1, 2008 and January 1, 2009. You have a right to receive one list within every 12 month period for free. However, we may charge you for the cost of providing any additional lists in that same 12 month period. We will always notify you of any cost involved so that you may choose to withdraw or modify your request before any costs are incurred.
Ordinarily we will respond to your request for an accounting within 60 days. If we need additional time to prepare the accounting list you have requested, we will notify you in writing about the reason for the delay and the date when you can expect to receive the accounting list. In rare cases, we may have to delay providing you with the accounting list without notifying you because a law enforcement official or government agency has directed us to do so.
Right to Request Additional Privacy Protections
You have the right to request that we further restrict the way we use and disclose your PHI to treat your condition, collect payment for that treatment, or run our business operations. You may also request that we limit how we disclose information about your treatment. To request restrictions, please write to the hospital's Medical Record Department or physician office that has your medical records. Your request should include (1) what information you want to limit; (2) whether you want to limit how we use the information, how we share it with others, or both; and (3) to whom you want the limits to apply.
We are not always required to agree to your request for a restriction, and in some cases the restriction you request may not be permitted under law but if we do agree, we will be bound by our agreement unless the information is needed to provide you with emergency treatment or to comply with the law. We are required, however, to honor your request if you direct us not to share specific PHI with your insurance company relating to a service you plan to pay for and do pay for personally. It is your responsibility, however, to inform other providers who may receive copies of your Hospital record that they may not share this information with your insurer.
Right to Request Confidential Communications
You have the right to request that we communicate with you about your medical matters by alternate means or at a specific location. For example, you may ask that we contact you at home instead of at work. To request more confidential communications, please write to:
Legal Affairs - 18th Floor
555 West 57th Street
New York, NY 10019
We will not ask you the reason for your request, and we will try to accommodate all reasonable requests. Please specify in your request how or where you wish to be contacted.
Notification of Other Disclosures:
You will be notified within 60 days if your PHI has been disclosed to or accessed by a person who was not authorized to receive the information if we determine that there was a high probability that the PHI has been compromised.
How to File a Complaint. If you believe your privacy rights have been violated, you may file a complaint with the Hospitals' Privacy Office or with the Department of Health and Human Services/Office for Civil Rights. To file a complaint please contact: Privacy Office - 555 West 57th Street, Legal Affairs, 18th Floor, New York, NY 10019 or the Department of Health and Human Services/OCR: www.hhs.gov/ocr/hipaa
Under no circumstances will you be penalized or subject to retaliation for filing a complaint.
HOW WE MAY USE AND DISCLOSE YOUR HEALTH INFORMATION WITHOUT YOUR WRITTEN AUTHORIZATION
Treatment. We may share your PHI with healthcare providers at our Hospitals who are involved in taking care of you, and they may in turn use that information to diagnose or treat you. We may also make your PHI available to providers you see outside our Hospitals by making it accessible through a Health Information Exchange (HIE), an electronic network that makes it possible to share information electronically, but we will not let anyone access it through the HIE without your consent except in an emergency (unless you direct us otherwise). This means that if your private, non-Hospital physician uses an HIE that we operate or is part of, s/he will be able to access your PHI generated in the course of any Hospital inpatient or outpatient care. In addition, certain information about your care at our Hospitals may be sent automatically to the person you name as your Primary Care Provider and to the physician who referred you to us. If your private physician is on staff at our Hospitals and uses our electronic health record (EHR) in his/her office, anyone taking care of you at our Hospitals will be able to access your private physician's medical record directly as well.
PHI shared through the HIE may include, in addition to your demographics and clinical information, the specially protected health information described in Attachments A (HIV-Related Information), B (Alcohol and Substance Abuse Treatment Information), C (Mental Health Information) and D (Genetic Information) of this Notice. The purpose of this use and disclosure to other non-Hospital providers is to ensure that they have the most current and complete information about the care you received at our Hospitals.
If you participate in one of our Health Homes, staff for those entities will have access to your PHI, with your consent, to assist in coordinating your care.
Payment. We may use your PHI or share it with others to obtain payment for your healthcare services. For example, we may share information about you with your health insurance company in order to obtain reimbursement after we have treated you, or to determine whether it will cover your treatment. You may direct us not to share specific PHI with your insurance company relating to a service you plan to pay for and do pay for personally. It is your responsibility, however, to inform other providers who may receive copies of your Hospital record that they may not share this information with your insurer. We might also need to inform your health insurance company about your health condition in order to obtain pre-approval for your treatment, such as admitting you to the hospital for a particular type of surgery. Finally, we may share your PHI with other healthcare providers, payers and their business associates for their payment activities.
Business Operations. We may use your PHI or share it with others in order to conduct our business operations. For example, we may use your PHI to evaluate the performance of our staff in caring for you, to educate our staff on how to improve the care they provide for you or to conduct training programs for students, trainees and other healthcare practitioners. Finally, we may share your PHI with other healthcare providers and payers for certain of their business operations if the information is related to a relationship the provider or payor currently has or previously had with you, and if the provider or payor is required to protect the privacy of your PHI.
Appointment Reminders, Treatment Alternatives, Benefits and Services. In the course of providing treatment to you, we may use your PHI to contact you with a reminder that you have an appointment for treatment or services at our facility. We may also use your PHI in order to recommend possible treatment alternatives or health-related benefits and services that may be of interest to you. If we are paid to send you treatment information, we will tell you that and give you the right not to receive these communications.
Fundraising. To support our business operations, we may use demographic information about you, including information about your age, date of birth and gender, where you live or work, the type of insurance you have, and limited clinical information including the dates that you received treatment, the department and physician that provided you with services and outcome information, in order to contact you to raise money to help us improve our facilities and programs. We will not sell your PHI without your authorization. You may opt out of receiving any fundraising communications at any time by calling us at 212-636-8400 or writing us at our Development Office, 555 West 57th Street, New York, NY 10019.
Business Associates (BAs). We may disclose the minimum amount of your PHI necessary to contractors, agents and other business associates who need the information in order to assist us with obtaining payment or carrying out our business operations. For example, we may share your PHI with a billing company that helps us obtain payment from your insurance company or with an insurance company, accounting firm, law firm, or risk management organization in order to obtain their advice regarding our operations. If we do disclose your PHI to a BA, we will have a written contract with them that requires the BA and any of its subcontractors to protect the privacy of your PHI. They and their subcontractors are also now independently required by federal law to protect your information.
In-Patient Directory. If you do not object, we will include your name, your location in our facility, your general condition (e.g., fair, stable, critical, etc.) and your religious affiliation in our Patient Directory while you are an inpatient or ambulatory surgery patient at any Hospital facility. This directory information, except for your religious affiliation, may be released to people who ask for you by name. If you do not object, your religious affiliation may be given to a member of the clergy, such as a priest or rabbi, even if he or she does not ask for you by name. If you wish to opt out or restrict access to any of this information, please let us know when you register for inpatient or ambulatory surgery services at any Hospital facility.
Family and Friends Involved in Your Care. If you do not object, we may share your PHI with a family member, relative, or close personal friend who is involved in your care or payment for that care. In some cases, we may need to share your PHI with a disaster relief organization that will help us notify these persons.
As Required By Law. We may use or disclose your PHI if we are required by law to do so. We also will notify you of these uses and disclosures if notice is required by law.
Public Health Activities. We may disclose your PHI to authorized public health officials (or a foreign government agency collaborating with such officials) so they may carry out their public health activities. For example, we may share your PHI with government officials responsible for controlling disease, injury or disability. We may also disclose your PHI to a person who may have been exposed to a communicable disease or be at risk for contracting or spreading the disease if the law permits us to do so. And finally, we are required to release some PHI about you to your employer if your employer hires us to provide you with a physical exam and we discover that you have a work-related injury or disease that your employer must know about in order to comply with employment laws.
Victims of Abuse, Neglect or Domestic Violence. We may release your PHI to a public health authority that is authorized to receive reports of abuse, neglect or domestic violence. For example, we may report your PHI to government officials if we reasonably believe that you have been a victim of such abuse, neglect or domestic violence. We will make every effort to obtain your permission before releasing this information, but in some cases we may be required or authorized to act without your permission.
Health Oversight Activities. We may release your PHI to government agencies authorized to conduct audits, investigations, and inspections of our facility. These government agencies monitor government benefit programs such as Medicare and Medicaid, as well as compliance with government regulatory programs and civil rights laws. We are required to release aggregate data (summary information that does not identify any specific patient) to the federal Center for Medicare and Medicaid Services (CMS) to demonstrate that we comply with Meaningful Use regulations by using EHR's to improve the quality of care, to better the overall health of the population and to improve efficiency.
Product Monitoring, Repair and Recall. We may disclose your PHI to a person or company that is regulated by the United States Food and Drug Administration for the purpose of: (1) reporting or tracking product defects or problems; (2) repairing, replacing, or recalling defective or dangerous products or (3) monitoring the performance of a product after it has been approved for use by the general public.
Lawsuits and Disputes. We may disclose your PHI if we are ordered to do so by a court or administrative tribunal that is handling a lawsuit or other dispute.
Law Enforcement. We may disclose your PHI to law enforcement officials for the following reasons:
To Avert A Serious And Imminent Threat to Health or Safety. We may use your PHI or share it with others when necessary to prevent a serious and imminent threat to your health or safety, or the health or safety of another person or the public. We may also disclose your PHI to law enforcement officers or others if you tell us that you participated in a violent crime that may have caused serious physical harm to another person, if we determine that you escaped from lawful custody (such as a prison) or eloped from a mental health institution.
National Security and Intelligence Activities or Protective Services. We may disclose your PHI to authorized federal officials who are conducting national security and intelligence activities or providing protective services to the President or other important officials.
Military and Veterans. If you are in the Armed Forces, we may disclose PHI about you to appropriate military command authorities for activities they deem necessary to carry out their military mission. We may also release PHI about foreign military personnel to the appropriate foreign military authority.
Inmates and Correctional Institutions. If you are an inmate or you are detained by a law enforcement officer, we may disclose your PHI to prison officers or law enforcement officers if necessary to provide you with healthcare, or to maintain safety, security and good order at the place where you are confined. This includes sharing information that is necessary to protect the health and safety of other inmates or persons involved in supervising or transporting inmates.
Workers' Compensation. We may disclose your PHI for workers' compensation or similar programs that provide benefits for work-related injuries.
Coroners, Medical Examiners and Funeral Directors. We may use PHI to identify a deceased person or determine the cause of death or disclose PHI to a coroner or medical examiner for such purposes. We may also release PHI to funeral directors as necessary to carry out their duties.
Organ and Tissue Donation. If you are a potential organ donor, we may use or disclose your PHI to other organizations that procure or store organs, eyes or other tissues for the purpose of investigating whether donation or transplantation is possible .
Research. In most cases, we will ask for your written authorization before using your PHI or sharing it with others in order to conduct research. However, under some circumstances, we may use and disclose your PHI without your written authorization if the hospital's Institutional Review Board, applying specific criteria, determines that the particular research protocol poses minimal risk to your privacy. Under no circumstances, however, would we allow researchers to use your name or identity publicly without your authorization. We may also release your PHI without your written authorization to people who are preparing a future research project as long as any information identifying you does not leave our facility. We may share PHI with people who are conducting research using the information of persons deceased less than 50 years, as long as they agree not to remove from our facility any information that identifies the deceased person.
Completely De-identified or Partially De-identified Information. We may use and disclose your health information if we have removed any information that has the potential to identify you so that the health information is "completely de-identified." We may also use and disclose "partially de-identified" health information about you for research, public health and specific healthcare operations if the person who will receive the information signs an agreement to protect the privacy of the information. Partially de-identified health information will exclude all direct identifiers but may include zip code, dates of birth, admission and discharge.
Incidental Disclosures. While we will take reasonable steps to safeguard the privacy of your PHI, certain disclosures of your PHI may occur during or as an unavoidable result of our otherwise permissible uses or disclosures of your PHI. For example, during the course of a treatment session, other patients in the treatment area may see or overhear discussion about your PHI.
CONFIDENTIALITY OF HIV-RELATED INFORMATION
Effective Date: September 2013
The privacy and confidentiality of HIV-related information maintained by us is protected by Federal and State law and regulations. These protections go above and beyond the protections described in our general Notice of Privacy Practices (Notice). If you have questions about this Notice or would like further information, please contact: Privacy Office - 212-523-2162
We recommend that you also take time to review our Notice for information about how your protected health information (PHI) may generally be used and disclosed by us. If there is any conflict between the Notice and this Attachment, the protections described in this Attachment will apply.
Confidential HIV-related information is any information indicating that you had an HIV-related test (even if the test is negative), have HIV-related illness or AIDS, or have an HIV-related infection, as well as any information which could reasonably identify you as a person who has had a test for or has HIV infection.
Under New York State law, confidential HIV-related information may only be given to persons allowed to have it by law, or persons you have allowed to have it by signing a written authorization form. The disclosure will be accompanied by a statement that the HIV-related information may not be redisclosed.
Confidential HIV-related information about you may be used by personnel within our Hospital who need the information to provide you with direct care or treatment, to process billing or reimbursement records, or to monitor or evaluate the quality of care provided at the hospital. Generally we may not reveal to an outside person confidential HIV-related information that the institution obtains in the course of treating you, unless:
Violation of these privacy regulations may subject the institution to civil or criminal penalties. Suspected violations may be reported to appropriate authorities in accordance with Federal and State law. To file a complaint, mail completed form DOH-2865 (Complaint Report for Alleged Violation of Article 27-F), available on the DOH website (http://www.health.ny.gov), to:
NYS Department of Health/AIDS Institute/Special Investigation Unit
5 Penn Plaza
New York, New York 10001
CONFIDENTIALITY OF ALCOHOL AND SUBSTANCE ABUSE TREATMENT INFORMATION
Effective Date: September 2013
The confidentiality of alcohol and substance abuse treatment records maintained by us is protected by Federal and State law and regulations. These protections go above and beyond the protections described in our Notice of Privacy Practices (Notice). If you have questions about this Notice or would like further information, please contact:
Privacy Office 212-523-2162
We recommend that you also take time to review our Notice for information about how your protected health information (PHI) may generally be used and disclosed by us. Our Notice provides information about how you may obtain access to your PHI, including alcohol and substance abuse treatment records. If there is any conflict between the Notice and this Attachment, the protections described in this Attachment will apply instead of the protections described in the Notice.
Confidential alcohol and substance abuse treatment records include any information that identifies you as having been diagnosed with, treated for or referred for treatment of alcohol abuse, substance abuse or chemical dependency.
Information about you may be used by personnel within our Hospitals in connection with their duties to provide you with diagnosis of, treatment for or referral for treatment of alcohol or substance abuse. Such use will be limited to the minimum amount of information necessary to carry out their duties. Generally, we may not reveal to a person outside of our Hospitals any information that would identify you as under treatment for alcohol or substance abuse, unless:
Violation of these privacy regulations is a crime. Suspected violations may be reported to appropriate authorities in accordance with Federal and State law.
CONFIDENTIALITY OF MENTAL HEALTH INFORMATION
AND PSYCHOTHERAPY NOTES
Effective Date: September 2013
The privacy and confidentiality of mental health information and psychotherapy notes maintained by us is protected by Federal and State law and regulations. These protections go above and beyond the protections described in our Notice of Privacy Practices (Notice). If you have questions about this Attachment or would like further information, please contact: Privacy Office 212-523-2162
We recommend that you also take time to review our Notice for information about how your protected health information (PHI) may generally be used and disclosed by us. The Notice also provides information about how you may obtain access to your PHI, including mental health information. If there is any conflict between the Notice and this Attachment, the protections described in this Attachment will apply instead of the protections described in the Notice.
CONFIDENTIALITY OF MENTAL HEALTH INFORMATION
Mental health information about you may be used by personnel within our Hospitals in connection with their duties to provide you with treatment, obtain payment for that treatment, or conduct our business operations. Generally, we may not reveal mental health information about you to other persons outside of our Hospitals, except in the following situations:
CONFIDENTIALITY OF PSYCHOTHERAPY NOTES
Psychotherapy notes are notes by a mental health professional that document or analyze the contents of a conversation during a private counseling session or during a group, joint, or family counseling session. If these notes are maintained separately from the rest of your medical records, they can only be used and disclosed as follows:
In general, Psychotherapy notes may not be used or disclosed without your written authorization, except by the mental health professional who created them in the following circumstances:
All other uses and disclosures of psychotherapy notes require your special written authorization.
CONFIDENTIALITY OF GENETIC INFORMATION
Effective Date September 2013
The privacy and confidentiality of genetic information maintained by us is protected by State law and Federal regulations. Genetic information means, with respect to an individual: (i) the individual's genetic tests; (ii) the genetic tests of family members of the individual; (iii) the manifestation of a disease or disorder in family members of such individual; or (iv) any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by the individual or any family member of the individual. These protections go above and beyond the protections described in our general Notice of Privacy Practices (Notice). If you have questions about this Attachment or would like further information, please contact:
Privacy Office 212-523-2162
We recommend that you also take time to review our Notice for information about how your protected health information (PHI) may generally be used and disclosed by us. Our Notice also provides information about how you may obtain access to your PHI, including confidential genetic information.
Under New York State (NYS) law, special restrictions apply to (1) genetic testing of human biological samples and (2) the disclosure of information derived from genetic tests to any person or organization. Genetic test means any laboratory test of DNA, chromosomes, genes or gene products to detect a genetic variation linked to a predisposition to a genetic disease. It does not include information relating to a manifested disease (a disease that can be diagnosed primarily based on symptoms) or information obtained when confirming a disease with genetic testing.
We will not perform a genetic test on a biological sample taken from you unless we obtains your written informed consent under NYS law. With your informed consent, we may use the results of your genetic test for treatment, payment and healthcare operations. Any other uses or disclosures of the results of your genetic test will generally require your written authorization. This authorization is separate from, and may not be combined with the informed consent.
Authorization is not required if: