The Notice of Privacy Practices describes ways in which Great River Health Systems may use and disclose your medical information, and obligations regarding use and disclosure. It also describes your rights to access and control your protected health information (PHI). Please review it carefully. If you have any questions, please call the health systems’ Privacy Officer at 319-768-1960.
PHI is medical and demographic information that may identify you. It includes past, present or future physical or mental health, or conditions and related health-care services. Great River Health Systems and independent providers of diagnostic-imaging services, collectively referred to as Great River Health Systems, may use and disclose your PHI to carry out treatment, initiate payment or conduct health-care operations, and for other purposes that are permitted or required by law.
Great River Health Systems includes all Great River Medical Center departments, Burlington Area Family Practice Center, Great River Clinics, Home Health and Hospice, Great River Klein Center, Heritage Family Pharmacy, Heritage Medical Equipment and Supplies, Heritage Park Pharmacy and Heritage Partners Pharmacy.
Who must follow this notice?
• All Great River Health Systems employees, health-care providers and volunteers
• All business associates in formal agreement with the health system
Our promise to you
A record of the health care and services you receive at Great River Health Systems is created to provide you with quality care and comply with legal requirements. We understand that your medical information is private, and we are committed to protecting it.
We are required by law to:
• Keep private and confidential all medical information that identifies you
• Give you this notice of our legal obligation and privacy practices regarding your PHI
• Follow the terms of the Notice of Privacy Practices
We may change the terms of our notice at any time. A new notice will be effective for all PHI that we maintain at that time. On request, we will provide you with a revised Notice of Privacy Practices. You also may get a copy by calling the Health Information Management Department at 319-768-1900, or asking for one when you register for your next appointment.
How we may use and disclose your medical information
The following categories describe ways we may use and disclose your PHI without your written authorization. Not every use or disclosure is listed, but all permitted uses fit into one of these categories and are in compliance with Health Insurance Portability and Accountability Act (HIPAA) privacy and security regulations.
For treatment – We may use your PHI to provide, coordinate or manage your medical treatment or services. We may disclose minimally necessary information to providers, nurses and other health-care providers who are or will be involved in your care.
Examples: You may need surgery, and the surgeon may need a medical provider’s recent history and physical before he or she can perform the procedure. If you have diabetes, the provider may need to tell a dietitian so appropriate meals are ordered. Other hospital departments also may share medical information about you to coordinate the care you need, such as medicines, and laboratory and diagnostic-imaging tests. Your health information may be shared with a provider to whom you have been referred to ensure that the provider has the necessary information to continue care, diagnose or treat you.
For payment – We may use and disclose relevant PHI so treatment and services you receive at our facility can be billed to and payment may be collected from you, an insurance company or a third party. Information also may be used for Case Management activities.
Example: We may tell your health-insurance plan about a scheduled procedure or test to have it pre-certified and determine whether the treatment or hospital stay will be covered.
For health-care operations – We may use or disclose, as needed, your PHI to support the health systems’ business activities. This may include, but is not limited to, minimally necessary information for quality-assessment activities, employee-review activities, educating nurses, and conducting or arranging for other business activities.
Examples: We may use your PHI to review our treatment and services, and evaluate the performance of our staff in caring for you. We also may:
• Combine medical information about many patients to determine the effectiveness of treatments, plan services or discontinue services
• Combine medical information to compare information from other hospitals to improve services
• Remove information that identifies you in a set of medical information so others may use it to study health care and health-care delivery
• Share your PHI with third-party businesses that perform billing and other services for the health system. Arrangements between Great River Health Systems and business associates that require the use or disclosure of PHI will have written contracts containing terms that protect the privacy of your PHI.
For appointment reminders – We may use or disclose your PHI, as necessary, to remind you of an appointment.
For the hospital directory – Unless you object, we may include limited information about you in the hospital directory while you are an inpatient. This information may include your name and location in the hospital. General condition reports (undetermined, good, fair, serious, critical) on specific patients may be given to the media. These include patients who are well-known public figures on a local, statewide or national level. Information about patients in the Psychiatric Care Unit is never provided to media. Directory information will be released only to people who ask for you by name, indicating they already know you are a patient.
For treatment alternatives and health-related benefits and services – We may use or disclose your PHI, as necessary, to provide you with information about treatment alternatives or other health-related benefits and services that may interest you.
Example: We may send you a newsletter about services we offer. If you do not want this information, call the Privacy Officer to have your name removed from the mailing list.
Other permitted and required uses and disclosures that may be made without your authorization or opportunity to object
We may use or disclose your PHI in these instances without a consent or authorization, in compliance with HIPAA regulations, to:
• Abuse or neglect – A government or public-health official authorized by law to receive reports of abuse or neglect in children or adults. This is mandated by federal and state laws.
• Adverse reactions, defective products – A representative of the U.S. Food and Drug Administration to report adverse events, product defects or problems, biologic product deviations or track products to initiate product recalls, make repairs or replacements, or conduct post-marketing surveillance
• Communicable diseases – A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading the disease or condition, if authorized by law
• Coroners, funeral directors and organ donation – To a coroner or medical examiner for identification, determining cause of death or performing other duties authorized by law. The health system also may disclose PHI to funeral directors, as authorized by law, to permit them to carry out their duties. The health system may disclose such information in reasonable anticipation of death. PHI may be used and disclosed for organ, eye or tissue-donation purposes.
• Health oversight – Health-oversight agencies for activities authorized by law, such as audits, investigations and inspections. This includes government agencies that oversee the health-care system, government benefit programs, other government regulatory programs and civil rights laws.
• Inmates – Correctional institutions to provide health care, to protect inmates’ health and safety or the health and safety of others, and for the safety and security of the correctional institution
• Law enforcement – Law-enforcement agencies, as long as applicable legal requirements are met. Law-enforcement purposes include:
  • Events in which a crime occurs on the premises of the health-care facility
  • Limited-information requests for identifying or locating a suspect, fugitive, material witness or missing person
  • Emergency medical treatment situations during which a crime is reported and it’s necessary to report the location of the crime or victims, or the identity, description, or location of a person who committed the crime
  • Responses pertaining to victims of a crime
  • Responses to a court order, subpoena, warrant, summons or similar process
• Legal proceedings – A subpoena, discovery request or other lawful process by someone else involved in a dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested
• Military or national security – Authorities who carry out duties under the law if patients are involved with military, national security or intelligence activities
• Public health – A public-health authority who is permitted by law to collect or receive the information for public-health activities and purposes. The disclosure may be made to help control disease, injury or disability; report births and deaths; report child abuse or neglect; report reactions to medicines or problems with products; notify patients of product recalls. We may disclose PHI, if directed by the public-health authority, to a foreign government agency that is working with the public-health authority.
• Required by law – Comply with the law. Disclosure will be limited to the relevant requirements of the law, and patients will be notified of any such uses or disclosures.
• Required uses and disclosures – Investigate or determine the health systems’ compliance with the requirements of Section 164.500 et seq., which is required by the Secretary of the Department of Health and Human Services
• Workers’ compensation – Comply with workers’ compensation laws and other similar legally established programs
Uses and disclosures with your authorization or opportunity to object
In some instances, we may use and disclose all or part of your PHI. You will have the opportunity to agree or object. If you cannot agree or object, your provider, using professional judgment, may determine whether the disclosure is in your best interest. In this case, only minimal information that is necessary and relevant to your health care would be disclosed.
• Emergencies – We may need to use or disclose your PHI when you need emergency treatment. If this happens, your provider will attempt to obtain acknowledgement that you have received the Notice of Privacy Practices as soon as possible after necessary treatment.
• Others involved in your health care – We may disclose minimal PHI to a relative or close friend directly involved in your health care or any other person you have identified or listed as a contact person or power of attorney. We may use this information to notify anyone responsible for your care of your location, general condition or death. We may use or disclose minimal PHI to an authorized public or private entity to help in disaster-relief efforts.
• Research – Under specific circumstances and only after a special approval process, we may use and disclose your PHI to help conduct research.
Uses and disclosures with your written authorization
Some uses and disclosures of your PHI can be made only with your written authorization, unless otherwise permitted or required by law, as described in the next section. You may revoke this authorization anytime, in writing, unless the health system relies on the use or disclosure indicated in the authorization.
You have the right to inspect and receive a copy of your PHI.
You may review and get a copy of your PHI that is contained in a designated record set for as long as we maintain the information. A designated record set contains medical and billing records, and any other records our staff uses for making decisions about you. Under federal law, you may not review or receive a copy of the following records:
• Information compiled in reasonable anticipation of or use in a civil, criminal or administrative action or proceeding
• PHI that is subject to law that prohibits access to this information
• Psychotherapy notes
To review and copy PHI that may be used to make decisions about your care, you must submit a written request to the Health Information Management Department. You may be charged for copying and mailing. For health information that is maintained in electronic form, you can sign a form that authorizes us to send an electronic copy to a designated person or entity.
In rare instances, your request to review and copy your PHI may be denied. For example, a health-care provider may determine that such access would be harmful to you or someone else. You have a right to have the decision reviewed by another health-care provider for a second opinion. The person conducting the review would not be the person who denied your request. We will comply with the outcome of the review. Please contact our Privacy Officer if you have questions about denial of access to your PHI.
You have the right to request a restriction of your PHI.
You may ask Great River Health Systems not to use or disclose any part of your PHI for the purposes of treatment, payment or health-care operations.
Example: You can request that we not use or disclose information about a surgery you had. You also may request that any part of your PHI not be disclosed to family members or friends who are involved in your care or notification of general condition, location or death.
Please discuss restrictions with our Privacy Officer. Requests must be in writing, stating the specific restriction requested and to whom you want the restriction to apply.
We are not obligated to agree to requested restrictions. If we do not agree, you will receive notification in writing. If the restriction is to a health plan or other payer for purposes of carrying out payment or health-care operations, unless required by law and you have paid for the services, your request may not be accepted.
If we agree to the requested restriction, we will comply with the request, except as needed for emergency treatment.
You have the right to request to receive confidential communications from us by alternative means or at an alternative location.
You can request communication about treatment-related matters, such as appointment reminders or test results, in a certain way or at a certain location.
Example: You can request that we contact you only by cell phone or answering machine at work or at home. You may request that we mail information to an alternative address. Please make this request in writing to the Health Information Management Department. We will accommodate reasonable requests, but we may ask for payment information.
You have the right to request changes in your PHI.
If you think PHI in your designated record set is incorrect, you can request an amendment, if the information is still retained by Great River Health Systems. Forms are available in the Health Information Management Department. You must provide a reason for your request.
We may deny your request for an amendment if the PHI:
• Is determined to be correct
• Is not part of the information you are permitted to review or copy
• Is no longer retained by the health system
• Was created by a person or entity that is no longer available to make the amendment
• Was not created by the health system
If we deny your request, you have the right to file a statement of disagreement and request that statement be sent to anyone the information was disclosed to or be included in any future release of information. We may prepare a rebuttal and provide you with a copy of it.
You have the right to receive an accounting of disclosures of your PHI.
This right applies to disclosures made by Great River Health Systems or its contracted business associates. We are not required to include disclosures:
• Made for treatment, payment or operations
• Made to you or your personal representative(s)
• For notification to persons involved in your care
• For disaster relief or facility directory
• For other releases whereby an authorization is not required by regulations
However, accountings or access reports from your electronic health record represent disclosures made for treatment, payment and health-care operations, and you may request a report of who has accessed your electronic medical record.
The accounting of disclosures will include the date of each disclosure, a brief description of the information disclosed, who received the information and why the disclosure was made.
You may request disclosures made within six years of the request date. Submit a written request of disclosures to the Health Information Management Department. The first list you receive in a 12-month period is free. There may be a charge for additional lists. You will receive information about fees before the request is fulfilled.
Complaints
If you believe your privacy rights have been violated by Great River Health Systems, please call the health systems’ Privacy Officer, 319-768-1960, or contact the U.S. Secretary of Health and Human Services. The health system will not seek retaliation for filing a complaint.
Original: April 14, 2003 Revised: Aug. 1, 2011
