What is HIPAA?
The privacy provisions of the federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), apply to health information created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses.
The Department of Health and Human Services (HHS) has issued the regulation, “Standards for Privacy of Individually Identifiable Health Information,” applicable to entities covered by HIPAA, and detailed below.
The Office for Civil Rights (OCR) is the Departmental component responsible for implementing and enforcing the privacy regulation.
Notice of Privacy Practices
We want our patients to understand how protected health information about you may be used and disclosed, and how you can get access to this information. “Protected health information” (PHI) or “medical information” is information about you, including demographic information, that may identify you and that relates to your past, present or future physical or mental health or condition and related health care services.
Please take a few minutes to review this carefully. If you have any questions about this notice, please contact Cayuga Medical Center’s privacy officer at 274-4316.
Additionally, for the privacy of our patients, residents and staff, we ask that you do not take photos or video of other patients or residents, or of staff, without their prior permission.
Who Must Follow These Guidelines
These guidelines describe Cayuga Medical Center’s practices and those of:
- Any health care professional authorized to enter information into your hospital chart.
- All departments and units of Cayuga Medical Center.
- Any member of a volunteer group we allow to help you while you are in Cayuga Medical Center.
- Cayuga Medical Center medical staff and adjunct staff members.
- All employees, staff and other Cayuga Medical Center personnel.
These guidelines apply to all of the above persons and entities at any site or location owned or operated by Cayuga Medical Center. In addition, these entities, sites and locations may share medical information with each other for treatment, payment or hospital operations purposes described in this notice.
Our Pledge Regarding Medical Information
We understand that protected health information about you and your health is personal and we are committed to protecting medical information about you. We create a record of the care and services you receive at Cayuga Medical Center. We need this record to provide you with quality care and to comply with certain legal requirements. These guidelines apply to all of the records of your care generated by Cayuga Medical Center, whether made by hospital personnel or your personal doctor. Your personal doctor may have different policies or notices regarding the doctor’s use and disclosure of your medical information created in the doctor’s office or clinic.
This notice of our guidelines describes the ways in which we may use and disclose medical information about you. We also describe your rights and certain obligations we have regarding the use and disclosure of medical information.
We are required by law to:
- Make sure that protected health information that identifies you is kept private.
- Give you this notice of our legal duties and privacy practices with respect to protected health information about you.
- Follow the terms of the guidelines that are currently in effect.
How We May Use and Disclose Medical Information About You
The following categories describe different ways that we use and disclose protected health information. For each category of uses or disclosures we explain what we mean and try to give some examples. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one of the categories.
We may use medical information about you to provide you with medical treatment or services. We may disclose medical information about you to doctors, nurses, technicians, medical students, or other Cayuga Medical Center personnel who are involved in taking care of you at the hospital. For example, a doctor treating you for a broken leg may need to know if you have diabetes because diabetes may slow the healing process. In addition, the doctor may need to tell the dietitian if you have diabetes so that we can arrange for appropriate meals. Different departments of Cayuga Medical Center also may share medical information about you in order to coordinate the different things you need, such as prescriptions, lab work and x-rays. We also may disclose medical information about you to people outside Cayuga Medical Center who may be involved in your medical care after you leave Cayuga Medical Center, such as family members or others we use to provide services that are part of your care.
We may use and disclose protected health information about you so that the treatment and services you receive at Cayuga Medical Center may be billed to and payment may be collected from you, an insurance company or a third party. For example, we may need to give your health plan information about surgery you received at Cayuga Medical Center so your health plan will pay us or reimburse you for the surgery. We may also tell your health plan about a treatment you are going to receive to obtain prior approval or to determine whether your plan will cover the treatment.
For Health Care Operations
We may use and disclose protected health information about you for Cayuga Medical Center operations. These uses and disclosures are necessary to run Cayuga Medical Center and make sure that all of our patients receive quality care. For example, we may use protected health information to review our treatment and services and to evaluate the performance of our staff in caring for you. We may also combine protected health information about many Cayuga Medical Center patients to decide what additional services the facility should offer, what services are not needed, and whether certain new treatments are effective. We may also disclose information to doctors, nurses, technicians, medical students, and other Cayuga Medical Center personnel for review and learning purposes. We may also combine the medical information we have with medical information from other hospitals to compare how we are doing and see where we can make improvements in the care and services we offer. We may remove information that identifies you from this set of medical information so others may use it to study health care and health care delivery without learning who the specific patients are.
We may share your protected health information with third party “business associates” that perform various activities (e.g., billing, transcription services) for the practice. Whenever an arrangement between Cayuga Medical Center and a business associate involves the use or disclosure of your protected health information, we will have a written contract that contains terms that will protect the privacy of your protected health information.
We may contact you to remind you that you have an appointment at Cayuga Medical Center.
We may use and disclose medical information to tell you about or recommend possible treatment options or alternatives that may be of interest to you.
Health-Related Benefits and Services
We may use and disclose medical information to tell you about health-related benefits or services that may be of interest to you.
We may include certain limited information about you in the hospital directory while you are a patient at Cayuga Medical Center. This information may include your name, location in the hospital, your general condition (e.g., fair, stable, etc.) and your religious affiliation. The directory information, except for your religious affiliation, may also be released to people who ask for you by name. Your religious affiliation may be given to a member of the clergy, such as a priest or rabbi, even if they don’t ask for you by name. This is so your family, friends, and clergy can visit you in Cayuga Medical Center and generally know how you are doing. You may restrict or prohibit the use or disclosure of this information by notifying the Admissions Department at 274-4353.
Individuals Involved in Your Care or Payment for Your Care
We may release medical information about you to a friend or family member who is involved in your medical care. We may also give information to someone who helps pay for your care. We may also tell your family or friends your condition and that you are in Cayuga Medical Center. In addition, we may disclose medical information about you to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status and location.
As Required By Law
We will disclose medical information about you when required to do so by federal, state, or local law.
Organ and Tissue Donation
If you are an organ donor, we may release medical information to organizations that handle organ procurement or organ, eye or tissue transplantation or to an organ donation bank, as necessary to facilitate organ or tissue donation and transplantation.
We may release medical information about you for workers’ compensation or similar programs. These programs provide benefits for work-related injuries or illness.
Public Health Risks
We may disclose your PHI for public health activities and purposes to a public health authority that is permitted by law to collect or receive the information. The disclosure will be made for the following purposes:
- To prevent or control disease, injury or disability
- To report births and deaths
- To report child abuse or neglect
- To report reactions to medications or problems with products
- To notify people of recalls of products they may be using
- To notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition
- To notify the appropriate government authority if we believe a patient has been the victim of abuse, neglect, or domestic violence. We will only make this disclosure if you agree or when required or authorized by law
- To prevent a serious threat to the health and safety of you or that of the public or another person. Any disclosure would only be to someone able to prevent the threat.
Health Oversight Activities
We may disclose medical information to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.
Lawsuits and Disputes
If you are involved in a lawsuit or a dispute, we may disclose medical information about you in response to a properly issued court or administrative order or subpoena. We may also disclose medical information about you in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested.
We may release medical information if asked to do so by a law enforcement official:
- In response to a court order, subpoena, warrant, summons or similar process
- To identify or locate a suspect, fugitive, material witness, or missing person
- About the victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement
- About a death we believe may be the result of criminal conduct
- About criminal conduct at the hospital
- In emergency circumstances to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime.
Hospitals must report (even if not asked) certain types of wounds, e.g., stabs and gunshots.
Coroners, Medical Examiners and Funeral Directors
We may release medical information to a coroner or medical examiner for identification purposes, determining cause of death, or for the coroner or medical examiner to perform other duties authorized by law. We may also disclose such information in reasonable anticipation of death.
National Security and Intelligence Activities
We may release medical information about you to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.
Protective Services for the President and Others
We may disclose medical information about you to authorized federal officials so they may provide protection to the President, other authorized persons or foreign heads of state, or conduct special investigations.
If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release medical information about you to the correctional institution as authorized or required by law. This release would be necessary (1) for the institution to provide you with health care; (2) to protect your health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution.
Your Rights Regarding Medical Information about You
You have the following rights regarding medical information we maintain about you:
Right to Inspect and Copy
You have the right to inspect and receive a copy of medical information that may be used to make decisions about your care. Usually, this includes medical and billing records, but does not include psychotherapy notes.
To inspect and copy medical information that may be used to make decisions about you, you must submit your request in writing to Cayuga Medical Center, Health Information Management Department. If you request a copy of the information, we may charge a fee for the costs of copying, mailing, or other supplies associated with your request.
We may deny your request to inspect and copy in certain very limited circumstances. If you are denied access to medical information, you may request that the denial be reviewed. Another licensed health care professional, chosen by Cayuga Medical Center, will review your request and the denial. The person conducting the review will not be the person who denied your request. We will comply with the outcome of the review.
Right to Amend
If you feel that medical information we have about you is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept by or for Cayuga Medical Center.
To request an amendment, please put your request in writing and submit it to Cayuga Medical Center, Health Information Management Department. In addition, please provide a reason that supports your request.
We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend information that:
- Was not created by us, unless the person or entity that created the information is no longer available to make the amendment
- Is not part of the medical information kept by or for Cayuga Medical Center
- Is not part of the information which you would be permitted to inspect and copy
- Is accurate and complete.
If we deny your request for an amendment, you may request that the denial be reviewed. Another licensed health care professional, chosen by Cayuga Medical Center, will review your request and the denial. The person conducting the review will not be the person who denied your request. We will comply with the outcome of the review.
Right to an Accounting of Disclosures
You have the right to request an “accounting of disclosures.” This is a list of the disclosures we made of medical information about you. Any accounting you request will not include: 1) disclosures made to carry out treatment, payment, or health care operations; 2) disclosures made to you; 3) disclosures made pursuant to an authorization given by you; 4) disclosures made to other people involved in your care or made for notification purposes; 5) disclosures made for national security or intelligence purposes; or 6) disclosures made to correctional institutions or law enforcement officials.
To request this list or accounting of disclosures, please submit your request in writing to Cayuga Medical Center, Health Information Management Department. Your request must state a time period, which may not be longer than six years and may not include dates before April 14, 2003. Your request should indicate in what form you want the list (for example, on paper, or electronically). The first list you request within a 12-month period will be free. For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred.
Right to Request Restrictions
You have the right to request a restriction or limitation on the medical information we use or disclose about you for treatment, payment or health care operations. You also have the right to request a limit on the medical information we disclose about you to someone who is involved in your care or the payment for your care, like a family member or friend. For example, you could ask that we not use or disclose information about a surgery you had. If you request a restriction to any of the persons subject to this Notice, the restriction is binding on all the participants.
We are not required to agree to your request. If we do agree, we will comply with your request unless the information is needed to provide you emergency treatment. However, we must agree to your request to restrict disclosure of your PHI to a health plan if the disclosure is for the purposes of obtaining payment for your health care or other operations of our practice and is not otherwise required by law and we have been paid in full for the treatment we provided related to the PHI you have asked us not to disclose.
To request restrictions, please make your request in writing to Cayuga Medical Center, Health Information Management Department. In your request, you must tell us (1) what information you want to limit; (2) whether you want to limit our use, disclosure, or both; and (3) to whom you want the limits to apply, for example, disclosures to your spouse.
Right to Request Confidential Communications
You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail.
To request confidential communications, please make your request in writing to Cayuga Medical Center, Health Information Management Department. We will not ask you the reason for your request. We will accommodate all reasonable requests.
Your request must specify how or where you wish to be contacted.
Right to Obtain a Paper Copy of This Notice
You have the right to obtain a paper copy of this notice. You may ask us to give you a copy of this notice at any time. Even if you have agreed to receive this notice electronically, you are still entitled to a paper copy of this notice.
You may obtain a copy of this notice at our website, www.cayugamed.org.
To obtain a paper copy of this notice, please ask Cayuga Medical Center admitting staff.
We must notify you if we learn that your PHI may have been subject to unauthorized acquisition, access, use or disclosure.
Changes to These Guidelines
We reserve the right to change these guidelines. We reserve the right to make the revised or changed notice effective for medical information we already have about you as well as any information we receive in the future. We will post a copy of the current notice in Cayuga Medical Center. The notice will contain on the first page, in the top left-hand corner, the effective date. In addition, each time you register at or are admitted to Cayuga Medical Center for treatment or health care services as an inpatient or outpatient, we will offer you a copy of the current notice in effect.
If you believe your privacy rights have been violated, you may file a complaint with the hospital or with the Secretary of the Department of Health and Human Services. To file a complaint with Cayuga Medical Center, contact our Quality Assessment Office at 274-4624. Please submit your complaint in writing.
You will not be penalized for filing a complaint.
Other Uses of Medical Information
Other uses and disclosures of medical information not covered by this notice or the laws that apply to us will be made only with your written permission. If you provide us with permission to use or disclose medical information about you, you may revoke that permission, in writing, at any time. If you revoke your permission, we will no longer use or disclose medical information about you for the reasons covered by your written authorization. You understand that we are unable to take back any disclosures we have already made with your permission, and that we are required to retain our records of the care that we provided to you.