ST. LUKE'S UNIVERSITY HEALTH NETWORK, AND ITS AFFILIATES NOTICE OF PRIVACY PRACTICES
THIS NOTICE OF PRIVACY PRACTICE DESCRIBES HOW MEDICAL INFORMATION MAY BE USED AND DISCLOSED, AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
I. WHO PRESENTS THIS NOTICE
This Notice of Privacy Practices (“Notice”) is given on behalf of certain health care provider affiliates of St. Luke’s University Health Network (“St. Luke’s”) and all SLUHN employees (including work from home employees), contingent workers, residents, clinical and non-clinical students, members of the medical staff, volunteers, observers, and all contracted personnel. All of St. Luke’s entities are legally required to follow the privacy practices that are described in this notice.
This Notice of Privacy Practices is effective as of January 1, 2023. If you have any questions about this Notice, please contact St. Luke’s Chief Compliance & Privacy Officer through the confidential Compliance & Ethics Hotline at 1-855-9ETHICS or 1-855-938-4427.
St. Luke’s is required to provide this Notice to comply with the regulations established under federal laws called the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule (the “Privacy Rule”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”). St. Luke’s is required by law to protect your medical information, including Protected Health Information (“PHI”) protected by HIPAA and other federal and state laws, and to use that information appropriately.
This Notice is intended to describe your rights, and to inform you about ways in which St. Luke’s may use and disclose your PHI, and the obligations St. Luke’s has when using and disclosing your PHI.
II. HOW WE MAY USE AND DISCLOSE YOUR PROTECTED HEALTH INFORMATION
The Privacy Rule allows St. Luke’s to use and disclose PHI about you for purposes of treatment, payment, and health care operations without your express permission. These include:
1. Treatment. St. Luke’s may use your PHI to provide you with medical treatment or services, to coordinate or manage your health care services, or to facilitate consultation or referrals as part of your treatment. For example, a doctor treating you for an injury asks another doctor about your overall health condition.
2. Payment. St. Luke’s may use and disclose your medical record to send bills and collect payment from you, your insurance company or other third parties, for the treatment and services provided to you by St. Luke’s. For example, we give information about you to your health insurance plan, so it will pay for your services.
3. Health Care Operations. St. Luke’s may use and disclose PHI about you for St. Luke’s health care operations. We can use and share your health information to run our practice, improve your care, and contact you when necessary. For example, we use health information about you to manage your treatment and services.
4. Business Associates. There are some services at St. Luke’s that may be provided through contracts with business associates. To protect your health information, however, we require the business associate to appropriately safeguard your information.
5. Public Health. St. Luke’s may use and disclose medical information about you for public health activities, such as disclosures to a public health authority or other government agency that is permitted by law to collect or receive the information (e.g., the Food and Drug Administration).
6. Victims of Abuse, Neglect, or Domestic Violence. The Privacy Rule authorizes St. Luke’s to disclose your PHI to the appropriate government authority, including a social service or protective service agency, if St. Luke’s reasonably believes a patient or resident has been a victim of abuse, neglect, or domestic violence.
7. Health Oversight Activities. St. Luke’s is permitted to disclose PHI to a health oversight agency for activities authorized by law, including audits, investigations, inspections, licensure or disciplinary activities, and other similar proceedings. St. Luke’s may not disclose the PHI of a person who is the subject of an investigation that is not directly related to that person’s receipt of health care or public benefits.
8. To Avert a Serious Threat to Health or Safety. St. Luke’s may, consistent with applicable law and standards of ethical conduct, use or disclose your PHI to prevent or lessen a serious or imminent threat to the health or safety of a person or the public.
9. Funeral Directors, Medical Examiners, and Coroners. Sometimes, St. Luke’s may deem it necessary to release medical information to funeral directors, so that they can carry out their duties appropriately. Sometimes, when there are concerns about identification of a patient, or determining what caused a death, we will release medical information to medical examiners or coroners.
10. Organ and Tissue Donation. If you are an organ donor, St. Luke’s may disclose your PHI to organizations that facilitate organ, eye, or tissue procurement, banking, or transportation.
11. Workers’ Compensation. St. Luke’s may release medical information about you to insurers, government administrators, and employers for workers’ compensation or similar programs. This relates to care provided for work-related injuries or illness.
12. Specialized Government Functions. In certain circumstances, the Privacy Rule authorizes St. Luke’s to use or disclose your PHI to facilitate specified government functions to include:
a. Medical Suitability and Intelligence Activities. St. Luke’s may disclose your PHI to the federal Department of State for use in making medical suitability determinations.
b. Inmates and Correctional Institutions. Should you be an inmate of a correctional institution or in the custody of a law enforcement official, St. Luke’s may release the PHI of inmates and others in law enforcement custody to the correctional institution or law enforcement official, where necessary.
c. Active-Duty Military Personnel. If you are a member of the armed forces, St. Luke’s may release medical information about you as required by military command authorities, including foreign authorities.
d. Government Security, Intelligence, and Bioterrorism. St. Luke’s may release medical information about you to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.
13. Judicial and Administrative Proceedings. If you are involved in a lawsuit or dispute, the Privacy Rule allows St. Luke’s to disclose your PHI in response to a court or administrative order, or in certain situations, a subpoena.
14. Law Enforcement. We may disclose limited PHI to the police or other law enforcement official as required or permitted by law or in compliance with a court order or a grand jury or administrative subpoena.
15. Research. Under certain circumstances, St. Luke’s may use and disclose your PHI for research purposes. Before we use or disclose medical information for research, the project will have been approved through St. Luke’s research approval process, but we may disclose your medical information to people preparing to conduct the research project (e.g., to help the researchers look for patients with specific medical conditions or needs).
16. As Required by Law. St. Luke’s is permitted to disclose your PHI when required to do so by federal, state, or local law.
III. WHEN YOU MAY AGREE OR OBJECT TO HOW WE USE AND DISCLOSE YOUR PHI
1. Hospital and Facility Directory. Unless you object, St. Luke’s may list certain information about you in the hospital directory while you are an inpatient at St. Luke’s. This information may include your name, where you are in St. Luke’s, a general description about your condition (e.g., fair, stable) and your religious affiliation. Information in the directory may be disclosed to anyone who asks for you by name; however, your religious affiliation may be given to members of the clergy even if they do not ask for you by name. If you choose to opt out, please call the Patient Access Center at (484) 526-1128 and ask them to remove you from the Hospital Directory.
2. Persons Involved in Your Care or Payment for Your Care. St. Luke’s may release PHI about you to a family member, friend, or someone you designate who is involved in your care or payment of medical bills. St. Luke’s may also disclose your health information to an entity authorized to assist in disaster relief so that those who care for you can receive information about your location or health status.
IV. WHEN YOUR WRITTEN AUTHORIZATION IS REQUIRED FOR USES AND DISCLOSURES OF YOUR PHI
1. Other Uses of Medical Information. Other uses and disclosures of medical information not covered by this Notice or the laws that apply to us will be made only with your written permission. If you provide us permission to use or disclose medical information about you, you may revoke that permission, in writing, at any time. You understand that we are unable to take back any disclosure that St. Luke’s has already made with your permission, and that we are required to retain our records of the care that we provided to you.
2. Psychotherapy Notes. St. Luke’s must obtain your written authorization for most uses and disclosures of psychotherapy notes, except when required to do so by a court order.
3. Marketing. St. Luke’s must obtain your written authorization prior to using or disclosing your PHI for most marketing materials.
4. Sale of Your PHI. St. Luke’s must obtain your written authorization for any disclosure of your PHI which constitutes the sale of PHI.
St. Luke's has operations and providers in both Pennsylvania and New Jersey, and those states' laws may be more protective of certain information than the Privacy Rule. Accordingly, depending on the state in which the information is obtained, St. Luke’s may be prohibited or limited, without obtaining your authorization, from disclosing your information related to treatment for mental health, developmental disabilities, alcoholism, substance abuse or drug dependency, venereal disease, genetic information, or information concerning the presence of HIV, antigen or non-antigenic products of HIV, or an antibody to HIV. However, in some cases, state law allows such disclosures without your specific authorization.
V. WHEN YOU HAVE THE OPPORTUNITY TO OPT OUT OF ST. LUKE’S CORRESPONDENCE
1. Fundraising Activities. St. Luke’s may solicit contributions to support the expansion and improvement of services and programs we provide to the community. In connection with our fundraising efforts, we may disclose to our employees or business associates demographic information about you (e.g., your name, address, and phone number), dates on which we provided health care to you, health insurance status, department of service, treating physician, and general outcome information. If you do not wish to receive any fundraising requests in the future, you may contact the St. Luke’s Foundation at (866) 468-6251 or respond via one of the methods identified in the fundraising correspondence that you may receive in the future.
2. Treatment Options. St. Luke’s may use or disclose your PHI to tell you about or recommend possible treatment options or alternatives that may be beneficial to you. For example, your name, address, and electronic mail address may be used so we can send you newsletters or health care bulletins about St. Luke’s and the services we provide. We may also send you information about health-related products or services that we or others make available and that we think may be useful or of interest to you. You may write to St. Luke’s Marketing and Communications Department Attn: InfoLink 801 Ostrum St., Bethlehem, PA 18015 or firstname.lastname@example.org as notification that you do not wish to receive any of our newsletters or other information.
3. Health Information Exchange. A patient's PHI is available electronically to local, state, or national healthcare providers who participate in our Electronic Health Record (EHR) system or other similar programs. These programs facilitate the exchange of health information by allowing approved participating providers to have a more complete picture of a patient's health, such as lab results, summary of care documents, and other medical data. Patients can choose to prohibit sharing their PHI for these purposes by completing a process referred to as Opting Out. Opting Out will prevent participating providers and their authorized users from viewing PHI, but the patient will still have access to view their PHI made available in our patient portal. To opt out, please call our MyChart Service Desk at 1-866-STLUKES.
1. To the extent required by law, St. Luke’s will notify affected individuals, the federal Department of Health and Human Services, and the media, as applicable, of any Breach of unsecured PHI that compromises the security or privacy of the PHI. All suspected Breaches will be investigated, and all necessary notifications will be sent, in accordance with company policy. Examples of unsecured PHI include but are not limited to:
a. Medical record left unattended in a public location (e.g., cafeteria or office waiting room);
b. Misdirected e-mail to an external group that includes a listing of patients’ accounts that have addresses, social security numbers, date of birth, or medical diagnosis; and
c. Intentional and non-work-related access by St. Luke’s workforce member or its business associate of your PHI.
2. “Breach” means the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of the PHI, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
VII. YOUR RIGHTS REGARDING YOUR PROTECTED HEALTH INFORMATION
You have several rights with regard to the PHI that St. Luke’s maintains about you. If you wish to exercise any of the following rights, please contact the Medical Records Department at (484) 526-4719 or email@example.com.
1. Right to Request Restrictions. You have the right to request restrictions or limitations on St. Luke’s uses or disclosures of PHI about you for treatment, payment, or health care operations. Any request for restrictions must be in writing, directed to the Medical Records Department 801 Ostrum St., Bethlehem, PA 18015, and should include (1) name and address of where services were received; (2) what information you want to limit; (3) whether you want to limit its use, disclosure, or both; and (4) to whom you want the limits to apply.
St. Luke’s is not required to agree to your request. If St. Luke’s does agree, it will comply with your request unless the information is needed to provide you emergency treatment.
2. Right to Request Confidential Communications. You have the right to request that St. Luke’s communicate with you about medical matters through specific channels, that is, in a certain way (e.g., “by cell phone only”) or at a certain location.
3. Right to Inspect and Copy. You have the right to inspect and copy a designated set of your medical records. This designated set typically includes medical and billing records but may not include psychotherapy notes. St. Luke’s may charge a reasonable fee for the costs of copying, mailing or other supplies associated with your request. St. Luke’s may deny your request to inspect and copy in certain circumstances. If you are denied access to your medical records, you may have the denial reviewed by a licensed health care professional chosen by St. Luke’s.
4. Right to Amend. You have the right to request that we amend your PHI that is maintained in a designated record set. We will comply with your request unless we believe that the information that would be amended is accurate and complete or other special circumstances apply. In the case of a denial, you will be provided with a written explanation for the basis of the denial and informed of subsequent measures you can take, if you choose to do so.
5. Right to an Accounting of Disclosures. You have the right to request an accounting of certain disclosures of PHI by St. Luke’s. A request for accounting of disclosures must specify a time period, which may not be longer than six years, and which may not include dates of service before April 14, 2003. Your written request should indicate in what form you want the disclosure. The first accounting within a 12-month period will be free; for additional accountings, St. Luke’s may charge for its costs after notifying you of the cost involved and giving you the opportunity to withdraw or modify your request before any costs are incurred.
6. Right to Complain. If you believe your privacy rights have been violated, you may file a complaint with St. Luke’s and/or with the federal Department of Health and Human Services (DHHS). St. Luke’s will not retaliate against you for filing such a complaint.
To file a complaint with St. Luke’s, contact:
Chief Compliance & Privacy Officer
801 Ostrum Street
Bethlehem, PA 18015
A patient can also send a letter to DHHS at:
Office for Civil Rights
U.S. Department of Health and Human Services
150 S. Independence Mall West
Suite 372, Public Ledger Building
Philadelphia, PA 19106-9111
7. Right to a Paper Copy of this Notice. You have the right to a paper copy of this Notice. You may ask us to give you a copy of this notice at any time. You may also obtain a copy of the current version of St. Luke’s Notice of Privacy Practices at our Web site, www.sluhn.org.
8. Right to Breach Notification. You have a right to receive written notification when a breach of PHI has occurred. You shall receive notification no later than 60 days after the breach has been discovered.
VIII. AMENDMENTS TO THIS NOTICE
St. Luke’s reserves the right to amend this Notice at any time. In addition, St. Luke’s is required to amend this Notice as made necessary by changes in the Privacy Rule. St. Luke’s reserves the right to make the amended Notice effective for PHI maintained at the time the amendment is made, as well as for any PHI that St. Luke’s may receive or create in the future. St. Luke’s will post a copy of the current Notice on the St. Luke’s website, www.sluhn.org as well as in the registration area of St. Luke’s facilities, when substantial changes are made.
IX. ST. LUKE’S DUTIES
St. Luke’s is required by the Privacy Rule to maintain the privacy of your PHI. The Privacy Rule requires that St. Luke’s provide notice of its privacy practices to all of its patients or clients. St. Luke’s obligations to maintain your privacy, and the situations and circumstances, in which your PHI may be used or disclosed, are described in more detail in this Notice. St. Luke’s is required to comply with the terms and conditions of this Notice and may not amend this Notice except as set forth above.
X. YOUR PERSONAL INFORMATION
The Limited Ways We Use Your Information
We do not sell or license your information. These are the limited ways we interact with your information in connection with our mobile apps:
- When you choose to add a profile photo to our mobile apps, you may select an existing photo on your device or take a new photo using the camera app on your device. If you select an existing photo on your device, we store a copy of your chosen photo in app-private storage on your device. If you use the camera app on your device to take a new photo, the photo you take is first saved to your camera app and then also saved to app-private storage on your device. If you remove the photo from your profile or delete our mobile apps, the copy of the photo is deleted from the app-private storage, but the photo saved to your camera app remains available in your camera app until you choose to delete it. If you already have a photo stored in your profile – we do not interact with that photo in any way.
- When you choose to use Apple’s HealthKit, we create encrypted identifiers to identify recipients of your Apple’s HealthKit data and store them on your device in app-private storage. If you choose to stop using Apple HealthKit or delete our mobile apps, the identifiers are deleted.
- When you choose to view documents (such as letters or images) using our mobile apps, to make the files viewable for you we temporarily store copies on your device in app-private storage. The temporary copies are deleted when you close your session on our mobile apps.
- If you elect to use and enable automatic appointment arrival, we temporarily store identifiers and times for your upcoming appointments in app-private storage to detect when you arrive for an upcoming appointment. If you choose to stop using our mobile apps or you disable automatic appointment arrival, the identifiers are deleted.
- If you use location-based check in for in-person appointments, or find healthcare providers near you, you may choose to allow our mobile apps to interact with your location data for those purposes. We do not store your location data.
- While you use our apps, we collect non-identifying information so we can provide customer service to you and understand how people use our mobile apps so we can improve our products. This information includes the time you began using the app, any error messages or codes, the model of device used and its operating system, and the version of our mobile app used. If you use Android devices, we also collect your connection type (cellular or WiFi) during an error.
- You may contact us through the methods listed on Our Website. If you contact us, we may keep a record of the communication. You can decide how much information you want to share with us in those cases.
XI. YOUR PERSONAL INFORMATION
For Android Users – Required Google Play Disclosures for Certain Health Apps
Google has determined our mobile apps are subject to their COVID-19 apps requirements. As a result, we are required to provide the following information so we can make our mobile apps available to you in the Play store.
- Our mobile apps interact with your microphone only if you choose to use your microphone during a Virtual Visit. Our mobile apps interact with your camera roll only if you choose to add a profile photo to a profile in our mobile apps. This information is not used in connection with COVID-19.
- Our mobile apps access, collect, use, and share your information as stated above in the section titled, “The Limited Ways We Use Your Information.”
- Our mobile apps were not created specifically for the COVID-19 pandemic. They existed before the COVID-19 pandemic to allow you to access your health information on file. We allow you to access COVID-19-related vaccination information, laboratory test results, and documents with illness-related information using our mobile apps. You may choose if or how you want to access, display, or use the information – just like you can make those decisions about health information relating to other conditions, services, tests, or vaccinations.
- We allow you to use our mobile apps to conduct telehealth appointments with your healthcare providers. Our mobile apps only provide the technical support for those appointments to happen. We do not interact with any health information about you exchanged during any telehealth appointments.
- Our mobile apps interact with Bluetooth only if you choose to use it during a Virtual Visit.
- Our mobile apps interact with your calendar only if you choose to add upcoming appointments to your calendar.