ST. LUKE'S UNIVERSITY HEALTH NETWORK, AND ITS AFFILIATES NOTICE OF PRIVACY PRACTICES
THIS NOTICE OF PRIVACY PRACTICE DESCRIBES HOW MEDICAL INFORMATION MAY BE USED AND DISCLOSED, AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
I. WHO PRESENTS THIS NOTICE
This Notice of Privacy Practices (“Notice”) is given on behalf of certain health care provider affiliates of St. Luke's University Health Network (“St. Luke's”) and all of their departments, units, employed health professionals, students, and members of volunteer groups who are allowed to help while you are an inpatient or being treated at a St. Luke's facility. All of St. Luke's entities are legally required to follow the privacy practices that are described in this notice.
This Notice of Privacy Practices is effective as of November 15, 2017. If you have any questions about this Notice, please contact St. Luke's Network Compliance Department through the confidential Hotline at 1 (855) 9-ETHICS or 1 (855) 938-4427.
St. Luke’s is required to give you this Notice to comply with the regulations (the “Privacy Rule”) established under federal laws called the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule and the Health Information Technology for Economic and Clinical Health Act (“HITECH”). St. Luke’s is committed to protecting your medical information, including health information protected by HIPAA and other federal and state laws, and using that information appropriately.
This Notice is intended to describe your rights, and to inform you about ways in which St. Luke’s may use and disclose your protected health information (“PHI”), and the obligations St. Luke’s has when using and disclosing your PHI. Your personal physician or any other provider of your health care services may have different policies or Notices regarding their use and disclosure of your PHI which is created in that provider’s office.
II. HOW WE MAY USE AND DISCLOSE YOUR PROTECTED HEALTH INFORMATION
A. The Privacy Rule allows St. Luke’s to use and disclose PHI about you for purposes of treatment, payment, and St. Luke’s health care operations. Any uses or disclosures for payment or health care operations must be limited to the minimum necessary to accomplish the purpose of the use or disclosure.
1. Treatment. St. Luke’s may use your PHI to provide you with medical treatment or services, to coordinate or manage your health care services, or to facilitate consultation or referrals as part of your treatment. For example, if you are being treated for a knee injury, St. Luke’s may disclose your PHI to the physical rehabilitation department in order to coordinate your care. Different departments of St. Luke’s also may share your medical records in order to coordinate your treatment and care, such as prescriptions, lab and x-ray tests. Also, St. Luke’s may disclose your medical records to people outside of St. Luke’s after you leave a St. Luke’s facility, including family members, clergy, or other health care providers such as nursing homes or home health agencies.
2. Payment. St. Luke’s may use and disclose your medical record to send bills and collect payment from you, your insurance company or other third parties, for the treatment and services provided to you by St. Luke’s. For example, St. Luke’s may provide portions of your PHI to our billing department and your health plan to get paid for the health care services St. Luke’s provided to you. St. Luke’s may also provide your PHI to our business associates, such as billing companies, claims processing companies, and others that process our health care claims.
3. Health Care Operations. St. Luke’s may use and disclose PHI about you for St. Luke’s health care operations. These uses and disclosures are necessary to provide quality care to all patients and residents as well as to facilitate the functioning of St. Luke’s, including among other things:
a. Quality assessment and improvement activities;
b. Protocol development;
c. Care management, coordination, and related functions;
d. Competence assessment and performance reviews of St. Luke's employees;
e. Training, accreditation, certification, licensing, credentialing or other related activities;
f. Insurance related activities;
g. Internal patient complaint or grievance resolution; and
h. Activities relating to improving health or reducing health care costs.
Examples of how St. Luke's may use and disclose your information include:
a. Use medical records to review its treatment and services as well as to evaluate the performance of its staff in caring for you;
b. Combine medical records about many St. Luke’s patients to decide what additional services St. Luke’s should offer, what services are not needed, and to study the safety and effectiveness of treatments;
c. Disclose information to doctors, nurses, and other St. Luke’s personnel for training purposes;
d. Remove information that identifies you from a set of medical records so that others may use it to study health care and health care delivery without learning who the specific patients are; or
e. Use and disclose medical records to contact you by telephone or in writing as a reminder that you have an appointment for a test or procedure, or to see your doctor.
4. Hospital and Facility Directory. St. Luke’s may list certain information about you in the hospital directory while you are an inpatient at St. Luke’s. This information may include your name, where you are in St. Luke’s, a general description about your condition (e.g., fair, stable) and your religious affiliation. Unless you opt out, St. Luke’s can disclose this information, except for your religious affiliation, to people who ask for you by name. Your religious affiliation may be given to members of the clergy even if they do not ask for you by name. This information is released so that your family, friends, and clergy can call and visit you in the hospital and generally know how you are doing and so that you can receive flowers, cards, or gifts sent to you during your hospital stay. If you choose to opt out, please call the Patient Access Center at (484)526-1128 and ask them to remove you from the Hospital Directory.
5. Persons Involved in Your Care or Payment for Your Care. St. Luke’s may release PHI about you to a family member, friend, or someone you designate who is involved in your care or payment of medical bills. St. Luke’s may also disclose your health information to an entity authorized to assist in disaster relief so that those who care for you can receive information about your location or health status.
6. Fundraising Activities. St. Luke’s may solicit contributions to support the expansion and improvement of services and programs we provide to the community. In connection with our fundraising efforts, we may disclose to our employees or business associates, demographic information about you (e.g., your name, address and phone number), dates on which we provided health care to you, health insurance status, department of service, treating physician and general outcome information. If you do not wish to receive any fundraising requests in the future, you may contact the St. Luke’s Foundation at (866) 468-6251 or respond via one of the methods identified in the fundraising correspondence that you may receive in the future.
7. Treatment Options. St. Luke’s may use or disclose your PHI to tell you about or recommend possible treatment options or alternatives that may be beneficial to you. For example, your name, address, and electronic mail address may be used so we can send you newsletters or health care bulletins about St. Luke’s and the services we provide. We may also send you information about health-related products or services that we or others make available and that we think may be useful or of interest to you. You may write to St. Luke's Marketing and Communications Department Attn: InfoLink 801 Ostrum St., Bethlehem, PA 18015 or email@example.com as notification that you do not wish to receive any of our newsletters or other information.
8. Research. Under certain circumstances, St. Luke’s may use and disclose your PHI for research purposes. Before they begin, all research projects that are conducted at St. Luke’s are carefully reviewed. This process evaluates the proposed project’s use of medical information, trying to balance the needs of medical research with your need for privacy. Before we use or disclose medical information for research, the project will have been approved through St. Luke’s research approval process, but we may disclose your medical information to people preparing to conduct the research project (e.g., to help the researchers look for patients with specific medical conditions or needs).
9. Client/Patient Satisfaction Surveys. St. Luke’s may conduct client/patient satisfaction surveys to understand how we can improve our services to patients and their families or friends. For example: A client or patient may receive a survey from a patient satisfaction research organization, asking for comment on the services provided.
10. Business Associates. There are some services at St. Luke’s that may be provided through contracts with business associates. Examples include but are not limited to certain laboratory tests and a copy service that we may use to make copies of your health record. When these services are contracted, we may disclose your health information to our business associate so that they can perform the job we’ve asked them to do. To protect your health information, however, we require the business associate to appropriately safeguard your information.
11. Health Information Exchange: A patient's PHI will be available electronically to local, state, or national healthcare providers who participate in our Electronic Health Record (EHR) system or other similar programs that facilitate the exchange of health information by allowing approved participating providers to have a more complete picture about a patient's health such as lab results, summary of care documents, and other medical data. Patients can choose to prohibit sharing their PHI for these purposes by completing a process referred to as Opting-Out. Opting-Out will prevent participating providers and its authorized users from viewing PHI, but the patient will still have access to view their PHI made available in our patient portal. To opt-out, please call our MyChart Service Desk at 1-866-STLUKES.
St. Luke's has operations and providers in both Pennsylvania and New Jersey, and such States' law may be more protective of certain information than the Privacy Rule. Accordingly, depending on the State in which the information is obtained, St. Luke’s will not disclose your information related to treatment for mental health, developmental disabilities, alcoholism, substance abuse or drug dependency, venereal disease, genetic information, or information concerning the presence of HIV, antigen or non-antigenic products of HIV or an antibody to HIV, without in each case obtaining your authorization unless otherwise permitted or required by the applicable State or federal law.
B. Certain Uses and Disclosures Do Not Require Your Consent. The Privacy Rule and Pennsylvania or New Jersey law (as applicable) allow St. Luke’s to use or disclose your protected health information/patient health care records without your authorization or informed consent for a number of special functions and activities, described below.
1. As Required by Law. St. Luke’s is permitted to disclose your protected health information when required to do so by federal, state, or local law.
2. Public Health. St. Luke’s may use and disclose medical information about you for public health activities. These activities generally include the following:
a. To prevent or control disease, injury, or disability, to report vital statistics such as births and deaths, and for public health surveillance or interventions;
b. To report births and deaths;
c. To report abuse or neglect of children, elders, and dependent adults;
d. To the Federal Drug Administration (FDA), to report reactions to medications or problems with products, to track products, to enable product recalls, or to conduct post-market surveillance as required by the FDA;
e. To notify people of recalls of products they may be using; and
f. To notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition.
3. Victims of Abuse, Neglect, or Domestic Violence. The Privacy Rule authorizes St. Luke’s to notify the appropriate government authority if St. Luke’s believes a patient or resident has been a victim of abuse, neglect, or domestic violence. St. Luke’s will only make this disclosure if you agree or when required or authorized by law.
4. Health Oversight Activities. St. Luke’s is permitted to disclose PHI to a health oversight agency for activities authorized by law, including audits, investigations, inspections, licensure or disciplinary activities, and other similar proceedings. St. Luke’s may not disclose the PHI of a person who is the subject of an investigation that is not directly related to that person’s receipt of health care or public benefits.
5. To Avert a Serious Threat to Health or Safety. St. Luke’s may use and disclose medical information about you when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.
6. Funeral Directors, Medical Examiners, and Coroners. Sometimes, St. Luke’s may deem it necessary to release medical information to funeral directors, so that they can carry out their duties appropriately. Sometimes, when there are concerns about identification of a patient, or determining what caused a death, we will release medical information to medical examiners or coroners.
7. Organ and Tissue Donation. If you are an organ donor, St. Luke’s may release information to the organizations responsible for organ or tissue transplantation in order to help with the process.
8. Workers Compensation. St. Luke’s may release medical information about you to insurers, government administrators, and employers for workers’ compensation or similar programs. This relates to care provided for work-related injuries or illness.
9. Specialized Government Functions. In certain circumstances, the Privacy Rule authorizes St. Luke’s to use or disclose your PHI to facilitate specified government functions to include:
a. Medical Suitability and Intelligence Activities. St. Luke’s may disclose your PHI to the Department of State for use in making suitability determinations.
b. Inmates and Correctional Institutions. Should you be an inmate of a correctional institution or under the custody of a law enforcement official, St. Luke’s may release the PHI of inmates and others in law enforcement custody to the correctional institution or law enforcement official, where necessary 1) for the correctional institution or official to provide you with health care; 2) to protect your health and safety or the health and safety of others; or 3) for the safety and security of the correctional institution. An inmate does not have a right to the Notice.
c. Active Duty Military Personnel. If you are a member of the armed forces, St. Luke’s may release medical information about you as required by military command authorities. St. Luke’s may also release medical information about foreign military personnel to the appropriate foreign military authority.
d. Government Security, Intelligence and Bioterrorism: St. Luke’s may release medical information about you to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law. St. Luke’s may disclose medical information about you to authorized federal officials so they may provide protection to the President, other authorized persons or foreign heads of state or conduct special investigations.
10. Disputes, Lawsuits, Administrative Proceedings. If you are involved in a lawsuit or dispute, the Privacy Rule allows St. Luke’s to disclose your PHI in response to a court or administrative order. St. Luke’s may disclose your PHI in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested if that is required by law.
11. Law Enforcement. St. Luke's may release medical information if asked to do so by a law enforcement official:
a. In response to a court order, subpoena, warrant, summons, or similar process;
b. To identify or locate a suspect, fugitive, material witness, or missing person;
c. About the victim of a crime if, under certain limited circumstances, we are unable to obtain the person's agreement;
d. About a death St. Luke's believes may be the result of criminal conduct;
e. About criminal conduct at St. Luke's; and
f. In emergency circumstances to report a crime; the location of the crime or victims, or the identity, description or location of the person who committed the crime.
Pennsylvania and New Jersey law generally requires a court order for the release of patient health care records in these circumstances, and may be considered more protective of your privacy than the Privacy Rule. However, Pennsylvania law does allow the release of confidential patient health care records when a crime occurs on the premises and a victim is threatened with bodily harm. Pennsylvania and New Jersey law also requires that gunshot wounds or other suspicious wounds, including burns, that are reasonably believed to have occurred as the result of a crime must be reported to the local police or sheriff. The report must include the nature of the wound and the patient’s name.
12. Other Uses of Medical Information. Other uses and disclosures of medical information not covered by this Notice or the laws that apply to us will be made only with your written permission. If you provide us permission to use or disclose medical information about you, you may revoke that permission, in writing, at any time. If you revoke your permission, we will no longer use or disclose the medical information about you for the reasons covered in your authorization. You understand that we are unable to take back any disclosure that St. Luke’s has already made with your permission, and that we are required to retain our records of the care that we provided to you.
A. St. Luke’s will notify affected individuals, the Department of Health and Human Services, and the media, as applicable, of any Breach of unsecured PHI that compromises the security or privacy of the PHI. All suspected Breaches will be investigated and all necessary notifications will be sent, in accordance with company policy. Examples of unsecured PHI include, but are not limited to:
1. Medical record left unattended in a public location (e.g., cafeteria or office waiting room);
2. Misdirected e-mail to an external group that includes a listing of patients' accounts that have addresses, social security numbers, date of birth, or medical diagnosis; and
3. Intentional and non-work-related access by a St. Luke's workforce member or its business associate of your PHI.
B. “Breach” means the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of the PHI, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
IV. YOUR RIGHTS REGARDING YOUR PROTECTED HEALTH INFORMATION
You have several rights with regard to the PHI that St. Luke’s maintains about you. If you wish to exercise any of the following rights, please contact the confidential Privacy Hotline at 1 (855) 9-ETHICS or 1 (855) 938-4427.
1. Right to Request Restrictions. You have the right to request restrictions or limitations on St. Luke's uses or disclosures of PHI about you for treatment, payment or health care operations.
St. Luke's is not required to agree to your request. If St. Luke’s does agree, it will comply with your request unless the information is needed to provide you emergency treatment. A request for restrictions must be in writing, directed to the St. Luke’s Medical Records Department 801 Ostrum St., Bethlehem, PA 18015, and should include (1) name and address of where services were received; (2) what information you want to limit; (3) whether you want to limit its use, disclosure or both; and (4) to whom you want the limits to apply.
2. Right to Request Confidential Communications. You have the right to request that St. Luke’s communicate with you about medical matters through specific channels, that is, in a certain way or at a certain location. For example, you can ask that St. Luke’s only contact you at work, or only at home, or only by mail. To request confidential communications, you must make a request in writing to the St. Luke’s Medical Records Department at the address in Section IV.1, and your request must specifically and clearly state how or where you want to be contacted. St. Luke’s will not ask you the reason for your request, and will attempt to accommodate all reasonable requests.
3. Right to Inspect and Copy. You have the right to inspect and copy a designated set of your medical records. This designated set typically includes medical and billing records, but may not include psychotherapy notes. Please note that a request to inspect your medical records means that you may examine them at a mutually convenient time or place. If you request a copy of the information, your request must be in writing and must be submitted to the St. Luke’s Medical Records Department at the address in Section IV.1. St. Luke’s may charge a reasonable fee for the costs of copying, mailing or other supplies associated with your request. St. Luke’s may deny your request to inspect and copy in certain circumstances. If you are denied access to your medical records, you may have the denial reviewed by a licensed health care professional chosen by St. Luke’s. The person conducting the review will not be the person who denied your request. St. Luke’s will comply with the outcome of the review.
4. Right to Amend. If, in your opinion, your medical records are incorrect or incomplete, you may request that St. Luke’s amend your records. You have the right to request an amendment for as long as the information is kept by or for St. Luke’s. A request to amend your medical records must give the reasons for the amendment. St. Luke’s may deny your request for an amendment if it is not in writing or does not include a reason. St. Luke’s may also deny your request for amendment if it covers medical records that:
a. Were not created by St. Luke's, unless the person who actually created the information is no longer available to make the amendment;
b. Are not part of the medical records kept by or for St. Luke's;
c. Are not part of the information which you would be permitted to inspect and copy, as discussed above; or
d. Are accurate and complete.
5. Right to an Accounting of Disclosures. You have the right to request an accounting of certain disclosures of PHI by St. Luke’s. A request for accounting of disclosures must specify a time period, which may not be longer than six years, and which may not include dates of service before April 14, 2003. A request for accounting of disclosures must be in writing and must be submitted to the St. Luke’s Medical Records Department at the address in Section IV.1. Your written request should indicate in what form you want the disclosure (for example, on paper). The first accounting within a 12-month period will be free; for additional accountings, St. Luke’s may charge for its costs after notifying you of the cost involved and giving you the opportunity to withdraw or modify your request before any costs are incurred.
6. Right to Complain. If you believe your privacy rights have been violated, you may file a complaint with St. Luke’s and/or with the federal Department of Health and Human Services (DHHS). A patient can send a letter to DHHS at:
Office for Civil Rights
U.S. Department of Health and Human Services
150 S. Independence Mall West
Suite 372, Public Ledger Building
Philadelphia, PA 19106-9111
St. Luke's cannot require you to waive your right to complain in order for you to receive treatment at St. Luke's. To file a complaint with St. Luke's, contact St. Luke's Network Compliance Department through the confidential Privacy Hotline at 1 (855) 9-ETHICS or 1(855) 938-4427. St. Luke's will not retaliate against you for filing such a complaint.
7. Right to a Paper Copy of this Notice. You have the right to a paper copy of this Notice. You may ask us to give you a copy of this notice at any time. You may also obtain a copy of the current version of St. Luke’s Notice of Privacy Practices at our Web site, www.sluhn.org.
8. Right to Breach Notification. You have a right to receive written notification when a breach of PHI has occurred. You shall receive notification no later than 60 days after the breach has been discovered.
V. AMENDMENTS TO THIS NOTICE
St. Luke’s reserves the right to amend this Notice at any time. In addition, St. Luke’s is required to amend this Notice as made necessary by changes in the Privacy Rule. Each version of the Notice will have an effective date on the first page. St. Luke’s reserves the right to make the amended Notice effective for PHI at the time the amendment is made, as well as for any PHI that St. Luke’s may receive or create in the future. St. Luke’s will post a copy of the current Notice on the St. Luke’s website, www.sluhn.org as well as in the registration area of St. Luke's facilities, when substantial changes are made.
VI. ST. LUKE'S DUTIES
St. Luke’s is required by the Privacy Rule to maintain the privacy of your PHI. The Privacy Rule requires that St. Luke’s provide notice of its privacy practices to all of its patients or clients. St. Luke’s obligations to maintain your privacy, and the situations and circumstances, in which your PHI may be used or disclosed, are described in more detail in this Notice of its legal duties and privacy practices. St. Luke’s is required to comply with the terms and conditions of this Notice, and may not amend this Notice except as set forth above.