HIPAA Notice of Privacy Practices
Effective Date: April 14, 2003
Revised: July 1, 2014
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
St. Francis Medical Center is required by the Health Insurance Portability and Accountability Act of 1996, and the Health Information Technology for Economic and Clinical Health Act (found in Title XIII of the American Recovery and Reinvestment Act of 2009) (collectively referred to as “HIPAA”), as amended from time to time, to maintain the privacy of individually identifiable patient health information (this information is “protected health information” and is referred to herein as “PHI”). We are also required to provide patients with a Notice of Privacy Practices regarding PHI. We will only use or disclose your PHI as permitted or required by applicable state law. This Notice applies to your PHI in our possession including the medical records generated by us.
St. Francis Medical Center understands that your health information is highly personal, and we are committed to safeguarding your privacy. Please read this Notice of Privacy Practices thoroughly. It describes how we will use and disclose your PHI.
This Notice applies to the delivery of health care by St. Francis Medical Center and its medical staff in the main hospital, outpatient departments and clinics, its physician practices, Life St. Francis, CARES Program, St. Francis Medical Center’s medical and other health care related education programs, and Respite Grant Program.This Notice also applies to the utilization review, quality assessment and other healthcare operation activities of CHE Trinity Health, a Catholic health care system with facilities located in multiple states throughout the United States, and of which St. Francis Medical Center is a member. This notice also applies to the activities of St. Francis Medical Center Foundation in support of St. Francis Medical Center’s mission.
I. Permitted Use or Disclosure
A. Treatment: St. Francis Medical Center will use and disclose your PHI to provide, coordinate, or manage your health care and related services to carry out treatment functions. The following are examples of how St. Francis Medical Center will use and/or disclose your PHI:
- To your attending physician, consulting physician(s), and other health care providers who have a legitimate need for such information in your care and continued treatment.
- To coordinate your treatment (e.g., appointment scheduling) with us and other health care providers such as name, address, employment, insurance carrier, etc.
- To contact you as a reminder that you have an appointment for treatment or medical care at our facilities.
- To provide you with information about treatment alternatives or other health-related benefits or services.
- If you are an inmate of a correctional institution or under the custody of a law enforcement officer, St. Francis Medical Center will disclose your PHI to the correctional institution or law enforcement official
B. Payment: St. Francis Medical Center will use and disclose PHI about you for payment purposes. The following are examples of how St. Francis Medical Center will use and/or disclose your PHI:
- To an insurance company, third party payer, third party administrator, health plan or other health care provider (or their duly authorized representatives) for payment purposes such as determining coverage, eligibility, pre-approval / authorization for treatment, billing, claims management, reimbursement audits, etc.
- To collection agencies and other subcontractors engaged in obtaining payment for care.
C. Health Care Operations:St. Francis Medical Center will use and disclose your PHI for health care operations purposes. The following are examples of how St. Francis Medical Center will use and/or disclose your PHI:
- For case management, quality assurance, utilization, accounting, auditing, population based activities relating to improving health or reducing health care costs, education, accreditation, licensing and credentialing activities of St. Francis Medical Center.
- To consultants, accountants, auditors, attorneys, transcription companies, information technology providers, etc.
D. Other Uses and Disclosures:As part of treatment, payment and health care operations, St. Francis Medical Center may also use your PHI for the following purposes:
- Fundraising Activities: St. Francis Medical Center will use and may also disclose some of your PHI to a related foundation for certain fundraising activities. For example, St. Francis Medical Center may disclose your demographic information, your treatment dates of service, treating physician information, department of service and outcomes information to the foundation who may ask you for a monetary donation. Any fundraising communication sent to you will let you know how you can exercise your right to opt-out of receiving similar communications in the future.
- Medical Research: St. Francis Medical Center will use and disclose your PHI without your authorization to medical researchers who request it for approved medical research projects. Researchers are required to safeguard all PHI they receive.
- Information and Health Promotion Activities: St. Francis Medical Center will use and disclose some of your PHI for certain health promotion activities. For example, your name and address will be used to send you general newsletter or specific information based on your own health concerns.
E. More Stringent State and Federal Laws: The State law of New Jersey is more stringent than HIPAA in several areas. Certain federal laws also are more stringent than HIPAA. St. Francis Medical Center will continue to abide by these more stringent state and federal laws.
- More Stringent Federal Laws: The federal laws include applicable internet privacy laws, such as the Children’s Online Privacy Protection Act and the federal laws and regulations governing the confidentiality of health information regarding substance abuse treatment.
- More Stringent State Laws: State law is more stringent when the individual is entitled to greater access to records than under HIPAA. State law is also more restrictive when the records are more protected from disclosure by state law than under HIPAA. In cases where St. Francis Medical Center provides treatment to a patient who resides in a neighboring state, St. Francis Medical Center will abide by the more stringent applicable state law. Refer below for more stringent state law protections in states in which St. Francis Medical Center conducts business:
HIV/AIDS Related Information: Your authorization must expressly refer to your HIV/AIDS related information in order to permit us to disclose your HIV/AIDS related information. However, there are certain purposes for which we may disclose your HIV/AIDS information without obtaining your authorization: (1) for your diagnosis and treatment; (2) scientific research; (3) management audits, financial audits or program evaluation; (4) medical education; (5) disease prevention and control when permitted by the New Jersey Department of Health and Senior Services; (6) to comply with a certain type of court order; and (7) as required by law, to the Department of Health and Senior Services or other entity. You also should note that we may disclose your HIV/AIDS related information to third party payors (such as your insurance company or HMO) in order to receive payment for the services we provide.
Genetic Information: Except in certain cases (such as a paternity test for a court proceeding, anonymous research, newborn screening requirements, or pursuant to a court order), we will obtain your written consent prior to obtaining or retaining your genetic information (for example, your DNA sample), or using or disclosing your genetic information for treatment, payment or health care operations purpose. We may use or disclose your genetic information for any other reason only when Your Authorization expressly refers to your genetic information or when disclosure is permitted under New Jersey State law (including, for example, when disclosure is necessary for the purposes of a criminal investigation, to determine paternity, newborn screening, identifying your body or as otherwise authorized by a court order).
Sexually Transmitted Diseases (STD): Your Authorization must expressly refer to your STD information in order to permit us to disclose any information identifying you as having or being suspected of having a STD. However, there are certain purposes for which we may disclose your STD information without obtaining Your Authorization, including to a prosecuting officer or the court if you are being prosecuted under New Jersey State law, to the Department of Health and Senior Services, or to your physician or a health authority, such as the local Board of Health. Your physician or a health authority may further disclose your STD information if he/she/it deems it necessary in order to protect the health and welfare of you, your family or the public. Under New Jersey law, we may also grant access to your STD information upon the request of a person (or his/her insurance carrier) against whom you have commenced a lawsuit for compensation or damages for your personal injuries.
Tuberculosis Information (TB): Your Authorization must expressly refer to your TB information in order to permit us to disclose any information identifying you as having TB or refusing/failing to submit to a TB test if you are suspected of having TB or are in close contact with a person with TB. However, there are certain purposes for which we may disclose your TB information, without obtaining Your Authorization, including for research purposes under certain conditions, pursuant to a valid court order, or when the Department of Health and Senior Services determines that such disclosure is necessary to enforce public health laws or to protect life or health of a named person.
F. Health Information Exchange (HIE): St. Francis Medical Center will share your health records electronically with a regional HIE, which operates in the State of New Jersey. The purpose of the HIE is to provide an electronic information system through which physicians, healthcare facilities, and other healthcare providers (collectively “Healthcare Providers”) can share clincial and other patient information electronically in connection with their provision of healthcare services to patients, thereby improving the overall quality of healthcare services provided to you (eg., avoids unnecessary duplicate testing). The electronic health records will include sensitive diagnosis such as HIV/AIDS, sexually transmitted diseases, genetic information, and mental health substance abuse, etc. The HIE is functioning as our business associate and, in acting on our behalf, the HIE will transmit, maintain and store your PHI for treatment, payment and health care operation purposes. The HIE is governed by a strict set of rules designed to protect patient confidentiality and the privacy and security of patient information. The HIE has a duty to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality and integrity of your medical information.
New Jersey State Law provides you with the right to opt-out of the HIE. If you do not wish to allow Healthcare Providers involved with your care to electronically share your PHI with one another through the HIE as explained in this notice, you must submit an “HIE Opt Out Form” to St. Francis Medical Center. You may obtain an “HIE Opt Out Form” from the St. Francis Medical Center Health Information Management Department by calling (609) 599-5075 or by visiting the following website:
Your opt out request will be processed within three (3) business days of receipt by St. Francis Medical Center.
In addition, St. Francis Medical Center, as a member of CHE Trinity Health, maintains a patient portal known as MyHealth, a secure online tool which permits patients to view their PHI through a secure, encrypted portal from the home page of St. Francis Medical Center. This shared information will also be made available to CHE Trinity Health Healthcare Providers for the purpose of improving overall quality of health care services provided to patients and to avoid duplication and inefficiencies. To accomplish this, St. Francis Medical Center shares your PHI with CHE Trinity Health and its member organizations, so that you and your Healthcare Providers can access your clinical and other patient information from this portal.
II. Permitted Use or Disclosure with an Opportunity for You to Agree or Object
A. Family/Friends: St. Francis Medical Center will disclose PHI about you to a friend or family member who is involved in or paying for your medical care. You have a right to request that your PHI not be shared with some or all of your family or friends. In addition, St. Francis Medical Center will disclose PHI about you to an agency assisting in disaster relief efforts so that your family can be notified about your condition, status, and location.
B. Facility Directory: St. Francis Medical Center will include certain information about you in facility directory while you are a hospital patient at St. Francis Medical Center. This information will include your name, location in St. Francis Medical Center your general condition (e.g., fair, stable, critical, etc.) and your religious affiliation. The directory information, except your religious affiliation, will be disclosed to people who ask for you by name. You have the right to request that your name not be included in St. Francis Medical
Center’s directory. If you request to opt-out of the facility directory, we cannot inform visitors of your presence, location, or general condition.
C. Spiritual Care: Directory information, including your religious affiliation, will be given to a member of the clergy, even if they do not ask for you by name. Spiritual care providers are members of the health care team at St. Francis Medical Center and may be consulted upon regarding your care. You have the right to request that your name not be given to any member of the clergy.
D. Media Reports: St. Francis Medical Center will release facility directory information to the media (excluding religious affiliation) if the media requests information about you using your name and after we have given you an opportunity to agree or object.
III. Use or Disclosure Requiring Your Authorization
A. Marketing: Subject to certain limited exceptions, your written authorization is required in cases where St. Francis Medical Center receives any direct or indirect financial remuneration in exchange for making the communication to you which encourages you to purchase a product or service or for a disclosure to a third party who wants to market their products or services to you.
B. Research: St. Francis Medical Center will obtain your written authorization to use or disclose your PHI for research purposes when required by HIPAA.
C. Psychotherapy Notes: Most uses and disclosures of psychotherapy notes require your written authorization.
D. Sale of PHI: Subject to certain limited exceptions, disclosures that constitute a sale of PHI requires your written authorization.
E. Other Uses and Disclosures: Any other uses or disclosures of PHI that are not described in this Notice of Privacy Practices require your written authorization. Written authorizations will let you know why we are using your PHI. You have the right to revoke an authorization at any time.
IV. Use or Disclosure Permitted or Required by Public Policy or Law without your Authorization
A. Law Enforcement Purposes: St. Francis Medical Center will disclose your PHI for law enforcement purposes as required by law, such as identifying a criminal suspect or a missing person, or providing information about a crime victim or criminal conduct.
B. Required by Law: St. Francis Medical Center will disclose PHI about you when required by federal, state or local law. Examples include disclosures in response to a court order / subpoena, mandatory state reporting (e.g., gunshot wounds, victims of child abuse or neglect), or information necessary to comply with other laws such as workers’ compensation or similar laws. St. Francis Medical Center will report drug diversion and information related to fraudulent prescription activity to law enforcement and regulatory agencies.
C. Public Health Oversight or Safety: St. Francis Medical Center will use and disclose PHI to avert a serious threat to the health and safety of a person or the public. Examples include disclosures of PHI to state investigators regarding quality of care or to public health agencies regarding immunizations, communicable diseases, etc. St. Francis Medical Center will use and disclose PHI for activities related to the quality, safety or effectiveness of FDA regulated products or activities, including collecting and reporting adverse events, tracking and facilitating in product recalls, etc.
D. Coroners, Medical Examiners, Funeral Directors: St. Francis Medical Center will disclose your PHI to a coroner or medical examiner. For example, this will be necessary to identify a deceased person or to determine a cause of death. St. Francis Medical Center may also disclose your medical information to funeral directors as necessary to carry out their duties.
E. Organ Procurement: St. Francis Medical Center will disclose PHI to an organ procurement organization or entity for organ, eye or tissue donation purposes.
F. Specialized Government Functions: St. Francis Medical Center will disclose your PHI regarding government functions such as military, national security and intelligence activities. St. Francis Medical Center will use or disclose PHI to the Department of Veterans Affairs to determine whether you are eligible for certain benefits.
G. Immunizations: St. Francis Medical Center will disclose proof of immunization to a school where the state or other similar law requires it prior to admitting a student.
V. Your Health Information Rights
You have the following individual rights concerning your PHI:
A. Right to Inspect and Copy: Subject to certain limited exceptions, you have the right to access your PHI and to inspect and copy your PHI as long as we maintain the data.
If St. Francis Medical Center denies your request for access to your PHI, St. Francis Medical Center will notify you in writing with the reason for the denial. For example, you do not have the right to psychotherapy notes or to inspect the information which is subject to law prohibiting access. You may have the right to have this decision reviewed.
You also have the right to request your PHI in electronic format in cases where St. Francis Medical Center utilizes electronic health records. You may also access information via patient portal if made available by St. Francis Medical Center.
You will be charged a reasonable copying fee in accordance with applicable federal or state law.
B. Right to Amend: You have the right to amend your PHI for as long as St. Francis Medical Center maintains the data. You must make your request for amendment of your PHI in writing to St. Francis Medical Center including your reason to support the requested amendment.
However, St. Francis Medical Center will deny your request for amendment if:
- St. Francis Medical Center did not create the information;
- The information is not part of the designated record set;
- The information would not be available for your inspection (due to its condition or nature); or
- The information is accurate and complete.
If St. Francis Medical Center denies your request for changes in your PHI, St. Francis Medical Center will notify you in writing with the reason for the denial. St. Francis Medical Center will also inform you of your right to submit a written statement disagreeing with the denial. You may ask that St. Francis Medical Center include your request for amendment and the denial any time that St. Francis Medical Center subsequently discloses the information that you wanted changed. St. Francis Medical Center may prepare a rebuttal to your statement of disagreement and will provide you with a copy of that rebuttal.
C. Right to an Accounting: You have a right to receive an accounting of the disclosures of your PHI that St. Francis Medical Center has made, except for the following disclosures:
- To carry out treatment, payment or health care operations;
- To you;
- To persons involved in your care;
- For national security or intelligence purposes; or
- To correctional institutions or law enforcement officials.
You must make your request for an accounting of disclosures of your PHI in writing to St. Francis Medical Center.
You must include the time period of the accounting, which may not be longer than 6 years. In any given 12-month period, St. Francis Medical Center will provide you with an accounting of the disclosures of your PHI at no charge. Any additional requests for an accounting within that time period will be subject to a reasonable fee for preparing the accounting.
D. Right to Request Restrictions: You have the right to request restrictions on certain uses and disclosures of your PHI to carry out treatment, payment or health care operations functions or to prohibit such disclosure. However, St. Francis Medical Center will consider your request but is not required to agree to the requested restrictions.
E. Right to Request Restrictions to a Health Plan: You have the right to request a restriction on disclosure of your PHI to a health plan (for purposes of payment or health care operations) in cases where you paid out of pocket, in full, for the items received or services rendered.
F. Right to Confidential Communications: You have the right to receive confidential communications of your PHI by alternative means or at alternative locations. For example, you may request that St. Francis Medical Center only contact you at work or by mail.
G. Right to Receive a Copy of this Notice: You have the right to receive a paper copy of this Notice of Privacy Practices, upon request.
VI. Breach of Unsecured PHI
If a breach of unsecured PHI affecting you occurs, St. Francis Medical Center is required to notify you of the breach.
VII. Sharing and Joint Use of Your Health Information
In the course of providing care to you and in furtherance of St. Francis Medical Center’s mission to improve the health of the community, St. Francis Medical Center will share your PHI with other organizations as described below who have agreed to abide by the terms described below:
A. Medical Staff. The medical staff and St. Francis Medical Center participate together in an organized health care arrangement to deliver health care to you. Both St. Francis Medical Center and medical staff have agreed to abide by the terms of this Notice with respect to PHI created or received as part of delivery of health care to you by St. Francis Medical Center. Physicians and allied health care professionals who are members of St. Francis Medical Center’s medical staff will have access to and use your PHI for treatment, payment and health care operations purposes related to your care within St. Francis Medical Center. St. Francis Medical Center will disclose your PHI to the medical staff and allied health professionals for treatment, payment and health care operations.
B. Membership in CHE Trinity Health. St. Francis Medical Center and members of CHE Trinity Health participate together in an organized health care arrangement for utilization review and quality assessment activities. We have agreed to abide by the terms of this Notice with respect to PHI created or received as part of utilization review and quality assessment activities of CHE Trinity Health and its members. Members of CHE Trinity Health will abide by the terms of their own Notice of Privacy Practices in using your PHI for treatment, payment or healthcare operations. As a part of CHE Trinity Health, a national Catholic health care system, St. Francis Medical Center and other hospitals, nursing homes, and health care providers in CHE Trinity Health share your PHI for utilization review and quality assessment activities of CHE Trinity Health, the parent company, and its members. Members of CHE Trinity Health also use your PHI for your treatment, payment to St. Francis Medical Center and/or for the health care operations permitted by HIPAA with respect to our mutual patients.
C. Business Associates. St. Francis Medical Center will share your PHI with business associates and their Subcontractors contracted to perform business functions on St. Francis Medical Center’s behalf, including CHE Trinity Health which performs certain business functions for St. Francis Medical Center
VIII. Changes to this Notice. St. Francis Medical Center will abide by the terms of the Notice currently in effect. St. Francis Medical Center reserves the right to make material changes to the terms of its Notice and to make the new Notice provisions effective for all PHI that it maintains. St. Francis Medical Center will distribute / provide you with a revised Notice at your first visit following the revision of the Notice in cases where it makes a material change in the Notice. You can also ask St. Francis Medical Center for a current copy of the Notice at any time.
IX. Complaints. If you believe your privacy rights have been violated, you may file a complaint with St. Francis Medical Center’s Privacy Official or with the Secretary of the Department of Health and Human Services. All complaints must be submitted in writing directly to St. Francis Medical Center’s Privacy Official. St. Francis Medical Center assures you that there will be no retaliation for filing a complaint. You will not be retaliated against for filing any complaint.
X. Privacy Official – Questions / Concerns / Additional Information. If you have any questions, concerns, or want further information regarding the issues covered by this Notice of Privacy Practice or seek additional information regarding St. Francis Medical Center’s privacy policies and procedures, please contact St. Francis Medical Center’s Privacy Official: at (609) 599-5714.