Notice of Privacy Practices (The Notice) – a written notice in compliance with the requirements of Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009, made available from KentuckyOne Health to an individual or the individual’s personal representative at the first delivery of service, or at the individual’s next visit following a revision to the Notice, that describes the uses and disclosures of protected health information that may be made by KentuckyOne Health and the individual’s rights and KentuckyOne Health’s legal duties with respect to protected health information.
Protected Health Information (PHI) – individually identifiable health information that is transmitted or maintained in any form or medium, including electronic media. Protected health information does not include employment records held by KentuckyOne Health in its role as an employer.
KentuckyOne Health (Saint Joseph Hospital, Flaget Memorial Hospital, Saint Joseph Berea, Saint Joseph East, Saint Joseph Jessamine, Saint Joseph London, Saint Joseph Mount Sterling, Saint Joseph Martin, Continuing Care Hospital, Inc., Frazier Rehab Institute, Jewish Hospital, Jewish Hospital Shelbyville, Our Lady of Peace Hospital, Sts. Mary & Elizabeth Hospital, Jewish Hospital Medical Center Northeast, Jewish Hospital Medical Center East, Jewish Hospital Medical Center Meade County, Jewish Hospital Medical Center South, Jewish Hospital Medical Center Southwest, Saint Joseph Outpatient Care Center, James Graham Brown Cancer Center, University of Louisville Hospital, and all KentuckyOne Health employed physicians and their practice locations), Southern Indiana Rehab Hospital, and members of the KentuckyOne Health hospital medical staffs, participate in an OHCA to manage their joint operating activities similar to the CHI OCHA. The KentuckyOne Health OHCA may use and disclose your health information to provide treatment, payment, or health care operations for the affiliated members such as integrated information system management, health information exchange, financial and billing services, insurance, quality improvement, and risk management activities. As the operations of KentuckyOne Health may change over time, a list of current KentuckyOne Health facilities can be accessed by visiting www.kentuckyonehealth.org and selecting “locations”.
For Treatment. We will use your health information to provide you with health care treatment and to coordinate or manage services with other health care providers, including third parties. We may disclose all or any portion of your health information to your attending physician, consulting physician(s), nurses, technicians, health profession students, or other facility or health care personnel who have a legitimate need for such information in order to take care of you. Different departments of the facility will share your health information in order to coordinate the health care services you need, such as prescriptions, lab work and X-rays. We may disclose your health information to family members or friends, guardians or personal representatives who are involved with your health care. We may also use and disclose your health information to contact you for appointment reminders and to provide you with information about possible treatment options or alternatives and other health-related benefits and services. We also may disclose your health information to people outside the facility who may be involved in your health care after you leave the facility, such as other physicians involved in your care, specialty hospitals, skilled nursing care facilities, and other healthcare-related services. We may use and disclose your health information to prescription networks to obtain your prescription benefits from payers, to obtain your medication history from different health care providers in the community such as pharmacies, and to send your prescriptions electronically to your pharmacy.
For Payment. We will use and disclose your health information for activities that are necessary to receive payment for our services, such as determining insurance coverage, billing, payment and collection, claims management, and medical data processing. For example, we may tell your health plan about a treatment you are planning in order to receive approval or to determine whether your plan will pay for the proposed treatment. We may disclose your health information to other health care providers so they can receive payment for health care services that they provided to you, such as your personal physician, and other physicians involved in your health care such as an anesthesiologist, pathologist, radiologist, or emergency physician, and ambulance services. We may also give information to other third parties or individuals who are responsible for payment for your health care, such as the named insured under the health policy who will receive an explanation of benefits (EOB) for all beneficiaries who are covered under the insured’s plan.
For Health Care Operations. We may use and disclose your health information for routine facility operations, such as business planning and development, quality review of services provided, internal auditing, accreditation, certification, licensing or credentialing activities (including the licensing or credentialing activities of health care professionals), medical research and education for staff and students, assessing your satisfaction with our services, and to other healthcare entities that have a relationship with you and need the information for operational purposes. We may use and disclose your health information to the external agencies responsible for oversight of health care activities such as the The Joint Commission, external quality assurance and peer review organizations, and credentialing organizations. We may also disclose health information to business associates we have contracted with to perform services for or on our behalf such as patient satisfaction survey organizations. We may also disclose your health information to medical device manufacturers or pharmaceutical companies in order for those companies to carry out their legal obligations to state and federal agencies.
CHI Health Information Exchange. KentuckyOne Health, as a member of the CHI OHCA, participates in the CHI Health Information Exchange (HIE). Your health information is maintained electronically and healthcare providers, employed, under contract, or otherwise associated with KentuckyOne Health, and the CHI OHCA members may access, use, and disclose your health information for treatment, payment, and healthcare operations.
Kentucky Health Information Exchange. KentuckyOne Health facilities participate in the Kentucky Health Information Exchange, a statewide internet-based health information exchange. As permitted by law, your health information will be shared with this exchange in order to provide faster access, better coordination of care and assist providers and public health officials in making more informed decisions.
Facility Directory. The facility directory is available so that your family, friends, and clergy can visit you and generally know how you are doing. We may include your name, location in the facility, your general condition (for example, fair or stable), and your religious affiliation in the facility directory. The directory information, except for your religious affiliation, may be released to people who ask for you by name. Your name and religious affiliation may be given to a member of the clergy such as a priest or rabbi, even if they don’t ask for you by name. You must notify the Patient Access Department (Registration) verbally or in writing if you do not want us to release information about you in the facility directory. If you do not want information released in the facility directory, we cannot tell members of the public such as flower or other delivery services or friends and family that you are here or about your general condition. KentuckyOne Health facilities providing psychiatric services may choose not to utilize a facility directory.
Future Communications. We may provide communications to you with newsletters or other means regarding treatment options, health related information, disease management programs, wellness programs, or other community based initiatives or activities in which our facility is participating.
Organ and Tissue Donation. If you are an organ donor, we may release your health information to organizations that handle organ procurement and transplantation or to an organ donation bank as necessary to facilitate organ or tissue donation and transplantation.
USES AND DISCLOSURES THAT ARE REQUIRED OR PERMITTED BY LAW
Subject to requirements of federal, state and local laws, we are either required or permitted to report your health information for various purposes. Some of these reporting requirements and permissions include:
Public Health Activities. We may disclose your health information to public health officials for activities such as for the prevention or control of communicable disease, bioterrorism, injury, or disability; to report births and deaths; to report suspected child, elder, or spouse abuse or neglect; to report reactions to medications or problems with medical products; to report information to the federal Centers for Disease Control or to authorized national or state cancer registries for their data aggregation.
Disaster Relief Efforts. We may disclose your health information to an entity assisting in a disaster relief effort, such as the American Red Cross, so that your family can be notified about your condition and location.
Health Oversight Activities. We may disclose your health information to a health oversight agency for activities authorized by law. Such agencies include federal Centers for Medicare and Medicaid Services, and state medical or nursing boards. These oversight activities may include audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor activities such as health care treatment and spending, government programs, and compliance with civil rights laws.
Judicial or Administrative Proceeding. We may disclose your health information in response to a legal court or administrative order, a subpoena, discovery request, civil or criminal proceedings, or other lawful process.
Law Enforcement. We may release your health information if asked to do so by a law enforcement official or if we have a legal obligation to notify the appropriate law enforcement or other agencies:
- In response to a court order, subpoena, warrant, summons or similar legal process;
- Regarding a victim or death of a victim of a crime in limited circumstances;
- In emergency circumstances to report a crime, the location or victims of a crime, or the identity,
description or location of a person who is alleged to have committed a crime, including crimes that
may occur at our facility, such as theft, drug diversion, or attempts to obtain drugs illegally.
Coroners, Medical Examiners and Funeral Directors. We may release health information to a coroner or a medical examiner. This may be necessary to identify a person who died or to determine the cause of death. We may release health information to help a funeral director to carry out his/her duties.
Workers' Compensation. We may release your health information for workers’ compensation benefits or similar programs that provide benefits for work-related injuries or illnesses if you tell us that workers’ compensation is the payer for your visit(s). Your employer or their workers’ compensation carrier may request the entire medical record pertinent to your workers’ compensation claim. This medical record may include details regarding your health history, current medications you are taking, and treatments.
To Avert a Serious Threat to Health or Safety. We may disclose your health information when necessary to prevent a serious threat to your health and safety or the health and safety of another person or the public.
National Security. We may disclose your health information to federal official(s) for national security activities and for the protection of the President and other Heads of State.
Military and Veterans. If you are a member of the armed forces, we may release your health information as required by military command authorities. We may also release health information about foreign military personnel to the appropriate foreign military authority.
Inmates. If you are an inmate of a correctional institution or in the custody of a law enforcement official, we may release your health information to the institution or law enforcement official. This release would be necessary for the institution to provide you with health care, to protect your health and safety or the health and safety of others, or for the safety and security of the correctional institution.
OTHER USES AND DISCLOSURES OF YOUR HEALTH INFORMATION
Other uses and disclosures of your health information not covered by this notice or the laws that apply to KentuckyOne Health will be made only with your written authorization. If you provide us with authorization to use or disclose your health information, you may revoke that authorization in writing at any time. When we receive your written revocation we will no longer use or disclose your health information for the purpose of that authorization. However, we are unable to retrieve any disclosures already made based on your prior authorization.
KentuckyOne Health will obtain your authorization to use and disclose your health information for these specific purposes:
KentuckyOne Health may ask you to authorize us to use and disclose your health information for marketing purposes. Marketing is a communication about a product or service that you may be interested in purchasing. If KentuckyOne Health receives payment of any kind from a third party in order for KentuckyOne Health to promote the product or service to you, then KentuckyOne Health is required to obtain your written authorization before we can use or disclose your health information. KentuckyOne Health is not required to obtain your authorization to discuss with you about KentuckyOne Health health-related products or services that are available for your health care treatment, case management or care coordination, or to direct or recommend alternative treatments, therapies, providers, or settings of care, providing face to face discussions and offering samples or promotional gifts of nominal value.
You have the right to revoke your marketing authorization and KentuckyOne Health will honor the revocation. To opt out of these communications, you may send an e-mail to email@example.com, or contact the KentuckyOne Health Privacy Office toll free at 877.247.6997.
Psychotherapy notes are notes by a mental health professional that document or analyze the contents of a conversation during a private counseling session or a group, joint, or family counseling session. If psychotherapy notes are maintained separate from the rest of your health information they may not be used or disclosed without your written authorization, except as may be required by law.
Sale of PHI
KentuckyOne Health will obtain your authorization for any disclosure of your information which KentuckyOne Health directly or indirectly receives remuneration in exchange for the information.
YOUR RIGHTS REGARDING YOUR HEALTH INFORMATION
You have the following rights regarding your health information:
Right to Inspect and Copy. You have the right to inspect your health information and receive a copy of medical, billing, or other records that may be used to make decisions about your care. The right to inspect and receive a copy may not apply to psychotherapy notes that are maintained separately from your health information.
Your request to inspect and receive a copy of your health information must be submitted in writing. We may charge a fee for document requests to cover the costs of copying, mailing, or other supplies. You have the right to request your health information in electronic format. KentuckyOne Health will provide your health information in the form and format you request, if available or in a mutually agreeable form and format.
In limited circumstances we may deny your request to inspect or receive a copy of your health information. If you are denied access to your health information, you may request that the denial be reviewed. A licensed health care professional chosen by KentuckyOne Health will review your request and the denial. The person who conducts the review will not be the same person who denied your request. We will comply with the outcome of the review. Requests to inspect and receive a copy of your health information should be submitted to the Medical Records Department of the respective KentuckyOne Health facility. For physician office requests, please contact the Practice Manager for the physician office.
Right to Amend. You have the right to request an amendment to your health information that you believe is incorrect or incomplete.
Submit your request in writing, including your reason for the amendment, using our “Request for Amendment to PHI” form and send to the Medical Records Department of the respective KentuckyOne Health facility. For physician office requests, please contact the Practice Manager for the physician office.
We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. We may also deny your request if you ask us to amend information that:
- Was not created by KentuckyOne Health unless the person or entity that created the information is no longer available to make the amendment;
- Is not part of the medical information kept by or for KentuckyOne Health;
- s not part of the information that you would be permitted to inspect and copy; or
- Is accurate and complete.
Right to an Accounting of Disclosures. We are required to maintain a list of certain disclosures of your health information. However, we are not required to maintain a list of disclosures that we made by acting upon your written authorizations. You have the right to request an accounting of disclosures that are not subject to your written authorization.
Submit your request in writing using our “Request for Accounting of Disclosures of PHI” form and send to the Medical Records Department of the respective KentuckyOne Health facility. For physician office requests, please contact the Practice Manager for the physician office. Your request must state a time period, not longer than six years from the date of request. The first list you request within a 12-month period will be free. For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request before any costs are incurred.
Right to Request Restrictions. You have the right to request a restriction or limitation on how much of your health information we use or disclose for treatment, payment, or health care operations. You also have the right to request a restriction on the disclosure of your health information to someone who is involved in your care or payment for your care, such as a family member or friend.
We are not required to agree to your request. However, if we do agree, we will comply with your request unless the information is needed to provide you with emergency treatment.
You have the right to request to restrict the disclosure of your information to a health plan regarding a specific health care item or service that you, or someone on your behalf (other than a health plan), has paid for in full. We are required to comply with your request for this specific type of restriction. For example, if you sought counseling services and paid in full for the services rather than submitting the expenses to a health plan, you may request that your health information related to the counseling services not be disclosed to your health plan.
Submit your request in writing or request and submit a “Request for Restrictions to Use or Disclose Protected Health Information” form and send to the Billing Department upon scheduling or registration for Payment restrictions or Health Information Management for processing other restrictions. For physician office requests, please contact the Practice Manager for the physician office or submit your request in writing to them. You must include: a description of the information that you want to restrict, whether you want to restrict our use or disclosure or both; and to whom you want the restriction to apply.
Right to Request Confidential Communications. You have the right to request that we communicate with you about health care matters in a certain way or at a certain location. For example, you can ask that we only contact you at an alternative location from your home address, such as work, or only contact you by mail instead of by phone. Your request must specify how or where you wish to be contacted. We do not require a reason for the request. We will accommodate all reasonable requests. Submit your request in writing or request and submit a “Confidential Communications Request” form and send to the Patient Access Department (Registration). For physician office requests, please contact the Practice Manager for the physician office or submit your request in writing to them.
Right to Receive Notice of a Privacy Breach. You have the right to receive written notification if KentuckyOne Health discovers a breach of unsecured protected health information involving your health information. Breach means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of the information.
Right to a Paper Copy of This Notice. You have the right to a paper copy of this notice. If you have agreed to receive this notice electronically, you are still entitled to a paper copy of this notice. You may ask us to give you a copy of this notice at any time.
To obtain a paper copy of this notice, contact the Patient Access Department (Registration). Or, you may obtain a copy of this notice at our Web site, www.kentuckyonehealth.org.
CHANGES TO THIS NOTICE
We reserve the right to change this notice. We reserve the right to make the revised or changed notice effective for health information we already have about you and for any information we may receive in the future. We will post a copy of the current notice in the facility and on our web site (if applicable) at www.kentuckyonehealth.org. The notice will contain the effective date. Upon your initial registration or admittance to the facility for treatment or health care services as an inpatient or outpatient, we will offer you a copy of the notice currently in effect. Whenever the notice is revised, it will be available to you upon request.
You may file a complaint with us or with the Secretary of the Department of Health and Human Services if you believe that we have not complied with our privacy practices.
You may file a complaint with us by contacting the KentuckyOne Health Privacy Office at 877.247.6997:
Attention: Privacy Officer
Corporate Responsibility Office
200 Abraham Flexner Way,
Louisville, KY 40202.
If you file a complaint, we will not take any action against you or change our treatment of you in any way.