THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Health Center/Towson University Understands the
Importance of Your Privacy
We are committed to protecting the privacy of your personal health information through compliance with the Federal Privacy Standard of the Health Insurance Portability and Accountability Act (HIPAA). This notice will tell you about the ways we may use or disclose “protected health information” (PHI) about you in accordance with HIPAA. PHI is information that may identify you and that relates to (a) your past, present, or future physical or mental health or condition or (b) the past, present or future payment for your health care. This notice also describes your rights to your own health information that we keep about you, and certain obligations we have to use or disclose it.
Our Obligations under HIPAA
The federal privacy regulations require us to:
1. Maintain the privacy of your PHI, including implementing reasonable and appropriate physical, administrative, and technical safeguards to protect the information
2. Provide you with notice of our legal duties and privacy practices with respect to individually identifiable information we collect and maintain about you
3. Abide by the terms of this notice
4. Train our personnel concerning privacy and confidentiality
5. Implement a sanction policy to discipline those who breach privacy/confidentiality or our policies with regard thereto
6. Mitigate (lessen the harm of) any breach of privacy/confidentiality
Uses and Disclosures of PHI for Treatment, Payment and Healthcare Operations
For treatment: For example, a doctor, nurse, or other member of our health care team will record information in your record to document your condition and determine the best course of treatment. The primary caregiver will give treatment orders and document what he or she expects other members of the health care team to do to treat you. Those caregivers will document their actions and observations, so the primary caregiver will know how you respond to treatment. We may disclose your health information to other health care professionals involved in your care, such as a specialist or hospital emergency physician to whom we refer you, a lab, a radiologist or a pharmacy. Information disclosed will be limited to the minimum necessary to enable appropriate treatment.
For Payment: For example, we may send a bill to you or a third-party payer, such as a health insurer. The information on or accompanying the bill may include information that identifies you, your diagnosis, treatment received, and supplies used. We will send the minimum information necessary to insure payment for services.
For Health Care Operations: For example, members of the Health Center’s medical staff, risk or quality improvement manager, or quality assurance team, who have signed acknowledgements of their duty not to re-disclose any PHI as defined by Maryland law, may review information in your health record to assess the quality and outcomes of care in your case and other similar cases, in order to assess the performance of the caregivers. We will use this information to continually improve the quality and effectiveness of the healthcare and services we provide.
Uses and Disclosures in Special Circumstances
For Appointments: We may use your information to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to you.
For Communication with Persons Involved In Your Care: If you are a varsity athlete, and unless you object, our health professionals, using their best judgment, may disclose to Towson University athletic trainers, PHI relevant to the trainers’ involvement in your care, or to payment for your care.
For Notification of Location/Condition: Unless you object, and only in the case of a health emergency (in the judgment of our health care professionals) or death, we may use or disclose PHI to give notice or assist in giving notice of your location, general condition or death to a family member, close personal friend or another person responsible for your care.
Health oversight activities: We may disclose information to a health oversight agency for activities authorized by law. These include audits; civil, criminal, or administrative investigations, proceedings or actions; inspections; licensure or disciplinary actions; or other activities in which health information is necessary for the government to monitor the healthcare system, determine eligibility for government benefits, determine compliance with program standards and civil rights laws, or compliance with HIPAA.
Business associates: We provide some services through contracts with business associates, such as the student insurance plan or medical software vendor. We may disclose your PHI to the business associate so they can perform the function(s) we have hired them to do. However, we require the business associate to sign a written agreement concerning appropriate uses and disclosures of PHI, and we provide them with only the minimum information necessary to perform the contracted services.
Research: We may disclose information to researchers when the research proposal has been reviewed and approved by an institutional review board or privacy board that has established protocols to ensure the privacy of your PHI.
Fund-raising: Although we don't currently do fundraising, we (or the Towson University Foundation or a business associate) may at some time in the future contact you as part of a fund-raising effort. You have the right to request not to receive fund-raising materials by submitting your request in writing to the Director of Health Center.
Incidental: We may use or disclose information incidental to a use or disclosure that is permitted or required by the privacy regulations.
Public Health: As required by law, we may disclose your health information to public health or legal authorities charged with preventing or controlling disease, injury, disability, child abuse or neglect; or to a person at risk of contracting or spreading a disease or condition, if authorized by law.
Funeral Directors, Coroners, Medical Examiners: We may disclose information to funeral directors consistent with applicable law to enable them to carry out their duties. We may disclose information to coroners or medical examiners for the purpose of identifying a deceased person, determining a cause of death, or carrying out other duties as authorized by law.
Food and Drug Administration (FDA): We may disclose to the FDA health information relative to adverse effects/events with respect to food, drugs, supplements, product or product defects, or post marketing surveillance information to enable product recalls, repairs, or replacement.
Workers Compensation: We may disclose health information as authorized by and as necessary to comply with workers compensation laws or similar programs established by law.
Correctional Institution: If you are an inmate of a correctional institution, we may disclose to the institution or its agents health information necessary for your health and the health and safety of other individuals, for law enforcement on the premises of the correctional institution, or the administration and maintenance of the safety, security and good order of the correctional institution.
Law Enforcement: We may disclose health information purposes as required by law, to a law enforcement official for law enforcement purposes, or in response to a valid subpoena.
Whistleblowing: If a member of our work force or a business associate believes in good faith that we have engaged in unlawful conduct or otherwise violated professional or clinical standards and are potentially endangering one or more patients, workers or the public, they may disclose your health information to health oversight agencies and/or public health authorities, such as the department of health, or to an attorney providing legal advice with respect to such a situation.
Employer: We may disclose to your employer information relating to medical surveillance of the workplace or to work-related illness(es) or injury(ies).
Disaster Relief: We may use or disclose your health information to a public or private entity authorized by law or by its charter to assist in disaster relief efforts, for the purpose of coordination with those entities the uses or disclosures permitted by the “Notification” section above.
Victims of abuse, neglect, or domestic violence: If we reasonably believe you are a victim of abuse, neglect, or domestic violence, we may disclose information about you to a government authority authorized by law to receive reports of such abuse, neglect, or domestic violence, including a social service or protective services agency.
Disclosures for judicial and administrative proceedings: We may disclose information in any judicial or administrative proceeding in response to an order of a court or administrative body, a subpoena, discovery request, or other lawful process.
Cadaveric organ, eye, or tissue donation: We may use or disclose information to organ procurement organizations or other entities that procure, bank, or transport organs, eyes or tissue for donation and transplanting.
Threat to health or safety: We may use or disclose information if we believe, in good faith, that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, or is necessary for law enforcement officials to identify and apprehend an person admitting participation in a violent crime.
Specialized government functions: We may use and disclose U.S. or foreign military personnel’s health information as deemed necessary by military command authorities. We may use and disclose information to authorized federal officials to conduct lawful intelligence, counter-intelligence and other national security activities. We may use and disclose information to authorized federal officials who provide protective services.
Disclosures Required by Law
We will use and disclose PHI about you when required by federal state or local law. In the event applicable law, other than HIPAA, prohibits or materially limits our uses and disclosures of your PHI, as described above, we will restrict our uses or disclosures in accordance with the more stringent standard.
To you: We must disclose your health information to you on your request, as required by regulations on access to your health information and accounting of health information.
Uses and Disclosures of PHI Made Only with Your Written
Other uses and disclosure of PHI about you will be made only with your written authorization, unless otherwise permitted or required by law as described in this notice. You may revoke your written authorization at any time, in writing, except to the extent we have taken action in reliance on that written authorization before you revoked it.
Your Rights Under the Federal Privacy Regulations
Although your health records are the property of the Health Center, you have certain rights to the information contained in the records. You have the right to:
1. Request restriction on uses/disclosures of your health information for treatment, payment, and health care operations; and uses/disclosures for involvement in your care and for notification purposes. We do not have to agree to any restriction you request. However, if we do agree, we will comply with the restriction, unless disclosure is necessary to provide you with emergency treatment, or unless you request otherwise or we give you advance notice.
2. Request, in writing, that we communicate with you by alternate means or at alternate locations. If the request is reasonable, we must grant it. For example, you may prefer to have mail from us sent to your local rather than your home address.
3. Request a paper copy of this notice. Although copies are posted in prominent locations in the facility, and an electronic copy is available on our website, you have a right to request and receive a paper copy.
4. Inspect and copy your health information upon your written request. This right is not absolute. In certain situations we can deny access. You do not have a right of access to the following:
a. psychotherapy notes if the health care provider believes disclosure may injure your health.
b. protected health information that is subject to the Clinical Laboratory Improvement Amendments of 1988 (“CLIA”), 42 U.S.C. section 263a, to the extent that the provision of access to you would be prohibited by law, or exempt from the CLIA pursuant to 42 CFR 493.3(a)(2).
If we grant access, we will advise you of the procedure to request access to or a copy of your records. We reserve the right to charge a reasonable, cost-based fee for making copies.
5. Request, in writing, amendment/correction of your health information, providing reasons to support the requested amendment. We do not have to grant the request if:
a. we did not create the record. For example, if we have a consultation report from another provider, we did not create the record, and we cannot know whether it is accurate or not. In such cases, you must seek amendment/correction from the party creating the record. If they amend or correct the record, we will put the corrected record in our records.
b. the records are not available to you for inspection as discussed in section 3 immediately above
c. the record is accurate and complete
If we deny your request for amendment/correction, we will notify you why, how you can attach a statement of disagreement to your records (which we may rebut), how you can request that we include your request and our denial with any future disclosures, and how you can complain. If we grant the request, we will make the correction and distribute the correction to those who need it and those you indicate should receive the corrected information.
6. Obtain an accounting of “non-routine” uses and disclosures (those other than for treatment, payment and health care operations). We do not need to provide an accounting for disclosures:
a. to you of protected health information about you
b. which you have authorized
c. to persons involved in your care or for other notification purposes under section 164.510
d. for national security or intelligence purposes under section 164.512(k) (2)
e. to correctional institutions or law enforcement officials under section 164.512(k)(5)
f. that occurred before April 14, 2003
We must provide the accounting within 60 days. The accounting must include the date of each disclosure; the name and address of the organization or person who received the protected health information; a brief description of the information disclosed; a brief statement of the purpose of the disclosure that reasonably informs you of the basis for the disclosure, or a copy of the written request for disclosure. The first accounting in any 12-month period is free. Thereafter, we reserve the right to charge a reasonable, cost-based fee.
7. Revoke, in writing, your authorization to use or disclose health information except to the extent that we have already taken action in reliance on the authorization.
If you believe your privacy rights have been violated, you may complain to Towson University and/or to the Secretary of the U.S. Department of Health and Human Services. To file a complaint, you may contact the university’s Privacy Officer, at 410-704-2361. You will not be retaliated against for filing such a complaint.
WE RESERVE THE RIGHT TO CHANGE OUR PRIVACY PRACTICES AS SET FORTH IN THIS NOTICE, AND TO MAKE THE NEW PROVISIONS EFFECTIVE FOR ALL INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION WE MAINTAIN. SHOULD WE CHANGE OUR INFORMATION PRACTICES, WE WILL MAIL A REVISED NOTICE TO THE ADDRESS YOU HAVE SUPPLIED US.
How to Get More Information or to Report a Problem
If you have questions and/or would like additional information, you may contact the university’s Privacy Officer, at 410-704-2361