NOTICE OF PRIVACY PRACTICES
THIS NOTICE OF PRIVACY PRACTICE DESCRIBES HOW MEDICAL INFORMATION MAY BE USED AND DISCLOSED, AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
I. WHO PRESENTS THIS NOTICE
This Notice of Privacy Practices (“Notice”) is given on behalf of certain health care provider affiliates of Geisinger St. Luke’s Hospital (“Geisinger St. Luke’s”) and all of their departments, units, employed health professionals, students, and members of volunteer groups who are allowed to help while you are an inpatient or being treated at a Geisinger St. Luke’s facility. All of Geisinger St. Luke’s entities are legally required to follow the privacy practices that are described in this notice.
This Notice of Privacy Practices is effective as of October 30, 2019. If you have any questions about this Notice, please contact Geisinger St. Luke’s Network Compliance Department through the confidential Hotline at 1 (855) 9-ETHICS or 1(855) 938-4427.
Geisinger St. Luke’s is required to give you this Notice to comply with the regulations (the “Privacy Rule”) established under federal laws called the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule and the Health Information Technology for Economic and Clinical Health Act (“HITECH”). Geisinger St. Luke’s is committed to protecting your medical information, including health information protected by HIPAA and other federal and state laws, and using that information appropriately.
This Notice is intended to describe your rights, and to inform you about ways in which Geisinger St. Luke’s may use and disclose your protected health information (“PHI”), and the obligations Geisinger St. Luke’s has when using and disclosing your PHI. Your personal physician or any other provider of your health care services may have different policies or Notices regarding their use and disclosure of your PHI which is created in that provider’s office.
II. HOW WE MAY USE AND DISCLOSE YOUR PROTECTED HEALTH INFORMATION
A. The Privacy Rule allows Geisinger St. Luke’s to use and disclose PHI about you for purposes of treatment, payment, and Geisinger St. Luke’s health care operations. Any uses or disclosures for payment or health care operations must be limited to the minimum necessary to accomplish the purpose of the use or disclosure.
- Treatment. Geisinger St. Luke’s may use your PHI to provide you with medical treatment or services, to coordinate or manage your health care services, or to facilitate consultation or referrals as part of your treatment. For example, if you are being treated for a knee injury, Geisinger St. Luke’s may disclose your PHI to the physical rehabilitation department in order to coordinate your care. Different departments of Geisinger St. Luke’s also may share your medical records in order to coordinate your treatment and care, such as prescriptions, lab and x-ray tests. Also, Geisinger St. Luke’s may disclose your medical records to people outside of Geisinger St. Luke’s after you leave a Geisinger St. Luke’s facility, including family members, clergy, or other health care providers such as nursing homes or home health agencies.
- Payment. Geisinger St. Luke’s may use and disclose your medical record to send bills and collect payment from you, your insurance company or other third parties, for the treatment and services provided to you by Geisinger St. Luke’s. For example, Geisinger St. Luke’s may provide portions of your PHI to our billing department and your health plan to get paid for the health care services Geisinger St. Luke’s provided to you. Geisinger St. Luke’s may also provide your PHI to our business associates, such as billing companies, claims processing companies, and others that process our health care claims.
- Health Care Operations. Geisinger St. Luke’s may use and disclose PHI about you for Geisinger St. Luke’s health care operations. These uses and disclosures are necessary to provide quality care to all patients and residents as well as to facilitate the functioning of Geisinger St. Luke’s, including among other things:
- Quality assessment and improvement activities;
- Protocol development;
- Care management, coordination, and related functions;
- Competence assessment and performance reviews of Geisinger St. Luke’s employees;
- Training, accreditation, certification, licensing, credentialing or other related activities;
- Insurance related activities;
- Internal patient complaint or grievance resolution; and
- Activities relating to improving health or reducing health care costs.
Examples of how Geisinger St. Luke’s may use and disclose your information include:
- Use medical records to review its treatment and services as well as to evaluate the performance of its staff in caring for you;
- Combine medical records about many Geisinger St. Luke’s patients to decide what additional services Geisinger St. Luke’s should offer, what services are not needed, and to study the safety and effectiveness of treatments;
- Disclose information to doctors, nurses, and other Geisinger St. Luke’s personnel for training purposes;
- Remove information that identifies you from a set of medical records so that others may use it to study health care and health care delivery without learning who the specific patients are; or
- Use and disclose medical records to contact you by telephone or in writing as a reminder that you have an appointment for a test or procedure, or to see your doctor.
- Hospital and Facility Directory. Geisinger St. Luke’s may list certain information about you in the hospital directory while you are an inpatient at Geisinger St. Luke’s. This information may include your name, where you are in Geisinger St. Luke’s, a general description about your condition (e.g., fair, stable) and your religious affiliation. Unless you opt out, Geisinger St. Luke’s can disclose this information, except for your religious affiliation, to people who ask for you by name. Your religious affiliation may be given to members of the clergy even if they do not ask for you by name. This information is released so that your family, friends, and clergy can call and visit you in the hospital and generally know how you are doing and so that you can receive flowers, cards, or gifts sent to you during your hospital stay. If you choose to opt out, please call the Patient Access Center at (484)526-1128 and ask them to remove you from the Hospital Directory.
- Persons Involved in Your Care or Payment for Your Care. Geisinger St. Luke’s may release PHI about you to a family member, friend, or someone you designate who is involved in your care or payment of medical bills. Geisinger St. Luke’s may also disclose your health information to an entity authorized to assist in disaster relief so that those who care for you can receive information about your location or health status.
- Fundraising Activities. Geisinger St. Luke’s may solicit contributions to support the expansion and improvement of services and programs we provide to the community. In connection with our fundraising efforts, we may disclose to our employees or business associates, demographic information about you (e.g., your name, address and phone number), dates on which we provided health care to you, health insurance status, department of service, treating physician and general outcome information. If you do not wish to receive any fundraising requests in the future, you may contact the Geisinger St. Luke’s Development Office at (866) 468-6251 or respond via one of the methods identified in the fundraising correspondence that you may receive in the future.
- Treatment Options. Geisinger St. Luke’s may use or disclose your PHI to tell you about or recommend possible treatment options or alternatives that may be beneficial to you. For example, your name, address, and electronic mail address may be used so we can send you newsletters or health care bulletins about Geisinger St. Luke’s and the services we provide. We may also send you information about health-related products or services that we or others make available and that we think may be useful or of interest to you. You may write to Geisinger St. Luke’s Marketing and Communications Department Attn: InfoLink 801 Ostrum St., Bethlehem, PA 18015 or firstname.lastname@example.org as notification that you do not wish to receive any of our newsletters or other information.
- Research. Under certain circumstances, Geisinger St. Luke’s may use and disclose your PHI for research purposes. Before they begin, all research projects that are conducted at Geisinger St. Luke’s are carefully reviewed. This process evaluates the proposed project’s use of medical information, trying to balance the needs of medical research with your need for privacy. Before we use or disclose medical information for research, the project will have been approved through Geisinger St. Luke’s research approval process, but we may disclose your medical information to people preparing to conduct the research project (e.g., to help the researchers look for patients with specific medical conditions or needs).
- Client/Patient Satisfaction Surveys. Geisinger St. Luke’s may conduct client/patient satisfaction surveys to understand how we can improve our services to patients and their families or friends. For example: A client or patient may receive a survey from a patient satisfaction research organization, asking for comment on the services provided.
- Business Associates. There are some services at Geisinger St. Luke’s that may be provided through contracts with business associates. Examples include but are not limited to certain laboratory tests and a copy service that we may use to make copies of your health record. When these services are contracted, we may disclose your health information to our business associate so that they can perform the job we’ve asked them to do. To protect your health information, however, we require the business associate to appropriately safeguard your information.
- Health Information Exchange: A patient's PHI will be available electronically to local, state, or national healthcare providers who participate in our Electronic Health Record (EHR) system or other similar programs that facilitate the exchange of health information by allowing approved participating providers to have a more complete picture about a patient's health such as lab results, summary of care documents, and other medical data. Patients can choose to prohibit sharing their PHI for these purposes by completing a process referred to as Opting-Out. Opting-Out will prevent participating providers and its authorized users from viewing PHI, but the patient will still have access to view their PHI made available in our patient portal. To opt-out, please call (484) 526-8893 or send us an email at email@example.com.
Geisinger St. Luke’s has operations and providers in Pennsylvania and such State laws may be more protective of certain information than the Privacy Rule. Geisinger St. Luke’s will not disclose your information related to treatment for mental health, development disabilities, alcoholism, substance abuse or drug dependency, venereal disease, genetic information, or information concerning the presence of HIV, antigen or non-antigenic products of HIV or an antibody to HIV, without in each case obtaining your authorization unless otherwise permitted or required by the applicable State or federal law.
B. Certain Uses and Disclosures Do Not Require Your Consent. The Privacy Rule and Pennsylvania or New Jersey law (as applicable) allow Geisinger St. Luke’s to use or disclose your protected health information/patient health care records without your authorization or informed consent for a number of special functions and activities, described below.
- As Required by Law. Geisinger St. Luke’s is permitted to disclose your protected health information when required to do so by federal, state, or local law.
- Public Health. Geisinger St. Luke’s may use and disclose medical information about you for public health activities. These activities generally include the following:
- To prevent or control disease, injury, or disability, to report vital statistics such as births and deaths, and for public health surveillance or interventions;
- To report births and deaths;
- To report abuse or neglect of children, elders, and dependent adults;
- To the Federal Drug Administration (FDA), to report reactions to medications or problems with products, to track products, to enable product recalls, or to conduct post-market surveillance as required by the FDA;
- To notify people of recalls of products they may be using; and
- To notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition.
- Victims of Abuse, Neglect, or Domestic Violence. The Privacy Rule authorizes Geisinger St. Luke’s to notify the appropriate government authority if Geisinger St. Luke’s believes a patient or resident has been a victim of abuse, neglect, or domestic violence. Geisinger St. Luke’s will only make this disclosure if you agree or when required or authorized by law.
- Health Oversight Activities. Geisinger St. Luke’s is permitted to disclose PHI to a health oversight agency for activities authorized by law, including audits, investigations, inspections, licensure or disciplinary activities, and other similar proceedings. Geisinger St. Luke’s may not disclose the PHI of a person who is the subject of an investigation that is not directly related to that person’s receipt of health care or public benefits.
- To Avert a Serious Threat to Health or Safety. Geisinger St. Luke’s may use and disclose medical information about you when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.
- Funeral Directors, Medical Examiners, and Coroners. Sometimes, Geisinger St. Luke’s may deem it necessary to release medical information to funeral directors, so that they can carry out their duties appropriately. Sometimes, when there are concerns about identification of a patient, or determining what caused a death, we will release medical information to medical examiners or coroners.
- Organ and Tissue Donation. If you are an organ donor, Geisinger St. Luke’s may release information to the organizations responsible for organ or tissue transplantation in order to help with the process.
- Workers Compensation. Geisinger St. Luke’s may release medical information about you to insurers, government administrators, and employers for workers’ compensation or similar programs. This relates to care provided for work-related injuries or illness.
- Specialized Government Functions. In certain circumstances, the Privacy Rule authorizes Geisinger St. Luke’s to use or disclose your PHI to facilitate specified government functions to include:
- Medical Suitability and Intelligence Activities. Geisinger St. Luke’s may disclose your PHI to the Department of State for use in making suitable determinations.
- Inmates and Correctional Institutions. Should you be an inmate of a correctional institution or under the custody of law enforcement official, Geisinger St. Luke’s may release the PHI of inmates and others in law enforcement custody to the correctional institution or law enforcement official, where necessary 1) for the correctional institution or official to provide you with health care; 2) to protect your health and safety or health and safety of others; or 3) for the safety and security of the correctional institution. An inmate does not have a right to the Notice.
- Active Duty Military Personnel. If you are a member of the armed forces, Geisinger St. Luke’s may release medical information about you as required by military command authorities. Geisinger St. Luke’s may also release medical information about foreign military personnel to the appropriate foreign military authority.
- Government Security, Intelligence and Bioterrorism: Geisinger St. Luke’s may release medical information about you to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law. Geisinger St. Luke’s may disclose medical information about you to authorized federal officials so they may provide protection to the President, other authorized persons or foreign heads of state or conduct special investigations.
- Disputes, Lawsuits, Administrative Proceedings. If you are involved in a lawsuit or dispute, the Privacy Rule allows Geisinger St. Luke’s to disclose your PHI in response to a court or administrative order. Geisinger St. Luke’s may disclose your PHI in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested if that is required by law.
- Law Enforcement. Geisinger St. Luke’s may release medical information if asked to do so by a law enforcement official:
- In response to a court order, subpoena, warrant, summons, or similar process;
- To identify or locate a suspect, fugitive, material witness, or missing person;
- About the victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement;
- About a death Geisinger St. Luke’s believe may be the result of criminal conduct;
- About criminal conduct at Geisinger St. Luke’s; and
- In emergency circumstances to report a crime; the location of the crime or victims, or the identity, description or location of the person who committed the crime.
Pennsylvania law generally requires a court order for the release of patient health care records in these circumstances, and may be considered more protective of your privacy that the Privacy Rule. However, Pennsylvania law does allow the release of confidential patient health care records when a crime occurs on the premises and a victim is threatened with bodily harm. Pennsylvania law also requires that gunshot wounds or other suspicious wounds, including burns, that are reasonably believed to have occurred as the result of a crime must be reported to the local police or sheriff. The report must include the nature of the wound and the patient’s name.
- Other Uses of Medical Information. Other uses and disclosures of medical information not covered by this Notice or the laws that apply to us will be made only with your written permission. If you provide us permission to use or disclose medical information about you, you may revoke that permission, in writing, at any time. If you revoke your permission, we will no longer use or disclose the medical information about you for the reasons covered in your authorization. You understand that we are unable to take back any disclosure that Geisinger St. Luke’s has already made with your permission, and that we are required to retain our records of the care that we provided to you.
A. Geisinger St. Luke’s will notify affected individuals, Department of Health and Human Services, and the media, as applicable, of any Breach of unsecured PHI that compromises the security or privacy of the PHI. All suspected Breaches will be investigated and all necessary notifications will be sent, in accordance with company policy. Examples of unsecured PHI includes but are not limited to:
- Medical record left unattended in a public location (e.g., cafeteria or office waiting room);
- Misdirected e-mail to an external group that includes a listing of patients’ accounts that have addresses, social security numbers, date of birth, or medical diagnosis; and
- Intentional and non-work related access by Geisinger St. Luke’s workforce member or its business associate of your PHI.
B. “Breach” means the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of the PHI, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
IV. YOUR RIGHTS REGARDING YOUR PROTECTED HEALTH INFORMATION
You have several rights with regard to the PHI that Geisinger St. Luke’s maintains about you. If you wish to exercise any of the following rights, please contact the confidential Privacy Hotline at 1 (855) 9-ETHICS or 1(855) 938-4427.
- Right to Request Restrictions. You have the right to request restrictions or limitations on Geisinger St. Luke’s uses or disclosures of PHI about you for treatment, payment or health care operations.
Geisinger St. Luke’s is not required to agree to your request. If Geisinger St. Luke’s does agree, it will comply with your request unless the information is needed to provide you emergency treatment. A request for restrictions must be in writing, directed to the Geisinger St. Luke’s Health Information Management Department 77 S. Commerce Way, Bethlehem, PA 18017, and should include (1) name and address of where services were received; (2) what information you want to limit; (3) whether you want to limit its use, disclosure or both; and (4) to whom you want the limits to apply.
- Right to Request Confidential Communications. You have the right to request that Geisinger St. Luke’s communicate with you about medical matters through specific channels, that is, in a certain way or at a certain location. For example, you can ask that Geisinger St. Luke’s only contact you at work, or only at home, or only by mail. To request confidential communications, you must make a request in writing to the Geisinger St. Luke’s Health Information Management Department at the address in Section IV.1, and your request must specifically and clearly state how or where you want to be contacted. Geisinger St. Luke’s will not ask you the reason for your request, and will attempt to accommodate all reasonable requests.
- Right to Inspect and Copy. You have the right to inspect and copy a designated set of your medical records. This designated set typically includes medical and billing records, but may not include psychotherapy notes. Please note that a request to inspect your medical records means that you may examine them at a mutually convenient time or place. If you request a copy of the information, your request must be in writing and must be submitted to the Geisinger St. Luke’s Health Information Management Department at the address in Section IV.1. Geisinger St. Luke’s may charge a reasonable fee for the costs of copying, mailing or other supplies associated with your request. Geisinger St. Luke’s may deny your request to inspect and copy in certain circumstances. If you are denied access to your medical records, you may have the denial reviewed by a licensed health care professional chosen by Geisinger St. Luke’s. The person conducting the review will not be the person who denied your request. Geisinger St. Luke’s will comply with the outcome of the review.
- Right to Amend. If, in your opinion, your medical records are incorrect or incomplete, you may request that Geisinger St. Luke’s amend your records. You have the right to request an amendment for as long as the information is kept by or for Geisinger St. Luke’s. A request to amend your medical records must give the reasons for the amendment. Geisinger St. Luke’s may deny your request for an amendment if it is not in writing or does not include a reason. Geisinger St. Luke’s may also deny your request for amendment if it covers medical records that:
- Were not created by Geisinger St. Luke’s, unless the person who actually created the information is no longer available to make the amendment;
- Are not part of the medical records kept by or for Geisinger St. Luke’s;
- Are not part of the information which you would be permitted to inspect and copy, as discussed above; or
- Are accurate and complete.
- Right to an Accounting of Disclosures. You have the right to request an accounting of certain disclosures of PHI by Geisinger St. Luke’s. A request for accounting of disclosures must specify a time period, which may not be longer than six years, and which may not include dates of service before April 14, 2003. A request for accounting of disclosures must be in writing and must be submitted to the Geisinger St. Luke’s Health Information Management Department at the address in Section IV.1. Your written request should indicate in what form you want the disclosure (for example, on paper). The first accounting within a 12-month period will be free; for additional accountings, Geisinger St. Luke’s may charge for its costs after notifying you of the cost involved and giving you the opportunity to withdraw or modify your request before any costs are incurred.
- Right to Complain. If you believe your privacy rights have been violated, you may file a complaint with Geisinger St. Luke’s and/or with the federal Department of Health and Human Services (DHHS). A patient can send a letter to DHHS at:
Office for Civil Rights
U.S. Department of Health and Human Services
150 S. Independence Mall West
Suite 372, Public Ledger Building
Philadelphia, PA 19106-9111
- Right to a Paper Copy of this Notice. You have the right to a paper copy of this Notice. You may ask us to give you a copy of this notice at any time. You may also obtain a copy of the current version of Geisinger St. Luke’s Notice of Privacy Practices at our Web site, www.geisingerstlukes.org.
- Right to Breach Notification. You have a right to receive written notification when a breach of PHI has occurred. You shall receive notification no later than 60 days after the breach has been discovered.
V. AMENDMENTS TO THIS NOTICE
Geisinger St. Luke’s reserves the right to amend this Notice at any time. In addition, Geisinger St. Luke’s is required to amend this Notice as made necessary by changes in the Privacy Rule. Each version of the Notice will have an effective date on the first page. Geisinger St. Luke’s reserves the right to make the amended Notice effective for PHI at the time the amendment is made, as well as for any PHI that Geisinger St. Luke’s may receive or create in the future. Geisinger St. Luke’s will post a copy of the current Notice on the Geisinger St. Luke’s website, www.geisingerstlukes.org as well as in the registration area of Geisinger St. Luke’s facilities, when substantial changes are made.
VI. GEISINGER ST. LUKE’S DUTIES
Geisinger St. Luke’s is required by the Privacy Rule to maintain the privacy of your PHI. The Privacy Rule requires that Geisinger St. Luke’s provide notice of its privacy practices to all of its patients or clients. Geisinger St. Luke’s obligations to maintain your privacy, and the situations and circumstances, in which your PHI may be used or disclosed, are described in more detail in this Notice of its legal duties and privacy practices. Geisinger St. Luke’s is required to comply with the terms and conditions of this Notice, and may not amend this Notice except as set forth above.