HIPAA Privacy Notice
Effective Date: April 14, 2003
Revised September 2016
Emory Healthcare and Emory University Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW PROTECTED HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU MAY GAIN ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) directs health care providers, payers, and other health care entities to develop policies and procedures to ensure the security, integrity, privacy and authenticity of health information, and to safeguard access to and disclosure of health information. The federal government has privacy rules which require that we provide you with information on how we might use or disclose your identifiable health information. We are required by the federal government to give you our Notice of Privacy Practices.
OUR COMMITMENT TO YOUR PRIVACY
As a health care provider, we use your confidential health information and create records regarding that health information in order to provide you with quality care and to comply with certain legal requirements. We understand that this health information is personal, and we are dedicated to maintaining your privacy rights under Federal and State law. This Notice applies to records of your care created or maintained by Emory Healthcare and by units of Emory University that are subject to HIPAA. For convenience, in this Notice, we collectively refer to Emory Healthcare and those Emory University units covered by HIPAA as “Emory Healthcare.” We are required by law to: (1) make sure we have reasonable processes in place to keep your health information private; (2) give you this Notice of our legal duties and privacy practices with respect to your health information; and (3) follow the terms of the Notice that are currently in effect.
HOW WE MAY USE OR DISCLOSE YOUR HEALTH INFORMATION WITHOUT YOUR AUTHORIZATION
The following information describes different ways that we may use or disclose your health information without your authorization. Although we cannot list every use or disclosure within a category, we are only permitted to use or disclose your health information without your authorization if it falls within one of these categories. If your health information contains certain information regarding your mental health or substance abuse treatment or certain infectious diseases (including HIV/AIDS tests or results), we are required by state and federal confidentiality laws to obtain your consent prior to certain disclosures of the information. Once we have obtained your consent through your signing of the Admission/Registration Agreement, we will treat the disclosure of such information in accordance with our privacy practices outlined in this Notice.
CATEGORIES FOR USES AND DISCLOSURES:
Treatment. We may use health information about you to provide you with medical treatment or services. We may disclose health information about you to doctors, nurses, technicians, medical students, residents, student nurses, or other health care personnel who are involved in taking care of you at Emory Healthcare or at another health care provider. For example, a doctor treating you for a broken leg may need to know if you have diabetes because diabetes may slow the healing process. In addition, the doctor may need to tell the dietitian if you have diabetes so that we can arrange for appropriate meals. Emory Healthcare departments may also share health information about you in order to coordinate health care items or services that you need, such as prescriptions, lab work and x-rays.
Payment. We may use or disclose health information about you in order to bill and collect payment for the services and items you may receive from us. For example, we may need to give your health insurance plan information about your surgery so that your health insurance plan will pay us or reimburse you for the surgery. We may also tell your health insurance plan about a treatment you are going to receive in order to obtain prior approval or to determine whether your health insurance plan will cover the treatment. We may disclose to other health care providers health information about you for their payment activities.
Health Care Operations. We may use and disclose health information about you for Emory Healthcare operations. For example, we may use health information to review our treatment and services and to evaluate the performance of our staff in caring for you. We may also combine health information about our patients to decide what additional services should be offered, what services are not needed, and whether certain new treatments are effective. We may disclose your health information to doctors, nurses, technicians, medical students, residents, nursing staff and other personnel for review and learning purposes. We may combine the health information we have with health information from other health care providers to compare how we are doing and see where we can make improvements in the care and services we offer.
Medical Staff Members. Emory Healthcare and the independent physicians and other health care providers who are members of an Emory Healthcare facility’s medical staff are considered to be an organized health care arrangement under federal law for the specific purpose of sharing patient information. As such, Emory Healthcare and its medical staff will share health information about patients necessary to carry out treatment, payment and health care operations. Although all independent medical staff members who provide care at Emory Healthcare follow the privacy practices described in this Notice, they exercise their own independent medical judgment in caring for patients and they are solely responsible for their own compliance with the privacy laws. Emory Healthcare and independent medical staff members remain completely separate and independent entities that are legally responsible for their own actions.
Health Information Exchanges (HIE). Health information exchanges allow health care providers, including Emory Healthcare, to share and receive information about patients, which assists in the coordination of patient care. Emory Healthcare participates in a HIE that may make your health information available to other providers, health plans, and health care clearinghouses for treatment or payment purposes. Your health information may be included in the HIE. We may also make your health information available to other health exchange services that request your information for coordination of your treatment and/or payment for services rendered to you. Participation in the HIE is voluntary, and you have the right to opt out. Please see the “Right to Request Restrictions” section to learn about opting out of the HIE. Additional information on Emory Healthcare’s HIE can be found at our website, www.emoryhealthcare.org/ehealthexchange.
Appointment Reminders, Follow-up Calls and Treatment Alternatives. We may use or disclose health information to remind you that you have an appointment or to check on you after you have received treatment. If you have an answering machine we may leave a message. If you elect, we may also send appointment reminders via text message or email. We also may send you a post card appointment reminder. We may contact you about possible treatment options or alternatives or other health related benefits or services that may be of interest to you.
Fundraising Activities. As a nonprofit health system, support from generous patients and families builds Emory Healthcare and the Robert W. Woodruff Health Sciences Center and remains essential to continue life-saving health care, research, and education operations. We may use health information to contact you for fundraising opportunities. We are allowed to and may use demographic information to contact you, such as your name, address, phone number, or date of birth. We may also use the dates you received treatment or services, department of service, outcomes information, treating physician information and health insurance status. You have the right to opt out of fundraising communications. If you do not want Emory Healthcare or the Woodruff Health Sciences Center to contact you for fundraising efforts, you may opt out by calling 404-727-7111, emailing email@example.com, or by submitting the request in writing to the Development and Alumni Relations Office, Robert W. Woodruff Health Sciences Center, 1440 Clifton Road, Suite 116, Atlanta, Georgia 30322. Your decision whether or not to receive fundraising communications will not affect your ability to receive health care services at Emory Healthcare.
Emory Healthcare Directory. We may use or disclose health information about you in the patient directory while you are a patient at an Emory Healthcare facility. This information may include your name, location in the facility, your general condition (e.g., fair, stable, etc.) and your religious affiliation. The directory information, except for your religious affiliation, may be released to people who ask for you by name. Your religious affiliation may be given to a member of the clergy, such as a priest or rabbi, even if they don’t ask for you by name. This is so your family, friends and clergy can visit you in the hospital and generally know how you are doing. You will be given the option not to be listed in the directory. If you choose not to be listed in the directory, we will not be able to tell any family or friends that you are in the facility, nor will we be able to tell flower couriers where you are located.
Individuals Involved in Your Care or Payment for Your Care. Unless you object, we may disclose health information to a friend or family member who is involved in your medical care or who assists in taking care of you. We may also give information to someone who helps pay for your care. We may tell your family or friends your general condition and that you are in the hospital. In addition, we may disclose health information about you to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status and location.
Research. Researchers may conduct Records Research or Clinical Research that uses or discloses health information. Records Research is research that looks at health information in medical records. For example, a research project may compare the medical records of patients who received one medication to those who received another for the same condition. Clinical Research is research that involves drugs, devices, procedures or other interventions with participants. For example, a patient may take part in a clinical study to see if a new drug is effective to treat a disease. Some types of research are covered by HIPAA and other types are not. However, for all types of research that use or disclose identified health information from your medical records, we will obtain your written authorization except when (a) an Institutional Review Board determines in advance that use or disclosure of your health information meets specific criteria specified by law; (b) the researcher signs a legally binding document certifying that he/she will only use the health information to prepare a research protocol or for similar purposes to prepare for a research project and that he/she will maintain the confidentiality of the information and will not remove any of the health information from Emory Healthcare. Emory Healthcare may also disclose health information to a researcher if, (c) it involves health information of deceased patients and the researcher certifies the information is necessary for research purposes; or (d) a researcher obtains data with certain very non-specific geographic identifiers (for example, a zip code) called a limited data set and agrees to use the data only for research or public health purposes. If you would like more information on the privacy policies regarding use and disclosure of your health information for research that is covered by HIPAA you may contact the Emory University Privacy Office, 1599 Clifton Road, N.E., Suite 4.105, Atlanta, Georgia 30322.
As Required By Law. We will use or disclose health information when required to do so by federal, state or local law.
To Avert a Serious Threat to Health or Safety. We may use or disclose health information when necessary to prevent a serious threat to your health and safety, or the health and safety of another person or the public. Any disclosure, however, would only be to someone able to help prevent the threat.
We may also use or disclose your health information without your authorization in the following situations:
Organ and Tissue Donations – to organizations that handle organ procurement or organ, eye or tissue transplantation or to an organ donation bank, as necessary, to facilitate organ or tissue donation and transplantation.
Military and Veterans – to military command authorities as required, if you are a member of the armed forces. We may also disclose health information about foreign military personnel to the appropriate foreign military authority.
Workers' Compensation – to workers' compensation or similar programs that provide benefits for work-related injuries or illnesses.
Public Health Activities – to public health agencies or other governmental authorities to report public health activities or risks. These activities generally include the following: to prevent or control disease, injury or disability; to report births and deaths; to report child abuse or neglect; to report reactions to medications or problems with products; to notify people of recalls of products they may be using; to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition as authorized by law; to notify the appropriate government authority if we believe a patient has been the victim of abuse, neglect or domestic violence (we will only make this disclosure if you agree or when required or authorized by law).
Health Oversight Activities – to a health oversight agency for activities authorized by law and the Secretary of the Department of Health and Human Services. Examples of oversight activities include: audits, investigations, inspections, and licensure. Oversight activities are necessary for the government to monitor the health care system and government programs to ensure compliance with civil rights laws and to enforce privacy regulations.
Lawsuits and Disputes – in response to a court or administrative order if you are involved in a lawsuit or a dispute. We may also disclose health information about you in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the health information requested.
Law Enforcement – under certain circumstances in response to a court order, subpoena, warrant, summons or similar process; or upon request by a law enforcement official(s) for certain law enforcement purposes. We may report a death that we believe may be the result of criminal conduct or report suspected criminal conduct occurring on our premises. We may also report information related to a suspected crime discovered in the course of providing emergency medical services.
Coroners, Medical Examiners and Funeral Directors – to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also release health information about patients of Emory Healthcare to funeral directors as necessary to carry out their duties.
National Security and Intelligence Activities – to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.
Protective Services for the President and Others – to authorized federal officials so they may provide protection to the President of the United States, other authorized persons or foreign heads of state or to conduct special investigations.
Inmates – to the correctional institution or law enforcement official, if you are an inmate of a correctional institution or under the custody of a law enforcement official. This release would be necessary (1) for the institution to provide you with health care; (2) to protect your health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution.
USES AND DISCLOSURES WHICH REQUIRE YOUR AUTHORIZATION
Most uses and disclosures of psychotherapy notes, uses and disclosures for marketing purposes, disclosures that constitute a sale of health information, and other types of uses and disclosures of your health information not described in this Notice require an authorization and will be made only with your written authorization. You may revoke your authorization by giving written notice to the medical records department where you received your care. If you revoke your authorization, we will no longer use or disclose your health information as permitted by your initial authorization. Please understand that we will not be able to take back any disclosures we have already made and that we are still required to retain our records containing your health information that documents the care that we provided to you.
YOUR RIGHTS REGARDING YOUR HEALTH INFORMATION
Right to Inspect and Copy – You have the right to inspect and obtain a copy of your medical record or billing record. To inspect and copy your medical or billing record, you must submit your request in writing to the Medical Records Department or Billing Department of the facility where you received your care. You need to include in your request your name, or if acting as a personal representative, include the name of the patient, your contact information, date of birth and dates of service if known. To the extent that your health information is maintained electronically and you request the information in an electronic format, to the extent possible we will provide you a machine readable copy. If you request a copy, you will be charged a fee for the costs of copying, mailing or other supplies associated with your request. We may deny your request to inspect and copy records in certain limited circumstances; however, you may request that the denial be reviewed. A licensed health care professional chosen by Emory Healthcare will review your request and the denial. The person conducting the review will not be the person who denied your request. We will comply with the outcome of the review. Emory Healthcare might not retain medical records from other facilities for inclusion in your medical record or designated record set. These could include radiology films, scans or compact discs that were or might be provided to your Emory Healthcare provider. Please check with your physician or clinic administrator if you have any questions regarding this policy.
Right to Request an Amendment – If you feel that health information we have about you is incorrect, you may ask us to amend it. You have the right to request an amendment for as long as the health information is kept by or for Emory Healthcare. To request an amendment, your request must be made in writing and submitted to the medical records department of the entity where you received your care. In addition, you must provide a reason that supports your request. You need to include in your request your name, contact information, date of birth and dates of service if known. If you are acting as a personal representative, include the name of the patient, your contact information, date of birth and dates of service if known. We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend health information that:
- Was not created by us, unless the person or entity that created the health information is no longer available to make the amendment;
- Is not part of the health information kept by or for Emory Healthcare;
- Is not part of the health information which you would be permitted to inspect and copy; or
- Is accurate and complete.
Right to an Accounting of Disclosures. You have the right to request a list of the disclosures we made of your health information except for disclosures:
- for treatment, payment or health care operations,
- pursuant to an authorization,
- incident to a permitted use or disclosure, or
- for certain other limited disclosures defined by law.
To request this list of disclosures, you must submit your request in writing to the Emory Healthcare Privacy Office at 101 West Ponce de Leon Ave, 2nd Floor, Suite 242, Decatur, Georgia 30030. Your request must specify a time period for which you are seeking an accounting of disclosures and include your name, contact information, date of birth and dates of service if known. If you are acting as a personal representative, include the name of the patient, your contact information, date of birth and dates of service if known. You may not request disclosures that are more than six years from the date of your request or that were before April 14, 2003. Your request should indicate in what form you want the list, for example, on paper or electronically. The first list you request within a 12- month period will be free. For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred.
Right to Request Restrictions. You have the right to request a restriction or limitation on the health information we use or disclose about you for treatment, payment or health care operations. You also have the right to request a limit on the health information we disclose about you to someone who is involved in your care or the payment for your care, like a family member or friend. For example, you could ask that we not use or disclose information about a surgery you had. Except as otherwise required by law, we will comply with a request to restrict disclosure of health information to a health plan for purposes of carrying out payment or healthcare operations, BUT ONLY if the health information you ask to be restricted from disclosure pertains solely to a health care item or service for which you have paid out of pocket, in full. We are not required to agree to any other requests. If we do agree, we will comply with your request unless the information is needed to provide you with emergency treatment. We have the right to revoke our agreement at any time, and once we notify you of this revocation, we may use or disclose your health information without regard to any restriction or limitation you may have requested. To request restrictions, you must make your request in writing to the Emory Healthcare Privacy Office, 101 West Ponce de Leon Ave, 2nd Floor, Suite 242, Decatur, Georgia 30030. In your request, you must tell us (1) what information you want to limit; (2) whether you want to limit our use, disclosure or both; and (3) to whom you want the limits to apply, for example, disclosures to your spouse.
Right to Request Confidential Communications. You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail. To request confidential communications, you must make your request in writing to the Emory Healthcare Privacy Office, 101 West Ponce de Leon Avenue, 2nd Floor, Suite 242, Decatur, Georgia 30030. You will need to include your name, or if acting as a personal representative, include the name of the patient, contact information, date of birth and dates of service if known. We will not ask you the reason for your request. We will work to accommodate all reasonable requests. Your request must specify how or where you wish to be contacted.
Right To Receive a Paper Copy of This Notice. Even if you have agreed to receive this Notice electronically, you have the right to receive a paper copy of this Notice, which you may ask for at any time. You may obtain a copy of this Notice at our website, www.emoryhealthcare.org. To obtain a paper copy of this Notice, write to the Emory Healthcare Privacy Office, 101 West Ponce de Leon Avenue, 2nd Floor, Suite 242, Decatur, Georgia 30030.
Right to Receive Notification of a Breach of Your Health Information. We have put in place reasonable processes and procedures to protect the privacy and security of your health information. If there is an unauthorized acquisition, access, use, or disclosure of your protected health information we will notify you as required by law. The law may not require notice to you in all cases. In some situations, even if the law does not require notification, we may choose to notify you.
CHANGES TO THIS NOTICE
We reserve the right to change this notice. We reserve the right to make the revised or changed notice effective for health information we already have about you as well as any information we receive in the future. We will post a copy of the current Notice at Emory Healthcare facilities and you may request a copy of the current notice. In addition, the current notice will be posted at www.emoryhealthcare.org.
If you believe your privacy rights have been violated, you may file a complaint by writing to the Chief Privacy Officer, Emory Healthcare, 101 W. Ponce de Leon Avenue, 2nd Floor, Suite 242, Decatur, GA 30030. You may also file a complaint with the Secretary of the Department of Health and Human Services, http://www.hhs.gov/ocr/privacy/hipaa/complaints. You will not be penalized for filing a complaint. For further information, you may send written inquiries to the Emory Healthcare Privacy Office, 101 West Ponce de Leon Avenue, 2nd Floor, Suite 242, Decatur, GA 30030 or call 404-778-2757.
This Notice of Privacy Practices applies to the following organizations:
Emory Healthcare facilities that will abide by this notice include: Emory University Hospital, Emory University Orthopaedics and Spine Hospital, Emory University Hospital Midtown, Emory Johns Creek Hospital, Emory Saint Joseph’s Hospital, Emory Ambulatory Surgery Care Center at Dunwoody, Emory Ambulatory Surgery Center at Lagrange. Emory Ambulatory Surgery Centers, Emory Clinic, Emory Children’s Center, Emory Specialty Associates, Emory Wesley Woods Center, Emory Dialysis Center, LLC. Emory Rehabilitation Hospital in Partnership with Select Medical, Emory Rehabilitation Outpatient Center in Partnership with Select Medical, Emory, Emory Physical Therapy. This list of facilities may change from time to time; you may obtain an updated list of facilities by calling 404-778-2757.
Emory University is called a “Hybrid Covered Entity” under the HIPAA regulations. This is because the University has some components that are covered by HIPAA (thereafter referred to as, “Covered Component”) and others that are not. The following Emory University facilities have a Covered Component: the School of Medicine, School of Nursing, School of Public Health, Emory College and Emory University Graduate School Departments of Psychology, Student Health Services, Oxford College Student Health Service, Autism Center, Psychoanalytic Institute, and the Clinical and Translational Research Lab. These facilities may change from time to time; you may obtain an updated list of facilities by calling 404-727-2398.
Emory Healthcare facilities are clinically integrated and part of an organized health care arrangement (OCHA) with its components and other components of Emory University. Your health information may be disclosed between the University’s Covered Components and the University may disclose your health information to Emory Healthcare if necessary to carry out treatment, payment or health care operations related to the OCHA. All components of the OCHA arrangement are required to abide by this Notice.
Individuals who work in a Covered Component must follow HIPAA and this NPP. Individuals in a facility work as a part of the facility’s Covered Component when they perform one of the following activities:
(a) Treat patients and bill insurance or government programs for that treatment. (Note: Student patients are covered by the Family Educational Rights and Privacy Act instead of HIPAA),
(b) Take or process payment for health care services that are billed to insurance or a government program, and/or
(c) Perform health care operations.
NOTE: The Emory University Group Health Plan operates under a separate Notice of Privacy Practices and therefore does not follow this Notice.
Emory Healthcare complies with applicable Federal civil rights laws and does not discriminate on the basis of race, color, national origin, age, disability, or sex.
Emory Healthcare cumple con las leyes federales de derechos viviles aplicables y no discrimina por motivos de raza, color, nacionalidad, edad, discapacidad o sexo.
Emory Healthcare tuân thủ luật dân quyền hiện hành của Liên bang và không phân biệt đối xử dựa trên chủng tộc, màu da, nguồn gốc quốc gia, độ tuổi, khuyết tật, hoặc giới tính.
ATTENTION: If you are an individual with limited English language proficiency assistance services, free of charge, are available to you.
ATENCIÓN: si habla español, tiene a su disposición servicios gratuitos de asistencia lingüística. CHÚ Ý: Nếu bạn nói Tiếng Việt, có các dịch vụ hỗ trợ ngôn ngữ miễn phí dành cho bạn.
Effective Date: April 2003 – Revised Dates: June 16, 2004, February 2012, June 2013, July 2014, September 2016
Patients and Visitors
- Planning Your Visit
- Guest Services
- Medical Records - Release of Information
- Frequently Asked Questions
- Social Services
- Billing Information
- Insurance Information
- Patient Rights
- Financial Assistance
- Non-Discrimination Policy
- Language Interpretation Services
- Emory Health Information Exchange
- HIPAA Privacy Notice