Notice of Privacy Practices
As Required by the Privacy Regulations Created as a Result of the Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED, AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
PLEASE REVIEW THIS NOTICE CAREFULLY.
I. OUR COMMITMENT TO YOUR PRIVACY
The University of Maryland is dedicated to maintaining the privacy of your protected health information (PHI). PHI is individually identifiable health information about you that relates to your past, present or future physical or mental health or condition and/or related health care services. This Notice of Privacy Practices provides you with the following important information: our obligations concerning your PHI; how we may use and disclose your PHI; and your rights in your PHI.
II. UNIVERSITY STUDENTS (Patients who are not students at the University of Maryland, College Park should skip to Section III)
Although federal privacy requirements for protected health information generally exclude student health information, the confidentiality of such information is protected under the federal Family Educational Rights and Privacy Act (FERPA), Maryland state law and/or University Policy, as applicable. The University Health Center recognizes the need for confidentiality and privacy with respect to student health information, and we will use, disclose and otherwise treat your health information accordingly, following the requirements of applicable law and University policy. Both FERPA and Maryland law give you the right to control the release of your health information in most instances, and we will generally obtain your consent before we release such information except under certain circumstances when your consent is not required under applicable law. Both FERPA and Maryland law (and University policy) also give you certain rights to inspect and correct your health information (see Section IV, below).
If you have questions about the privacy practices applicable to your records, please contact the Health Center Privacy Coordinator or the University HIPAA Privacy Officer at the addresses provided in Section VI.
III. NON-STUDENTS (This section does not apply to patients who are students at the University of Maryland, College Park. Those students should see section II above.)
A. OUR OBLIGATIONS
Both federal and State law require that we maintain the privacy of your PHI. We are also required to provide you with this notice regarding our privacy practices, our legal duties and your rights concerning your PHI. Except for certain records the University creates or receives in its role as an employer and student records, this Notice of Privacy Practices applies to all records containing your PHI that are created or retained by the Health Center or other units in the University’s designated Health Care Component. This Notice takes effect on April 14, 2003, and will remain in effect until we revise or replace it. We must follow the privacy practices described in this Notice during the time it is in effect. A copy of the Notice of Privacy Practices will be posted in a visible location in the Health Center at all times, and you may request a copy of the Notice at any time. A current Notice of Privacy Practices is also posted on the Health Center’s website at http://www.health.umd.edu and on the University’s HIPAA website at http://www.hipaa.umd.edu. We have the right to change our privacy practices and to revise or replace this Notice of Privacy Practices at any time, so long as the changes are consistent with applicable law. Any revision or amendment to this Notice will be effective for all PHI that we created or maintained in the past, and for any PHI that we create or maintain in the future. Before making a significant change in our privacy practices, we will change this Notice, post the revised Notice in the Health Center and on our websites, and make the new notice available upon request.
If you have questions about our Notice of Privacy Practices or to ask for additional copies of the Notice, please contact the Health Center Privacy Coordinator or the University HIPAA Privacy Officer at the addresses provided in Section VI.
B. WE MAY USE AND DISCLOSE YOUR PROTECTED HEALTH INFORMATION (PHI) IN THE FOLLOWING WAYS:
The following sections describe, in general terms, the different ways that we may use and disclose your PHI. Examples are provided to help you understand the various types of uses and disclosures; they do not cover all possible situations.
1. Treatment. The Health Center may use and disclose your PHI to provide health care and related services to you. For example, we may use or disclose your PHI to a physician or other health care provider in order to treat you or to assist others in your treatment. Other examples include uses and disclosures for laboratory tests, prescriptions, and referrals to other health care providers for additional health care services.
2. Payment. We may use and disclose your PHI in order to bill and collect payment for the services and items you may receive and to determine your eligibility to participate in our services. For example, we may contact your health insurer to certify that you are eligible for benefits (and for what range of benefits), and we may provide your insurer with details regarding your treatment to determine if your insurer will cover, or pay for your treatment. We also may use and disclose your PHI to obtain payment from you or from third parties that may be responsible for such costs, such as family members.
3. Health Care Operations. We may use and disclose your PHI in connection with our health care operations, including our administrative, financial, legal, and quality improvement activities. For example, we may use your PHI to evaluate the quality of care you received from us or the competence, performance or qualifications of our health care professionals and staff. Other examples include accreditation evaluations, training programs for medical students and other health care professionals, fraud and abuse detection, cost-management, business planning, and the preparation of de-identified information and limited data sets.
4. Business Associates. We may share your PHI with third-party “business associates” that provide various services for us, such as billing, transcription, software maintenance, accreditation and legal services. If an arrangement with a business associate involves the use or disclosure of your PHI, we will have a written contract in which the business associate agrees to maintain the confidentiality of your PHI.
5. Appointments and Other Reminders. The Health Center may use and disclose your PHI in order to contact you and remind you of an appointment. For example, Women's Health may contact you to confirm an appointment or the Pharmacy may call to remind you to pick up your prescription.
6. Health Related Services. We may use and disclose your PHI to tell you of or recommend treatment alternatives and other health related benefits and services that might be of interest to you.
7. Release of Information to Involved Individuals. Unless you object, the Health Center may release your PHI (except mental health records) to a friend or family member or other person who is involved in your care, or who assists in taking care of you or in paying for your health care. In addition, we may disclose your PHI to a public or private entity authorized by law or its charter to assist in disaster relief efforts.
If you are not present or are incapacitated, or in an emergency situation, we will disclose your PHI based upon our professional judgment that disclosure is in your best interest. We will also use our professional judgment and experience with common practice to allow a person to pick up prescriptions, medical supplies, x-rays or similar types of medical information. We will not, however, disclose any information in a way that conflicts with a previously agreed upon preference or restriction.
8. Research. Under certain limited circumstances, we may use or disclose PHI for health research purposes in accordance with the requirements of law and University policy. For example, we may use or disclose your PHI if we have your authorization or documentation that a special research review board has approved a waiver or alteration of authorization requirements. We may also use or disclose PHI for reviews preparatory to research (such as to design or assess the feasibility of conducting a study) or for research on decedents’ PHI, but only if the researcher provides appropriate assurances of confidentiality.
In addition, PHI may be used or disclosed for research as part of a limited data set, with an appropriate data use agreement to protect confidentiality.
9. Required or Allowed by Law. We may use and disclose your PHI when we are required or permitted to do so by applicable federal, state and/or local law. Such uses or disclosures may include, but are not necessarily limited to, those set forth below. The use or disclosure will be made in compliance with the applicable law and, to the extent required by law, you will be notified of any such uses and disclosures.
a. Required by Law. We may use or disclose your PHI when a law requires us to do so.
b. Public Health. We may disclose your PHI for public health activities as required or permitted by law. These activities generally include the following:
- to report matters related to the quality, safety, or effectiveness of a product or service regulated by the Food and Drug Administration (FDA)
- to prevent or control disease, injury or disability
- to report disease or injury
- to report births and deaths
- to report child abuse or neglect
- to report reactions to medications and food or problems with products
- to notify people of recalls or replacements of products they may be using
- to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition
- to notify the appropriate government authority if we believe a person has been the victim of abuse, neglect or domestic violence. We will only make this disclosure if you agree or when required or authorized by law.
c. Health Oversight Activities. We may disclose your PHI to a health oversight agency for activities authorized by law. Such activities might include, for example, audits, investigations, inspections, licensure or disciplinary actions. These activities are needed to monitor the health care system, government programs, and compliance with civil rights laws.
d. Serious Threats to Health or Safety. We may use and disclose your PHI when we believe it is necessary to reduce or prevent a serious threat to your health or safety or the health or safety of another person or the public. Any such disclosures would be made to persons or organizations able to help prevent or lessen the threat.
e. Lawsuits and Similar Proceedings. We may disclose your PHI in response to a court or administrative order, subpoena, discovery request or other lawful process, under certain circumstances.
f. Law Enforcement. We may disclose PHI if asked to do so by a law enforcement official under certain circumstances, including:
- in response to a court order, subpoena, warrant, summons or similar process
- to identify or locate certain persons
- to provide information about a crime victim, criminal conduct at our premises, or a death we believe may be the result of criminal conduct
- in an emergency, to report a crime (including the locations of the crime or victims and/or the identity, description or location of the person who committed the crime)
- to authorized federal officials so they may provide protection for the President and other authorized persons or to conduct special investigations.
g. Organ and Tissue Donation. We may release PHI to authorized organizations relating to organ, eye or tissue donations or transplants.
h. Military and Veterans. If you are a member of the armed forces of the United States or another country (including veterans), we may release your PHI as required by military command authorities.
i. Workers' Compensation. We may disclose your PHI to comply with workers' compensation laws or similar programs that provide benefits for work-related injuries or illness.
j. Coroners, Medical Examiners and Funeral Directors. We may disclose PHI to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also disclose PHI to funeral directors so they can carry out their duties.
k. National Security and Intelligence Activities. We may disclose your PHI to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.
l. In Legal Custody. If you are an inmate of a correctional institution or under custody of a law enforcement official, we may disclose health information about you to the correctional institution or law enforcement official.
10. With Authorization. We will not share information for the purposes of marketing, sale of information, or sharing of psychotherapy notes unless you give us written permission. For any purposes other than the ones described above, we will only use or disclose your PHI when you give us written Authorization. You may give us written Authorization to use your PHI or to disclose it to anyone for any purpose. If you give us an Authorization, you may revoke it in writing at any time, but your revocation will not be effective to the extent we have already acted in reliance on the Authorization.
11. Other Legal Restrictions. Federal and/or applicable Maryland laws may otherwise limit the ways that we may use or disclose your PHI or they may require different privacy protections for certain types of information that are considered highly confidential. Such highly confidential information may include health information pertaining to drug or alcohol abuse treatment; mental health care; HIV/AIDS; developmental disabilities; or genetic testing. We will not use or disclose your PHI in a way that is prohibited by any applicable law.
IV. YOUR RIGHTS REGARDING YOUR PHI
A. NON-STUDENTS. You have the following rights regarding the PHI that we maintain about you.
1. Confidential Communications. You have the right to request that we communicate with you about your health care and related issues in a particular manner or at a certain location. For instance, you may ask that we contact you at home, rather than at work. In order to request a type of confidential communication, you must make a written request to the Medical Records Supervisor at the Health Center at the address provided in Section VI. The request must clearly specify the requested method of contact and/or the location where you wish to be contacted. Reasonable requests will be accommodated. You do not need to give a reason for your request.
2. Requesting Restrictions. You have the right to request certain restrictions regarding our use or disclosure of your PHI. This means that you may ask us not to use or disclose part of your PHI for certain treatment, payment or health care operations purposes. You may also request that we not disclose all or part of your PHI to individuals (such as family members and friends) involved in your health care or the payment for your care. We are not required to agree to your request; however, if we do agree, we are bound by our agreement except in emergency situations or when otherwise required by law. A restriction may be terminated by you or by us. Before we terminate, we will notify you. If you do not agree, the termination will only affect PHI we create or receive after we notify you. If you pay out of pocket for a service or health care item, you may also request that we do not disclose information about your treatment to your health insurer.
In order to request a restriction in our use or disclosure of your PHI, or to request termination of a restriction to which we have agreed, you must make your request in writing to the Medical Records Supervisor at the Health Center at the address provided in Section VI. Your request must clearly describe the specific restriction you are requesting and to whom you want the restriction to apply.
3. Inspection and Copies. You have the right to look at and obtain a copy of the PHI we maintain that may be used to make decisions about you. Usually, this includes patient medical records and billing records but not psychotherapy notes or legal and other materials as provided by law. In some limited circumstances, we may deny your request to see or copy your PHI and, depending on the circumstances, you may have the right to request a review of our denial.
In order to inspect and/or obtain a copy of your PHI, you must submit your request in writing to the Medical Records Supervisor at the Health Center at the address provided in Section VI. We may charge a fee for the costs of copying, mailing, and supplies associated with your request. We will tell you the amount of the fee in advance.
4. Amendment. You may ask us to amend your PHI if you believe it is incorrect or incomplete. To request an amendment, your request must be made in writing and submitted to the Health Center’s Clinical Director at the address provided in Section VI. You must clearly describe the change(s) you are requesting and you must explain why the information should be amended. We may deny your request if we believe that the information that would be amended is already accurate and complete or if other special circumstances apply. If we deny your request, we will provide you with a written explanation of the denial and your right to submit a statement disagreeing with the denial. If we approve the request for amendment, we will inform you and change the health information, and we will tell others that need to know of the change.
5. Accounting of Disclosures. You have the right to request a list of the disclosures we have made of your PHI after April 13, 2003. The list does not have to include disclosures made to you or with your Authorization, for treatment, payment and health care operations purposes, or in connection with certain other activities.
In order to obtain an accounting of disclosures, you must submit your request in writing to the Health Center’s Medical Records Supervisor at the address provided in Section VI. All requests for an accounting must state a time period, which may not be longer than six (6) years from the date of disclosure. If you request an accounting more than once in a 12-month period, we may charge a reasonable cost-based fee, of which you will be notified in advance.
6. Right to a Copy of this Notice. You are entitled to receive a paper copy of our Notice of Privacy Practices. You may ask us to give you a copy of the Notice at any time. To obtain a paper copy, contact the Health Center’s Privacy Coordinator or the University’s HIPAA Privacy Officer at the addresses provided in Section VI. The Notice is also posted on the Health Center’s website at http://www.health.umd.edu and on the University’s HIPAA website at http://www.hipaa.umd.edu.
7. Right to be notified of a Breach. You have the right to be notified in the event that we (or one of our Business Associates) discover a breach of unsecured PHI. Notice of any such breach will be made in accordance with federal requirements.
B. STUDENTS. We generally provide University students with similar rights regarding their health information, including the rights to request: confidential communications; restrictions on use or disclosure; inspection and copies; amendment; accounting of disclosures; and copies of this Notice.
Those rights may, however, be implemented in different ways under FERPA, Maryland law and/or University policy, as applicable. If you have questions about your rights regarding your health information, please contact the Health Center Privacy Coordinator or the University HIPAA Privacy Officer at the addresses provided in Section VI.
V. IMPLEMENTATION, QUESTIONS AND COMPLAINTS
A. IMPLEMENTATION. This Notice provides a general overview of our privacy practices. This Notice and our privacy practices are implemented in accordance with applicable University policies and procedures and the requirements of HIPAA and other federal and Maryland laws, as applicable.
B. QUESTIONS. If you want more information about our privacy practices or have any questions or concerns, please contact the Health Center’s Privacy Coordinator or the University’s HIPAA Privacy Officer at the addresses provided in Section VI.
C. COMPLAINTS. If you believe your privacy rights have been violated, you may file a complaint with the Health Center’s Privacy Coordinator or the University’s HIPAA Privacy Officer at the addresses provided in Section VI. A complaint may also be filed with the U.S. Department of Health and Human Services (HHS). We will provide you with the address to file a complaint with HHS upon request. All complaints must be submitted in writing. We will not retaliate against you in any way if you file a complaint with us or with HHS.
VI. CHESAPEAKE REGIONAL INFORMATION SYSTEM FOR OUR PATIENTS
We have chosen to participate in the Chesapeake Regional Information System for our Patients (CRISP), a regional health information exchange serving Maryland and D.C. As permitted by law, your health information will be shared with this exchange in order to provide faster access and better coordination of care and to assist providers and public health officials in making more informed decisions. You may “opt-out” and disable access to your health information available through CRISP by calling 1-877-952-7477 or completing and submitting an Opt-Out form to CRISP by mail, fax or through their website at www.crisphealth.org. Public health reporting and Controlled Dangerous Substances information, as part of the Maryland Prescription Drug Monitoring Program (PDMP), will still be available to providers.
VII. CONTACT INFORMATION
If you have any questions regarding this Notice or our health information privacy practices, please contact the:
University HIPAA Privacy Officer at:
Office of the Vice President of Student Affairs
2108J Mitchell Building
University of Maryland
College Park, MD 20742
Health Center Privacy Coordinator at:
University Health Center
Building 140, Campus Drive
College Park, MD 20742
Other Health Center personnel may be contacted as follows:
Medical Records Supervisor
University Health Center
Building 140, Campus Drive
College Park, MD 20742
University Health Center
Building 140, Campus Drive
College Park, MD 20742
The University’s HIPAA web address is: http://www.hipaa.umd.edu.
The Health Center's web address is: http://www.health.umd.edu.
This Notice is effective March 4, 2015.