Effective Date: 4/14/2003 Revised: 11/18/2014
This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
St. Luke’s Health System (St. Luke’s) is required by law to maintain the privacy of your health information, to notify you of our legal duties and privacy practices with respect to your protected health information, and to notify affected individuals following a breach of unsecured health information. This Notice summarizes St. Luke’s duties and your rights concerning your protected health information. Our duties and your rights are set forth more fully in 45 C.F.R. part 164. We are required to abide by the terms of the Notice that is currently in effect.
I. Uses and Disclosures of Information that Do Not Require Written Authorization
We may use or disclose protected health information for the following purposes without your written authorization.
- Treatment. We may use or disclose protected health information to provide treatment to you. For example, doctors or hospital staff may use information in your medical records to diagnose or treat your condition. In addition, we may disclose your information to health care providers outside St. Luke’s so they may help treat you.
- Payment. We may use or disclose protected health information so that we, or other health care providers, may obtain payment for treatment you received. For example, we may disclose information from your medical records to your health insurance company to obtain pre-authorization for treatment or submit a claim for payment.
- Health Care Operations. We may use or disclose protected health information for certain health care operations that are necessary to providing health care services and ensure our patients receive quality care. For example, we may use information from your medical records to review the performance or qualifications of physicians and staff, train staff, or make business decisions affecting St. Luke’s and its services.
- Other Uses or Disclosures that do not require written authorization. St. Luke’s may also use or disclose your information for certain other purposes allowed by 45 CFR § 164.512 or other applicable laws and regulations, including the following:
- Idaho Health Data Exchange (IHDE). St. Luke’s is a member of the IHDE, a secure, HIPAA compliant statewide Internet-based “virtual” health record information shared with IHDE is for treatment, payment, and health care operations. The virtual health record contains lab results, transcribed reports, radiology results, medical history, insurance and demographic information from all of your health care providers who participate in IHDE. You may request to have your information restricted from IHDE members by completing a Request to Restrict Disclosure of Health Information Form (download at https://idahohde.org/patients/) and submitting it directly to IHDE by mail or fax. You may also contact IHDE at: (208) 332-7253.
- Required by Law. We may use or disclose protected health information to the extent that such use or disclosure is required by law.
- Threat to Health or Safety. We may use or disclose protected health information to avert a serious threat to your health or safety or the health and safety of others.
- Abuse or Neglect. We must disclose protected health information to the appropriate government agency if we believe it is related to child abuse or neglect, or if we believe you have been a victim of abuse, neglect, or domestic violence.
- Communicable Diseases. We are required to disclose protected health information concerning certain communicable diseases to the appropriate government agency. To the extent authorized by law, we may also disclose protected health information to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading the disease or condition.
- Public Health Activities. We may use or disclose protected health information for certain public health activities, such as reporting information necessary to prevent or control disease, injury, or disability, reporting births and deaths, or reporting limited information for FDA activities.
- Health Oversight Activities. We may disclose protected health information to governmental health oversight agencies to help perform certain activities authorized by law, such as audits, investigations, and inspections.
- Judicial and Administrative Proceedings. We may disclose protected health information in response to an order of a court or administrative tribunal. We may also disclose protected health information in response to a subpoena, discovery request, or other lawful process if we receive satisfactory assurances from the person requesting the information that efforts have been made to inform you of the request or to obtain a protective order.
- Law Enforcement. We may disclose protected health information, subject to specific limitations, for certain law enforcement purposes, including to identify, locate, or catch a suspect, fugitive, material witness, or missing person; to provide information about the victim of a crime; to alert law enforcement that a person may have died as a result of a crime; or to report a crime.
- National Security. We may disclose protected health information to authorized federal officials for national security activities.
- Coroners and Funeral Directors. We may disclose protected health information to a coroner or medical examiner to identify a deceased person, determine cause of death, or permit the coroner or medical examiner to fulfill their legal duties. We may also disclose information to funeral directors to allow them to carry out their duties.
- Organ Donation. We may use or disclose protected health information to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs or tissue.
- Research. We may use or disclose protected health information for research if approved by an institutional review board or privacy board and appropriate steps have been taken to protect the information.
- Workers’ Compensation. We may disclose protected health information as authorized by workers’ compensation laws and other similar legally established programs.
- Appointments and Services. We may use or disclose protected health information to contact you to provide appointment reminders, or to provide information about treatment alternatives or other health-related benefits and services that may be of interest to you.
- Fundraising. We may use or disclose limited protected health information to contact you to raise funds for the hospital, including certain demographic information, insurance and the date(s) that treatment was provided to you. Fundraising communications include information on how to stop (opt-out from) further communications.
- Marketing. We may use or disclose protected health information for limited marketing activities, including face-to-face communications with you about our services.
- Business Associates. We may disclose protected health information to our third party business associates who perform activities involving protected health information for St. Luke’s, e.g., billing or transcription services. Our contracts with the business associates require them to protect your health information.
- Military. If you are in the military, we may disclose protected health information as required by military command authorities.
- Inmates or Persons in Police Custody. If you are an inmate or in the custody of law enforcement, we may disclose protected health information if necessary for your health care, for the health and safety of others, or for the safety or security of the correctional institution.
II. Uses and Disclosures of Information That We May Make Unless You Object
There are certain uses and disclosures we may make where you will have the opportunity to agree or object to the sharing of information. A written authorization is not required. Any use and disclosure we make would be relevant to your current situation and in your best interests. Unless you instruct us otherwise, we may disclose information as follows:
- Facility Directories. Unless you object, we will include your name, your location in the hospital, your general condition, and your religious affiliation in our facility directory. If a person asks for you by name and you are listed in the directory, we will only disclose your name, general condition, and location in our directory. We may disclose your religious affiliation, if you listed it, to clergy.
- Persons Involved in Your Health Care. Unless you object, we may disclose protected health information to a member of your family, relative, close friend, or other person identified by you who is involved in your health care or the payment for your health care. We will limit the disclosure to the protected health information relevant to that person’s involvement in your health care or payment.
- Notification. Unless you object, we may use or disclose protected health information to notify a family member or other person responsible for your care of your location and condition. Among other things, we may disclose protected health information to a disaster relief agency to help notify family members.
III. Uses and Disclosures of Information That We May Make With Your Written Authorization
We will obtain a written authorization from you before using or disclosing your protected health information for purposes other than those summarized above. Examples of where your authorization would be required include, but are not limited to: disclosure of psychotherapy notes, marketing purposes that require authorizations, or if any of your health information would be sold. You may revoke your authorization by submitting a written notice to the Health Information Management Department (Medical Records). The revoke of the authorization will not be effective for disclosures we have already made while the authorization was in effect.
IV. Your Rights Concerning Your Protected Health Information
You have the following rights concerning your protected health information. To exercise any of these rights, you must submit a written request to the Privacy Contact identified below or to the Health Information Management Department (Medical Records).
- Right to Request Additional Restrictions to uses and disclosures.
You may request additional restrictions on the use or disclosure of your protected health information for treatment, payment, or health care operations.
- We are required to review the restriction; however, we are not required to agree to a requested restriction except for a request to restrict disclosure of information to your insurance carrier or health plan, if the services that you do not want billed are paid for in full at the time of service.
- If we agree to a restriction, we will comply with the restriction unless an emergency situation or the law prevents us from complying with the restriction, or until the restriction is terminated by you.
- Right to Receive Communications by Alternative Means.
We normally contact you by telephone or mail at your home address. You may request that we contact you by some other method or at some other location. We will not ask you to explain the reason for your request. We will accommodate reasonable requests. We will provide information on any payment that may be applicable to the alternative communication request and discuss how you will handle this payment.
- Right to Inspect and Copy Records.
You may inspect and/or obtain a copy of protected health information that is used to make decisions about your care or payment for your care. We may charge you a reasonable cost-based fee for providing the records. We may deny your request under limited circumstances, e.g., if you seek psychotherapy notes; information prepared for legal proceedings; or if disclosure may result in substantial harm to you or others.
- Right to Authorize a Copy of Records to a Third Party.
You may authorize a copy of your protected health information be given to a third party. We may charge a reasonable cost based fee for providing the records. The authorization must be signed by the patient or personal representative.
- Right to Request Amendment to Record.
You may request that your protected health information be amended. You must explain the reason for your request in writing. We may deny your request if we did not create the record unless the originator is no longer available; if you do not have a right to access the record; or if we determine that the record is accurate and complete. If we deny your request, you have the right to submit a statement disagreeing with our decision and to have the statement attached to the record.
- Right to an Accounting of Certain Disclosures.
You may receive an accounting of certain disclosures we have made of your protected health information within the last six years from the date of your request. We are not required to account for disclosures for treatment, payment, or health care operations; to family members or others involved in your health care or payment; for notification purposes; or pursuant to our facility directory or your written authorization. You may receive the first accounting within a 12-month period free of charge. We may charge a reasonable cost-based fee for all subsequent requests during that 12-month period.
- Right to a Copy of This Notice.
You have the right to obtain a paper copy of this Joint Notice upon request. You have this right even if you have agreed to receive the Joint Notice electronically.
V. Changes to This Joint Notice
We reserve the right to change the terms of our Joint Notice of Privacy Practices at any time, and to make the new Notice provisions effective for all protected health information that we maintain. If we materially change our privacy practices, we will prepare a new Joint Notice of Privacy Practices, which shall be effective for all protected health information that we maintain. We will post a copy of the current Joint Notice in all registration areas and on our website. You may obtain a copy of the current Joint Notice in our registration area, or by contacting the Privacy Contact identified below.
VI. Entities Covered by This Joint Notice
This Joint Notice of Privacy Practices applies to all entities and the workforce members of St. Luke’s Health System including hospitals, critical access hospitals, outpatient clinics, surgery centers, urgent care locations, their departments and units wherever located, their employees, staff, and other hospital personnel, and volunteers whom we allow to help you while you are receiving care at St. Luke’s. This Joint Notice of Privacy Practices also applies to physicians and other members of the Medical Staff who have agreed to abide by its terms concerning the services they perform on behalf of the entities listed above. Members of the Medical Staff, including your personal physician, may have different privacy policies or practices relating to their use or disclosure of protected health information created or maintained in their clinic or office.
VII. Questions, Concerns or Complaints:
- St. Luke’s Privacy Contact: If you have any questions about this Notice, or if you want to object to or complain about any use or disclosure or exercise any right as explained above, please call:
- The System Privacy Officer at 208-493-0383 or
- The Compliance Line at 1-800-729-0966.
- You may also raise complaints with the Secretary of Health and Human Services if you believe your privacy rights have been violated. All complaints must be in writing and may be sent by mail, fax, email, or electronically. St. Luke’s will not retaliate against you for filing a complaint.