Effective Date: September 30, 2019
THIS NOTICE OF PRIVACY PRACTICES (“NOTICE”) DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This Notice applies to the Wilmette Pediatric Ambulatory Facility (the “Facility”) operated by both Advocate Aurora Health, through its subsidiary, Advocate Health Care Network, and NorthShore University HealthSystem (“we” or “us”). We are operating the Facility as an Organized Health Care Arrangement (“OHCA”) to enable us to deliver improved health care by combining our resources. As an OHCA, we may provide you with this single Notice and allow the physicians and staff at Advocate and NorthShore to have shared access to certain protected health information for purposes of treatment, payment, and health care operations, and as otherwise permitted by law. Each member of the OHCA retains its own legal identity and is committed to compliance with the Health Insurance Portability and Accountability Act of 1996 and its regulations (“HIPAA”). This Notice describes certain rights you have with respect to your health information pursuant to HIPAA. This Notice further describes how you may exercise your rights and certain obligations we have.
UNDERSTANDING YOUR MEDICAL INFORMATION
We understand that medical information about you and your health is personal. We are committed to protecting your medical information. Each time you visit a hospital, physician, or other health care provider, they document information about you and your visit. Typically, this record contains, among other information, your name, symptoms, health history, examination and test results, diagnoses, current and future treatment, and billing-related information (“Medical Information”). This Medical Information is used to provide you with quality care and to comply with certain legal requirements. This Notice will tell you how we may use and disclose Medical Information about you. It also describes your rights and certain obligations we have regarding the use and disclosure of your Medical Information. We are required by law to:
- Maintain the privacy of your Medical Information.
- Notify you following a breach of unsecured Medical Information.
- Provide you with this Notice of our legal duties and privacy practices with respect to information we collect and maintain about you.
- Follow the terms of this Notice or a Notice that is in effect at the time we use or disclose your Medical Information.
USES AND DISCLOSURES OF YOUR MEDICAL INFORMATION
The following categories describe different ways in which we may use and disclose your Medical Information without your written permission. With respect to use and disclosure of your Medical Information for Treatment, Payment and Health Care Operations, we may share your Medical Information with any of the entities referenced in this Notice, or any physician or other health care provider as allowed by law.
For Treatment. We may use your Medical Information to provide, coordinate or manage your medical treatment and related services. Your Medical Information can be shared with physicians, nurses, technicians and others involved in your care and these individuals will collect and document information about you in your medical record. To assure immediate continuity of care, we may disclose information to a physician or other health care provider who will be assuming your care. For example, different departments may share your Medical Information to coordinate the different services you may need such as prescriptions, lab work, meals and X-rays or other diagnostic tests. To facilitate access to information for the treatment purposes of shared patients, we may participate in the electronic exchange of health information with other entities.
For Payment. In most cases, we may use and disclose your Medical Information so that the treatments and services you receive may be billed and payment may be collected from you, an insurance company or a third party. For example, we may need to give information about the surgery you received to your health plan so your health plan will pay us or reimburse you for the surgery. We also may tell your health plan about a treatment you are going to receive to obtain prior approval or to determine whether your plan will cover the treatment. In certain situations, we may disclose your Medical Information to a collection agency if a bill is not paid. Additionally, we may also disclose your health information to another health care provider for their payment related activities.
For Health Care Operations. We may use and disclose your Medical Information in connection with our health care operations including, but not limited to the following:
- Quality assessment and improvement activities.
- Related functions that do not include treatment.
- Competence or qualification reviews of health care professionals.
- Training programs, accreditation, certification, licensing or credentialing activities.
Additionally, we may also disclose your Medical Information to another covered entity that you have seen so they may improve their quality or cost, or for their other health care operations purposes.
Joint Electronic Medical Record. In an effort to improve the quality and efficiency of health care in our surrounding communities through the adoption of interoperable electronic medical records, we may allow other health care providers to participate in a joint electronic medical record. As an example, by allowing other health care providers to share an electronic medical record, they can improve the efficiency of a patient’s health care with the ability to electronically prescribe medications or order tests. These health care providers are also held to the same high standards for protecting the privacy and security of Medical Information. Health care provider participants are expected to ensure that users of the joint electronic medical record only access, use, and disclose the Medical Information only in accordance with applicable law and policies.
Directory (Hospitals Only). When you are a patient in one of our hospitals, we may list your name, room location, general condition (such as fair or stable), and religious affiliation in the hospital’s inpatient directory. This directory information, except for your religious affiliation, may be provided to people who ask for you by name. We may disclose your name, room location, general condition, and religious affiliation to a member of the clergy who asks for you by your name or by your listed religious affiliation. We may also disclose your name and general condition to a member of the media who asks for you by name. If you do not want to be listed in our hospital directory or do not want us to give such information to members of either the clergy, media, or general public, you must inform your nurse or a registration representative. Please note that if you are not listed in our hospital directory, we will not confirm to those who ask for you at the visitors’ desks or who call the operator that you are currently a patient. In addition, you will not be able to receive mail or flower deliveries.
If you are receiving mental health or substance use services in an inpatient behavioral health unit during this hospitalization, we will not disclose any information without your prior written authorization.
Individuals Involved in Your Care or Payment for Your Care. We may disclose the minimum necessary Medical Information about you to a family member, other relative, close personal friend or any other person you identify who is involved in your medical care. We also may disclose the minimum necessary information to someone who helps pay for your care. If you are able and available to agree or object, we will give you the opportunity to agree or object to such uses and disclosures. If you are not available or in the event of an emergency or other situation where you are not able to identify your chosen person(s) to receive communications about you, we may exercise our professional judgment to determine whether such a disclosure is in your best interest, who is the appropriate person(s) and what Medical Information is relevant to their involvement with your health care. We may also disclose your Medical Information to an organization, such as the American Red Cross which is assisting in a disaster relief effort, so that your family can be notified about your condition, status and location. We will also use our professional judgement and our experience with common practice to make reasonable inferences of your best interest in allowing a person to pick up filled prescriptions, medical supplies, X-rays or other similar forms of Medical Information.
Research. Under certain circumstances, we may use or disclose your Medical Information to identify you as a potential candidate for a research study that has been approved by an Institutional Review Board. This approval is given after an evaluation of a proposed research project and its uses of Medical Information, and always with an effort to balance the requirements of sound research with patients’ need for privacy of their Medical Information. We may disclose Medical Information about you to people preparing to conduct a research project, for example, to help them look for patients with specific medical needs, so long as the Medical Information they review does not leave the site. We may use or disclose your Medical Information without your consent or authorization if an Institutional Review Board or Privacy Board approves a waiver of authorization for disclosure.
To Avert a Serious Threat to Health or Safety. We may use or disclose your Medical Information to prevent or lessen a serious and imminent threat to a person’s or the public’s health or safety.
Business Associates. We provide some services through other persons or companies that need access to your health information to carry out these services. The law refers to these persons or companies as our Business Associates. We may disclose, as allowed by law, your health information to our Business Associates so that they can do the job we have contracted with them to do. Examples of Business Associates include companies that assist with billing services or copying medical records. We may send other business associates called registries (such as a Cancer Registry) summarized information about patients who have been treated with similar problems such as cancer or trauma, to help physicians improve the quality of care for other patients with similar problems. We require through a written contract that our Business Associates use appropriate safeguards to ensure the privacy of your Medical Information.
Fundraising. We are not-for-profit organizations that rely on charitable gifts to support our missions. In the continuing effort to enhance our capacity to conduct our mission of service to patients and families, periodic fundraising communications may be sent to you. The law allows us to share minimal information about you with our fundraising foundations; however, we will not share your information with other organizations for fundraising purposes. If you do not wish to receive these communications you may tell us by contacting us in writing at: 1033 University Place, #450, Evanston, IL 60201; by email to: email@example.com; or by phone: 224.364.7200.
Other Communications with You. We may use and disclose your Medical Information to contact you at the address and telephone numbers you give us about scheduled or canceled appointments with your physicians or other health care team members, registration or insurance updates, billing and/or payment matters, information about patient care issues, treatment choices and follow-up care instruction, and other health-related benefits and services that may be of interest to you. This may include leaving messages at your home or on voicemail or mailing you postcard reminders. Such communications may be sent to you via text message or email, to the extent that we have been provided with a cell phone number or email address.
We may also use and disclose your Medical Information without your written permission for the following purposes:
Lawsuits and Disputes. We may disclose your Medical Information in the course of a judicial and administrative proceeding, in response to an order of a court or other tribunal to the extent that such disclosure is authorized and, in certain conditions, in response to a subpoena, discovery request or other lawful process.
Law Enforcement. We may disclose your Medical Information to the police or other law enforcement officials as part of law enforcement activities, in investigations of criminal conduct, in response to a court order, in emergency circumstances, or when otherwise required to do so by law.
Required by Law. We may disclose your Medical Information when required by law to do so.
Disaster Relief Efforts. We may disclose your Medical Information to organizations for the purpose of disaster relief efforts.
Coroners, Medical Examiners and Funeral Directors. We may release Medical Information about you to a coroner or medical examiner as necessary to identify a deceased person or to determine the cause of death. We also may release your Medical Information to funeral directors as necessary for them to carry out their duties.
Organ and Tissue Donation. If you are an organ donor, we may release your Medical Information to organizations that obtain organs or handle organ, eye or tissue transplantation. We may also release your Medical Information to an organ bank to arrange for organ or tissue donation and transplantation.
Military and Veterans. If you are a member of the military or a veteran, we may release your Medical Information to the proper authorities so they may carry out their duties under the law.
Inmates. If you are an inmate in a correctional institution or in the custody of a law enforcement official, we may disclose Medical Information about you to the correctional institution or law enforcement official as necessary so that their duties can be carried out under the law.
Workers Compensation. We may disclose your Medical Information as allowed or required by state law relating to workers’ compensation benefits for work-related injuries or illness or to other similar programs.
Public Health Activities. We may disclose your Medical Information for the following public health activities: (1) to report health information to public health authorities for the purpose of preventing or controlling disease, injury or disability; (2) to report child abuse and neglect to public health authorities or other government authorities authorized by law to receive such reports; (3) to report information about products and services under the jurisdiction of the U.S. Food and Drug Administration; (4) to alert a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition; and (5) to report information to your employer as required under laws addressing work-related illnesses and injuries or workplace medical surveillance. The appropriate government authorities may also be notified if we reasonably believe a patient has been the victim of elder abuse, neglect or domestic violence.
Health Oversight Activities and Specialized Government Functions. We may disclose your Medical Information to local, state or federal government authorities or agencies that oversee health care systems and ensure compliance with the rules of government health programs, such as Medicare or Medicaid and, under certain circumstances, to the U.S. Military or U.S. Department of State.
Uses and Disclosures Not Covered in this Notice. Other uses and disclosures of your Medical Information will be made only with your written permission unless otherwise permitted or required by law. If you provide us with permission to use or disclose Medical Information about you, you may revoke that permission in writing at any time. If you revoke your permission, we will no longer use or disclose Medical Information about you for the reasons covered by your written permission. Please understand that we are unable to take back any disclosures already made with your permission and that we are required to retain the records of the care provided to you.
USES AND DISCLOSURES REQUIRING YOUR WRITTEN AUTHORIZATION
Use or Disclosure with Your Authorization. We must obtain your written authorization for most uses and disclosures of psychotherapy notes, uses and disclosures of Medical Information for marketing purposes and disclosures that constitute the sale of Medical Information. Additionally, other uses and disclosures of Medical Information not described in this Notice will be made only when you give us your written permission on an authorization form (“Your Authorization”). For instance, you will need to sign and complete an authorization form before we can send your PHI to a life insurance company.
Uses and Disclosures of Your Highly Confidential Information. Federal and state laws require special privacy protections for certain highly confidential information about you (“Highly Confidential Information”). This Highly Confidential Information may include the subset of your Medical Information that is maintained in psychotherapy notes. Other Highly Confidential Information may include HIV test results, mental health or substance use information regulated by other laws. These state and federal laws may have more restrictive requirements. In most cases, in order for us to disclose your Highly Confidential Information for a purpose other than those permitted by law, we must have Your Authorization.
Revocation of Your Authorization. You may withdraw (revoke) Your Authorization or any written authorization regarding your Highly Confidential Information (except to the extent we have taken action in reliance upon it) by delivering a written statement to the Privacy Officer identified below.
YOUR RIGHTS REGARDING YOUR MEDICAL INFORMATION
You have the following rights regarding the Medical Information we maintain about you:
Right to Inspect and Copy. You may request access to your medical record and billing records maintained by us in order to inspect and request copies of the records. Under limited circumstances, we may deny you access to a portion of your records. If you would like to access your records, you must submit your request in writing.
- To obtain a copy of your Medical Information contact the medical records department at the facility where you receive care.
- To obtain your billing information, contact the billing department.
- To request information from a retail pharmacy or vision center, inquire at the counter.
If you request a copy of your Medical Information, we may charge you a cost-based fee, consistent with applicable state law, that includes labor for copying the Medical Information; supplies for creating the paper copy or electronic media if you request an electronic copy on portable media; our postage costs, if you request that we mail the copies to you; and if you agree in advance, the cost of preparing an explanation or summary of the Medical Information. If you are denied access to your Medical Information, you may request that the denial be reviewed. A licensed health care professional chosen by us will review your request and the denial. The person conducting the review will not be the person who denied your request. We will comply with the decision that is the outcome of the review.
Right to Amend. If you feel that the Medical Information we have on record is inaccurate or incomplete, you have the right to request an amendment as long as the information is kept by or for us. If the Medical Information is kept by another hospital or provider, we cannot act on your request. You must contact them directly. Your request for an amendment must be in writing and must state the reasons for the request. The written request can be made using the amendment request form available at your site of care. We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. We are not obligated to make all requested amendments, but will give each request careful consideration. If your request is denied, you have the right to send a letter of objection that will then be attached to your permanent medical record. Please note that even if we accept your request, we may not delete any information already documented in your medical record.
Right to an Accounting of Disclosures. You have the right to ask us for an “accounting of disclosures.” This is a listing of certain individuals or entities that have received your Medical Information from us. The listing will not cover Medical Information that was given to you or your personal representative or to others with your permission. In addition, it will not cover Medical Information that was given in order to:
- Provide or arrange care for you;
- Facilitate payment for your healthcare services; and/or
- Assist us in our operations.
Your request for an accounting of disclosures must be made in writing. The list you receive will include only the disclosures made for the time period indicated in your request, but may not exceed a six-year period prior to the date of your request. The first list you request within a 12-month period will be free. For additional lists, we may charge you for the reasonable costs associated with providing the list. We will notify you of costs involved. You may choose to withdraw or modify your request at any time before costs are incurred.
Right to Request Restrictions. You have the right to ask us to restrict or limit the Medical Information we use or disclose about you for treatment, payment or healthcare operations. In addition, if you pay for a particular service in full, out-of-pocket, on the date of service, you may ask us not to disclose any related Medical Information to your health plan for payment or health care operations purposes. Unless required by law, we are not required to agree to all requests. If we do agree, we will comply unless the information is needed to provide emergency treatment. Requests for a restriction must be made in writing and may be submitted to the medical record department at the location where you receive health services, or at the point of care for requests for restrictions to your health plan for services that were paid out-of-pocket.
Right to Request Confidential Communications. You have the right to ask us to communicate with you about medical matters in a certain way or at a certain location. For example, you may ask that we contact you only by sending materials to a P.O. Box instead of your home address. We will not ask the reason for your request and we will accommodate all reasonable requests. Your request should be made at the point of care at the location where you receive health services and must specify how or where you wish to be contacted.
Right to a Paper Copy of this Notice. Upon your request, you may obtain a copy of this Notice, either by email or in paper format. To do so, please submit your request to the privacy officer of either NorthShore or Advocate at the contact information listed at the bottom of this notice. You also may access a copy of this Notice on our web sites at https://www.AdvocateAuroraHealth.org or https://www.northshore.org/anpp-npp.
EFFECTIVE DATE AND DURATION OF THIS NOTICE
This Notice is effective on September 30, 2019, unless and until it is revised by us.
We reserve the right to change our privacy practices, policies and procedures and our Notice of Privacy Practices at any time. We also reserve the right to make the revised privacy policies, procedures and Notice effective for Medical Information we already have about you as well as any information we receive in the future. We will post a copy of the current Notice in our facilities and on our Internet site. You may also obtain any new notice by contacting either of our Privacy Officers. In addition, each time you register or visit our Facility, a copy of the current Notice will be available.
RIGHT TO FILE A COMPLAINT
If you would like more information about your privacy rights, if you are concerned that we may have violated your privacy rights, or if you disagree with a decision that we made about access to your Medical Information, you may contact one of our Privacy Officers. You may also file written complaints with the Director, Office for Civil Rights of the U.S. Department of Health and Human Services by visiting www.hhs.gov/ocr/privacy/hipaa/complaints. We will not retaliate against you if you file a complaint with us or the Director.
If you have any concerns or questions about NorthShore or Advocate Aurora Health’s HIPAA compliance or this Notice, please contact the applicable Privacy Officer noted below:
If to NorthShore:
NorthShore’s Health Information Management Department
4901 Searle Parkway, Suite 170
Skokie, IL 60076
If to Advocate Aurora Health:
Chief Privacy Officer
Advocate Aurora Health
750 W. Virginia Street
Milwaukee, WI 53204 Phone: