Notice of Privacy Practice
Effective Date: April 2003; Revised September 24, 2013; Revised September 4, 2015; Revised August 5, 2016
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
We are required by law to protect the privacy of health information that may reveal your identity, and to provide you with a copy of this notice which describes the health information privacy practices of St. Mary’s health care professionals who provide treatment or care for St. Mary’s patients, and affiliated health care providers that jointly perform payment activities and business operations with St. Mary’s. A copy of our current notice will always be available in the reception area of all of our sites. You or your personal representative may also obtain a copy of this notice by requesting a copy from St. Mary’s staff or Thomas DeCaneo, Privacy Officer at (718) 281-8587.
Generally, when this notice uses the words, “you” or “your,” it is referring to the patient which is the subject of patient information. However, when this Notice discusses rights regarding patient information, including rights to access or authorize the disclosure of patient information, “you” and “your” may refer to a minor-patient’s parent(s), legal guardian or other personal representative, or, as applicable, an adult patient’s personal representative.
If you have any questions about this notice or would like further information, please contactThomas DeCaneo, Privacy Officer at (718) 281-8587.
Important Summary Information
Requirement for Written Authorization. We will generally obtain your written authorization before using your health information or sharing it with others outside St. Mary’s Healthcare System. You may also initiate the transfer of your records to another person by completing an authorization form. Your written authorization is required prior to the use or sharing of psychotherapy notes. We will not sell or receive anything of value in exchange for your medical information without your written authorization. Your information will not be used for marketing purposes without your written authorization. If you provide us with written authorization, you may revoke that authorization at any time, except to the extent that we have already relied upon it. To revoke an authorization, please contact Thomas DeCaneo, Privacy Officer at (718) 281-8587.
Exceptions to Requirement. There are some situations when we do not need your written authorization before using your health information or sharing it with others. They are:
- Exception for Treatment, Payment, and St. Mary’s Operations. For more information, see page 3-4 of this notice.
- Exception for Disclosure to Friends and Family Involved in Your Care. We will ask you whether you have any objection to sharing information about your health with your friends and family involved in your care. For more information, see page 4 of this notice.
- Exception in Emergencies or Public Need. We may use or disclose your health information in an emergency or for important public needs. For example, we may share your information with public health officials at the New York State or city health departments who are authorized to investigate and control the spread of diseases. For more examples, see pages 4-6 of this notice.
- Exception if Information Does Not Identify You. We may use or disclose your health information if we have removed any information that might reveal who you are.
How to Access Your Health Information. You generally have the right to inspect and to receive a copy your health information. For more information, please see page 6 of this notice.
How to Correct Your Health Information. You have the right to request that we amend your health information if you believe it is inaccurate or incomplete. For more information, please see page 7 of this notice.
How to Keep Track of the Ways Your Health Information Has Been Shared with Others. You have the right to receive a list from us, called an “accounting list,” which provides information about when and how we have disclosed your health information to outside persons or organizations. Many routine disclosures we make will not be included on this list, but the list will identify non-routine disclosures of your information. For more information, please see page 7 of this notice.
How to Request Additional Privacy Protections. You have the right to request further restrictions on the way we use your health information or share it with others. We are not required to agree to the restriction you request, but if we do, we will be bound by our agreement. For more information, please see page 8 of this notice.
How to Request More Confidential Communications. You have the right to request that we contact you in a way that is more confidential for you. We will try to accommodate all reasonable requests. For more information, please see page 8 of this notice.
How Someone May Act on Your Behalf. You have the right to name a personal representative who may act on your behalf to control the privacy of your health information. Parents and guardians will generally have the right to control the privacy of health information about minors unless the minors are permitted by law to act on their own behalf.
How to Learn About Special Protections for HIV, Alcohol and Substance Abuse, Mental Health and Genetic Information. Special privacy protections apply to HIV-related information, alcohol and substance abuse information, mental health information, and genetic information. Some parts of this general Notice of Privacy Practices may not apply to these types of information. If your treatment involves this information, you will be provided with separate notices explaining how the information will be protected. To request copies of these other notices now, please contact Thomas DeCaneo, Privacy Officer at (718) 281-8587.
How to Obtain a Copy of this Notice. You have the right to a paper copy of this notice. You may request a paper copy at any time. To do so, please ask a St. Mary’s staff member or Thomas DeCaneo, Privacy Officer at (718) 281-8587. You or your personal representative may also obtain a copy of this notice by requesting a copy from St. Mary’s staff.
How to Obtain a Copy of Revised Notices. We may change our privacy practices from time to time. If we do, we will revise this notice so you will have an accurate summary of our practices. The revised notice will apply to all of your health information, and we will be required by law to abide by its terms. We will post any revised notice in St. Mary’s reception area. You or your personal representative will also be able to obtain your own copy of the revised notice by requesting a copy from a St. Mary’s staff member or Thomas DeCaneo, Privacy Officer at (718) 281-8587. The effective date of the notice will always be located in the top right corner of the first page.
How to File a Complaint. If you believe your privacy rights have been violated, you may file a complaint with us or with the Secretary of the Department of Health and Human Services. To file a complaint with us, please contact Thomas DeCaneo, Privacy Officer at (718) 281-8587. No one will retaliate or take action against you for filing a complaint.
What Health Information Is Protected
We are committed to protecting the privacy of information we gather about you while providing health-related services. Some examples of protected health information are:
- information about your health condition (such as a disease you may have);
- information about health care services you have received or may receive in the future (such as an operation);
- information about your health care benefits under an insurance plan (such as whether a prescription is covered);
- geographic information (such as where you used to live or work);
- demographic information (such as your race, gender, ethnicity, or marital status);
- unique numbers that may identify you (such as social security number, phone number, or driver’s license number); and
- other types of information that may identify who you are.
How We May Use And Disclose Your Health Information Without Your Written Authorization
1. Treatment, Payment and St. Mary’s Business Operations
St. Mary’s staff and other health care professionals in the St. Mary’s Healthcare System may use your health information or share it with others for the purposes of your treatment or care, obtaining payment for treatment or care, and conducting St. Mary’s normal business operations. Your health information may also be shared with affiliated health care facilities and providers so that they may jointly perform certain payment activities and business operations along with St. Mary’s. Below are further examples of how your information may be used with your consent.
Treatment. We may share your health information with health care providers at St. Mary’s who are involved in taking care of you, and they may in turn use that information to diagnose or treat you. A health care provider at St. Mary’s may share your health information with another health care provider inside St. Mary’s, or at another health care facility, to determine how to diagnose or treat you. A health care provider may also share your health information with another health care provider to whom you have been referred for further health care.
Payment. We may use your health information or share it with others so that we obtain payment for your health care services. For example, we may share information about you with your health insurance company in order to obtain reimbursement for treatment or care we have provided to you. In some cases, we may share information about you with your health insurance company to determine whether it will cover your future treatment or care.
Business Operations. We may use your health information or share it with others in order to conduct our normal business operations. For example, we may use your health information to evaluate the performance of our staff in caring for you, or to educate our staff on how to improve the care they provide to you. We may also share your health information with another company that performs business services for us, such as a billing company. If so, we will have a written contract to ensure that this company also protects the privacy of your health information.
Treatment Alternatives, Benefits and Services. We may use your health information when we contact you in order to recommend possible treatment alternatives or health-related benefits and services that may be of interest to you.
Fundraising. We may use your information when deciding whether to contact you or your personal representative to raise money to help us operate. We may also share this information with a charitable foundation that will contact you or your personal representative to raise money on our behalf. If you do not want to be contacted for these fundraising efforts, please contact Thomas DeCaneo, Privacy Officer at (718) 281-8587.
2. Friends and Family
We may share your information with friends and family involved in your care, without your written authorization or consent. We will always give you an opportunity to object. We will follow your wishes unless we are required by law to do otherwise.
Friends and Family Involved in Your Care. If you do not object, we may share your health information with a family member, relative, or close personal friend who is involved in your care or payment for that care. We may also notify a family member, personal representative or another person responsible for your care about your location and general condition here at the St. Mary’s, or about the unfortunate event of your death. In some cases, we may need to share your information with a disaster relief organization that will help us notify these persons. If you object to sharing your information with your family members, personal representative, or other person responsible for your care, please contact Thomas DeCaneo, Privacy Officer (718)281-8587.
3. Emergencies or Public Need
We may use your health information, and share it with others, in order to treat you in an emergency or to meet important public needs. We will not be required to obtain your written authorization, consent or any other type of permission before using or disclosing your information for these reasons.
Emergencies. We may use or disclose your health information if you need emergency treatment or if we are required by law to treat you but are unable to obtain your consent. If this happens, we will try to obtain your consent as soon as we reasonably can after we treat you.
Communication Barriers. We may use and disclose your health information if we are unable to obtain your consent because of substantial communication barriers, and we believe you would want us to treat you if we could communicate with you.
As Required by Law. We may use or disclose your health information if we are required by law to do so. We also will notify you of these uses and disclosures if notice is required by law.
Public Health Activities. We may disclose your health information to authorized public health officials (or a foreign government agency collaborating with such officials) so they may carry out their public health activities. For example, we may share your health information with government officials that are responsible for controlling disease, injury or disability. We may also disclose your health information to a person who may have been exposed to a communicable disease or be at risk for contracting or spreading the disease if a law permits us to do so.
Victims of Abuse, Neglect or Domestic Violence. We may release your health information to a public health authority that is authorized to receive reports of abuse, neglect or domestic violence. For example, we may report your information to government officials if we reasonably believe that you have been a victim of abuse, neglect or domestic violence. We will make every effort to obtain your permission before releasing this information, but in some cases we may be required or authorized to act without your permission.
Health Oversight Activities. We may release your health information to government agencies authorized to conduct audits, investigations, and inspections of our facility. These government agencies monitor the operation of the health care system, government benefit programs such as Medicare and Medicaid, and compliance with government regulatory programs and civil rights laws.
Product Monitoring, Repair and Recall. We may disclose your health information to a person or company that is required by the Food and Drug Administration to: (1) report or track product defects or problems; (2) repair, replace, or recall defective or dangerous products; or (3) monitor the performance of a product after it has been approved for use by the general public.
Lawsuits and Disputes. We may disclose your health information if we are ordered to do so by a court that is handling a lawsuit or other dispute.
Law Enforcement. We may disclose your health information to law enforcement officials for the following reasons:
- To comply with court orders or laws that we are required to follow;
- To assist law enforcement officers with identifying or locating a suspect, fugitive, witness, or missing person;
- If you have been the victim of a crime and we determine that: (1) we have been unable to obtain your consent because of an emergency or your incapacity; (2) law enforcement officials need this information immediately to carry out their law enforcement duties; and (3) in our professional judgment disclosure to these officers is in your best interests;
- If we suspect that your death resulted from criminal conduct;
- If necessary to report a crime that occurred on our property;
To Avert a Serious Threat to Health or Safety. We may use your health information or share it with others when necessary to prevent a serious threat to your health or safety, or the health or safety of another person or the public. In such cases, we will only share your information with someone able to help prevent the threat. We may also disclose your health information to law enforcement officers if you tell us that you participated in a violent crime that may have caused serious physical harm to another person (unless you admitted that fact while in counseling), or if we determine that you escaped from lawful custody (such as a prison or mental health institution).
National Security and Intelligence Activities or Protective Services. We may disclose your health information to authorized federal officials who are conducting national security and intelligence activities or providing protective services to the President or other important officials.
Inmates and Correctional Institutions. If you later become incarcerated at a correctional institution or detained by a law enforcement officer, we may disclose your health information to the prison officers or law enforcement officers if necessary to provide you with health care, or to maintain safety, security and good order at the place where you are confined. This includes sharing information that is necessary to protect the health and safety of other inmates or persons involved in supervising or transporting inmates.
Workers’ Compensation. We may disclose your health information for workers’ compensation or similar programs that provide benefits for work-related injuries.
Coroners, Medical Examiners and Funeral Directors. In the unfortunate event of your death, we may disclose your health information to a coroner or medical examiner. This may be necessary, for example, to determine the cause of death. We may also release this information to funeral directors as necessary to carry out their duties.
Organ and Tissue Donation. In the unfortunate event of your death, we may disclose your health information to organizations that procure or store organs, eyes or other tissues so that these organizations may investigate whether donation or transplantation is possible under applicable laws.
Research. In most cases, we will ask for your written authorization before using your health information or sharing it with others in order to conduct research. However, under some circumstances, we may use and disclose your health information without your authorization if we obtain approval through a special process to ensure that research without your authorization poses minimal risk to your privacy. Under no circumstances, however, would we allow researchers to use your name or identity publicly. We may also release your health information without your authorization to people who are preparing a future research project, so long as any information identifying you does not leave our facility. In the unfortunate event of your death, we may share your health information with people who are conducting research using the information of deceased persons, as long as they agree not to remove from our facility any information that identifies you.
Your Rights To Access And Control Your Health Information
We want you to know that you have the following rights to access and control your health information. These rights are important because they will help you make sure that the health information we have about you is accurate. They may also help you control the way we use your information and share it with others, or the way we communicate with you about your medical matters.
1. Right to Inspect and Obtain a Copy of Records
You have the right to inspect and obtain a copy of any of your health information that may be used to make decisions about your treatment for as long as we maintain this information in our records. This includes medical and billing records. To inspect or obtain a copy of your health information, please submit your request to Thomas DeCaneo, Privacy Officer (718)281-8587. Upon your request, we will provide you with a copy of your record in the format you request, if it is available. This includes a paper copy or electronic copy of your record, if it is available. If you request a copy of your record, we may charge a fee for the cost of copying, mailing or other supplies we use to fulfill your request. The standard fee is $0.75 per page for paper and $10.00 for an electronic copy. The fee must generally be paid before or at the time we give the copies to you. For St. Mary’s Hospital for Children residents, we will respond to your request for inspection of records within twenty-four hours and we ordinarily will respond to requests for copies within two working days. For patients and clients of all other St. Mary’s programs, access to your records will be made within ten days of your request.
Under certain very limited circumstances, we may deny your request to inspect or obtain a copy of your information. If we do, we will provide you with a summary of the information instead. We will also provide a written notice that explains our reasons for providing only a summary, and a complete description of your rights to have that decision reviewed and how you can exercise those rights. The notice will also include information on how to file a complaint about these issues with us or with the Secretary of the Department of Health and Human Services. If we have reason to deny only part of your request, we will provide complete access to the remaining parts after excluding the information we cannot let you inspect or copy. You may be charged a fee for the cost of preparing the summary of your record.
2. Right to Amend Records
If you believe that the health information we have about you is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept in our records. To request an amendment, please contact Thomas DeCaneo, Privacy Officer (718)281-8587. Your request should include the reasons why you think we should make the amendment. Ordinarily we will respond to your request within 60 days. If we need additional time to respond, we will notify you in writing within 60 days to explain the reason for the delay and when you can expect to have a final answer to your request.
If we deny part or your entire request, we will provide a written notice that explains our reasons for doing so. You will have the right to have certain information related to your requested amendment included in your records. For example, if you disagree with our decision, you will have an opportunity to submit a statement explaining your disagreement which we will include in your records. We will also include information on how to file a complaint with us or with the Secretary of the Department of Health and Human Services. These procedures will be explained in more detail in any written denial notice we send you.
3. Right to an Accounting of Disclosures
After April 14, 2003, you have a right to request an “accounting of disclosures” which is a list with information about how we have shared your information with others. An accounting list, however, will not include:
- Disclosures we made to you;
- Disclosures we made in order to provide you with treatment or care, obtain payment for that treatment or care, or conduct our normal business operations;
- Disclosures made to your friends and family involved in your care;
- Disclosures made to federal officials for national security and intelligence activities;
- Disclosures about inmates to correctional institutions or law enforcement officers; or
- Disclosures made before April 14, 2003.
To request this list, please contact Thomas DeCaneo, Privacy Officer at (718) 281-8587. Your request must state a time period for the disclosures you want us to include. For example, you may request a list of the disclosures that we made between January 1, 2004 and January 1, 2005. You have a right to one list within every twelve-month period for free. However, we may charge you for the cost of providing any additional lists in that same twelve-month period. We will always notify you of any cost involved so that you may choose to withdraw or modify your request before any costs are incurred.
Ordinarily we will respond to your request for an accounting list within 60 days. If we need additional time to prepare the accounting list you have requested, we will notify you in writing about the reason for the delay and the date when you can expect to receive the accounting list. In rare cases, we may have to delay providing you with the accounting list without notifying you because a law enforcement official or government agency has asked us to do so.
4. Right to be Notified in the Event of a Breach.
We will notify you if your medical information has been “breached” which means that the privacy or security of your information has been compromised (used or shared in a way that violates the law).
5. Right to Request Additional Privacy Protections
You have the right to request that we further restrict the way we use and disclose your health information to provide you with treatment or care, collect payment for that treatment or care, or to conduct St. Mary’s normal business operations. You may also request that we limit how we disclose information about you to family or friends involved in your care. For example, you could request that we not disclose information about a surgery you had. If you pay for services or health care items out-of-pocket in full, you can ask us not to share that information for the purpose of payment or our operations with your health insurer. We may agree unless a law requires us to share that information.
To request restrictions, please contact Thomas DeCaneo, Privacy Officer at (718) 281-8587. Your request should include (1) what information you want to limit; (2) whether you want to limit how we use the information, how we share it with others, or both; and (3) to whom you want the limits to apply.
We are not required to agree to your request for a restriction, and in some cases the restriction you request may not be permitted under law. However, if we do agree, we will be bound by our agreement unless the information is needed to provide you with emergency treatment or comply with the law. Once we have agreed to a restriction, you have the right to revoke the restriction at any time. Under some circumstances, we will also have the right to revoke the restriction as long as we notify you before doing so; in other cases, we will need your permission before we can revoke the restriction.
6. Right to Request Confidential Communications
You have the right to request that we communicate with you or your personal representative about your medical matters in a more confidential way. To request more confidential communications, please contact Thomas DeCaneo, Privacy Officer at (718) 281-8587. We will not ask you the reason for your request, and we will try to accommodate all reasonable requests. Please specify in your request how you or your personal representative wishes to be contacted, and how payment for your health care will be handled if we communicate with your personal representative through this alternative method or location.
FOR FURTHER INFORMATION, PLEASE CONTACT:
THOMAS DECANEO, PRIVACY OFFICER
5 DAKOTA DRIVE, SUITE 200
NEW HYDE PARK, NY 11042