Joint Notice of Privacy Practices

Note: Throughout this notice, all numbers shown with the “§” symbol designate applicable sections of Title 45 Code of Federal Regulations (45 CFR, Subpart E, §§164.500-164.534).

Effective Date September 16, 2013

Our pledge to protect your privacy

At Hillsboro Medical Center, we understand that medical information about you and your health is personal. We are committed to protecting medical information about you. We create a record of the care and services you receive at Tuality. We need this record to provide you with quality care and to comply with certain legal requirements.

This notice describes your rights to access and control your protected health information (PHI). PHI is individually identifiable health information, including demographic information, that is collected from you or created or received by a healt hcare provider, your health plan, your employer, or a health care clearinghouse and that relates to: (1) your past, present, or future physical or mental health or condition; (2) the provision of health care to you; and/or (3) the past, present or future payment for the provision of health care to you.

We and other health care providers are required by law to maintain the privacy of your protected health information. We also are required to notify you of our legal duties and privacy practices regarding your protected health information, and abide by the practices described in this notice.

Who will follow this notice?

This notice applies to the following individuals and organizations:

  • Members of our medical staff, employees, volunteers, trainees, students and other health care personnel who provide services at Tuality or affiliated patient care settings listed below.
  • All of Hillsboro Medical Center clinics, departments and units.
  • Patient care settings affiliated with Tuality (such as Orenco Station Medical Plaza and Westside Medical Clinic), and all medical staff, employees, volunteers, trainees, students or other personnel providing services in those patient care settings. Tuality patient care settings include: the hospitals, home health, outpatient services, rehabilitation services, urgent care, medical equipment rental and supply, managed physician’s offices, and our affiliates (Tuality/OHSU Cancer Center, Tuality Health Alliance and Raines Dialysis Center).

Note: Tuality may provide services to you in an integrated way with our medical staff and the affiliated patient care settings referenced above. However, Tuality accepts no legal responsibility for activities solely attributable to these other providers or care settings.

How we may use and disclose your medical information

The following sections and categories describe different ways we use and disclose your protected health information. For each category, we explain what we mean, and for some categories we try to give you a meaningful example about the use or disclosure. All of the ways we are permitted to use and disclose your protected health information will fall into the listed categories. Other parts of this notice describe uses and disclosures that require your authorization, and the rights you have to restrict our use and disclosure of your protected health information.

Primary uses and disclosures allowed without your express permission

This section discusses the requirements of federal privacy laws. Oregon law provides additional protections in some circumstances.

For treatment. We are permitted to use and disclose your protected health information within Tuality and its affiliates as necessary to provide you with medical treatment and services. For example:

  • A doctor treating you for a broken leg may need to know if you have diabetes because the disease may slow the healing process. In addition, the doctor may need to tell the dietitian if you have diabetes so that we can arrange for appropriate meals.
  • Different Tuality departments may also share medical information about you in order to coordinate the different things you need, such as prescriptions, lab work and x-rays.
  • Your doctor may be treating you for a heart condition and may need to know if you have other health problems that could complicate your treatment. The doctor may use your medical history to decide what treatment is best for you. The doctor may also tell another doctor about your condition so that doctor can help provide care or consultation to determine the most appropriate care for you. On occasion, we may need to communicate with your physician’s answering service in order to expedite your care and to provide timely information for a physician who is “on-call.”
  • We also may disclose medical information about you to people outside Tuality who may be involved in your medical care after you leave Tuality, such as long-term care facilities, personal caregivers, or home health agencies.

For payment. We are permitted to use and disclose your protected health information so that the treatment and services you receive at Tuality may be billed and payment may be collected from you or an insurance company, health plan, or other third-party payer. For example:

  • We may need to give your health plan information about a service you receive here, so we may be paid or you may be reimbursed for the service.
  • We may also tell your health plan about a treatment you are going to receive to determine whether your health plan will cover the service.
  • We may release medical information to emergency responders to allow them to obtain payment or reimbursement for services provided to you.

For health care operations. We are permitted to use and disclose medical information about you so that quality assessment and improvement, reviews of provider performance, licensing, business planning, and business development may occur. For example:

  • We are permitted to use and disclose medical information about you for our own organization’s operations. These uses and disclosures are necessary to run Tuality and our affiliates, and ensure that all of our patients receive quality care.
  • We are allowed to provide you with information about our services and programs.
  • We also are permitted to disclose your medical information for the health operations of another health care provider or health plan, as long as it has a relationship with you and needs the information for its own quality assurance purposes, for purposes of reviewing the qualifications of its health care professionals, or for conducting skill improvement programs.
  • We may use your medical information to ensure we are complying with all federal and state compliance requirements.
  • We may use your medical information to review the quality of medical services being provided to you.
  • We may use your medical information to conduct audits or medical review of claims activity.

Business associates

Tuality may contract with individuals and entities (known as “business associates”) to perform various functions on Tuality’s behalf or to provide certain types of services. Some of the functions they provide are billing, management consultation, quality assurance review, and accounting.

To perform these functions or to provide services, business associates will receive, create, maintain, use or disclose protected health information, but only after Tuality requires the business associate to agree in writing to appropriately safeguard the privacy of your information and to use it only to assist Tuality for the purposes identified above involving treatment, payment or operations.

Other uses and disclosures allowed without your express permission

Family or friends involved in your care. Unless you object, Tuality may disclose your protected health information to a friend or family member that you have identified as being in involved in your health care. Tuality may also disclose your information to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status, and location. If you are not present or able to agree to these disclosures of your protected health information, then Tuality may—using its professional judgment—determine whether the disclosure is in your interest.

Research when approved by an Institutional Review Board. Under certain circumstances, we may use and disclose your protected health information for research purposes. Your protected health information would only be available if you had signed a consent to participate in the research project. For example, a research project may involve comparing the health and recovery of all patients who received one medication to those who received another for the same condition. All research projects, however, are subject to a special approval process through an Institutional Review Board. Before we use or disclose your protected health information for research without your authorization, the project will have been approved through this research approval process.

As required by law. We will disclose your protected health information when required to do so by federal, state or local law. (See “To support public health activities” below.)

To support public health activities. These activities typically include reports to such agencies as the Oregon Health Authority as required or authorized by state law. hese reports may include, but are not necessarily limited to, the following:

  • To prevent or control disease, injury or disability.
  • To report births and deaths.
  • To report suspected child abuse or neglect.
  • To report suspected elderly abuse or neglect.
  • To report reactions to medications or problems with products.
  • To notify people of recalls of products they may be using.
  • To notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition.

Organ and tissue donation. We may release your protected health information to organizations that handle organ procurement or organ, eye or tissue transplantation, or to an organ donation bank, as necessary to facilitate organ or tissue donation and transplantation. Donations cannot occur without your family’s consent.

Military and veterans. If you are a member of the armed forces, we may release your protected health information as required by military command authorities. We may also release medical information about foreign military personnel to the appropriate foreign military authority.

Workers’ compensation. We will only release your protected health information for Workers’ Compensation or similar programs in accordance with applicable law. These programs provide benefits for work-related injuries or illness.

Health oversight activities. We may disclose your protected health information to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.

Lawsuits and disputes. We may disclose your protected health information in response to a court or administrative order. We may also disclose your protected health information in response to a subpoena, discovery request, or other lawful process.

Law enforcement. We may release your protected health information if asked to do so by a law enforcement official:

  • In response to a court order, subpoena, warrant, summons or similar process.
  • To identify or locate a suspect, fugitive, material witness, or missing person.
  • About the victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement.
  • To report suspected elderly abuse or neglect.
  • About a death we believe may be the result of criminal conduct.
  • About criminal conduct at Tuality.
  • In emergency circumstances to report a crime, the location of the crime or victims, or the identity, description or location of the person who committed the crime.

Coroners, medical examiners and funeral directors. We may release protected health information to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also release protected health information about patients of Tuality to funeral directors as necessary for them to carry out their duties.

National security and intelligence activities. We may release your protected health information to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.

Protective services for the President of the United States and others. We may disclose your protected health information to authorized federal officials so they may provide protection to the President, other authorized persons, or foreign heads of state, or so they may conduct special investigations.

Inmates. If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release your protected health information to the correctional institution or law enforcement official. This release would be necessary: (1) for the institution to provide you with health care; (2) to protect your health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution.

When required to avert a serious threat to health or safety. We may use and disclose your protected health information when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person.

As required by federal, state or local law. We will disclose your protected health information when required to do so by federal, state or local law.

Incidental disclosures. Certain incidental disclosures of your protected health information occur as a byproduct of lawful and permitted use and disclosure of your medical information. For example, a visitor may inadvertently overhear a discussion of your care occurring at the nurses’ station. These incidental disclosures are permitted if we apply reasonable safeguards to protect your medical information.

Limited data set information. We may disclose limited health information to third parties for purposes of research, public health and health care operation purposes. This health information includes only the following identifiers:

  • Admission, discharge, and service dates.
  • Age.
  • Five-digit ZIP Code or any other geographic subdivision, such as state, county, city, precinct and their equivalent geocodes (except street address).

Before disclosing this information, we must enter into an agreement with the recipient of the information that limits who may use or receive the data, and that requires the recipient to agree not to re-identify the data or contact you. The agreement must contain assurances that the recipient of the information will use appropriate safeguards to prevent inappropriate use or disclosure of the information.

Oregon law: Oregon law provides additional confidentiality protections in some circumstances. For example, in Oregon a health care provider generally may not release the identity of a person tested for HIV or the results of an HIV-related test without consent, and you must be notified of this confidentiality right. Drug and alcohol records are specially protected and typically require your specific consent for release under both federal and state law. Mental health records are specially protected in some circumstances, as is genetic information.

For more information on Oregon law related to these and other specially protected records, please contact our Privacy Officer, or refer to the Oregon Revised Statutes and the Oregon Administrative Rules. These documents are available online at www.oregon.gov.

Uses and disclosures for which you have the right to object

Health-related benefits and services. We may use and disclose protected health information to tell you about health-related benefits or services that may be of interest to you. [§164.520]

Fundraising activities. We may use information about you to contact you in an effort to raise money for Tuality and its operations. We may disclose protected health information to the Tuality Healthcare Foundation so that it may contact you. This may include contact information, such as your name, address, phone number, and when you received treatment. If you do not want Tuality to contact you for fundraising purposes, you must notify our Privacy Officer in writing. [§164.514]

Hospital directory. We may include limited information about you in Tuality’s directory while you are a patient in the hospital. This information may include your name, location in the hospital, general condition (e.g., fair, serious, etc.), and religious affiliation. The directory information, except for your religious affiliation, may be released to people who ask for you by name. Your religious affiliation may be given to members of the clergy, such as a priest or rabbi, even if they don’t ask for you by name. This is so your family, friends and clergy can visit you at Tuality and generally know how you are doing. In addition, we may disclose your protected health information to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status and location. If you do not want us to make these disclosures, you must notify the Privacy Officer in writing. [§164.510]

Uses and disclosures that require your written authorization

Uses and disclosures for purposes other than described above require your express written authorization. We will not use or disclose your protected health information without your authorization: (i) for marketing purposes; (ii) disclosures that constitute a sale of protected health information; (iii) most uses and disclosures of psychotherapy notes; and (iv) other uses and disclosures not described in this notice. For example, we must obtain your authorization before disclosing your medical information to a life insurance company or to an employer, except under special circumstances such as when disclosure to the employer is required by law. You have the right to revoke an authorization at any time, except to the extent we have already relied on it to make an authorized use of disclosure. Your revocation of an authorization must be in writing and addressed to the Privacy Officer.
Tuality hopes that if you choose to revoke an authorization, you will help us comply with your wishes by identifying the authorization you are choosing to revoke. Ways of telling us which authorization you are revoking might include indicating who you authorized to receive information and the approximate timeframe in which you signed the authorization.

Your rights

The following is a description of your rights with respect to your protected health information:

Right to request, to inspect, and to receive a copy. You have the right to inspect and obtain a copy of your protected health information that is contained in a “designated record set.” Usually, this includes medical and billing records that are used to make decisions about your health care, but does not include psychotherapy notes or information created for use in a legal proceeding. [§164.524]

To inspect and receive a copy of your medical information, you must submit your request in writing to:

Hillsboro Medical Center
Medical Records Department
Release of Information Desk
335 SE 8th Ave.
Hillsboro, OR 97123

If you request a copy of the information, we may charge a fee for the costs of copying, mailing or supplies associated with your request. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred.

We may deny your request to inspect and copy in certain very limited circumstances. If you are denied access to medical information, you may request that the denial be reviewed. Another licensed health care professional chosen by Tuality will review your request and the denial. The person conducting the review will not be the person who denied your request. We will comply with the outcome of the review.

Right to an electronic copy of electronic medical records. If your protected health information is maintained in an electronic format (known as an electronic medical record or an electronic health record), you have the right to request that an electronic copy of your record be given to you or transmitted to another individual or entity. We will make every effort to provide access to your protected health information in the format you request, if it is readily producible in such format. If the protected health information is not readily producible in the format you request, your record will be provided in either our standard electronic format or an alternative electronic format agreed to by us and you. We may charge you a reasonable, cost-based fee for the labor associated with transmitting the electronic medical record.

Right to amend. If you feel that information we have about you is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept by or on behalf of Hillsboro Medical Center. [§164.526]

To request an amendment, your request must be made in writing and submitted to the Privacy Officer at the address below. In addition, you must provide a reason that supports your request.

Hillsboro Medical Center
Privacy Officer
335 SE 8th Ave.
Hillsboro, OR 97123

We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend information that:

  • Was not created by us, unless the person or entity that created the information is no longer available to make the amendment.
  • Is not part of the information kept by or on behalf of Hillsboro Medical Center.
  • Is not part of the information you would be permitted to inspect and copy.
  • Is accurate and complete.

Right to request restrictions. You have the right to request a restriction or limitation on the protected health information we use or disclose about you for treatment, payment or health care operations. You also have the right to request a limit on the protected health information we disclose about you to someone who is involved in your care or the payment for your care, like a family member or friend. For example, you could ask that we not use or disclose information about a surgery you had. To request a restriction you must put your request in writing. We are not usually required to agree to your request. If we do agree, we will comply with your request unless the information is needed to provide you with emergency treatment or we are required by law to release the information. [§164.522(a)]

To request restrictions, you must make your request in writing to:

Hillsboro Medical Center
Privacy Officer
335 SE 8th Ave.
Hillsboro, OR 97123

In your request, you must tell us: (1) what information you want to limit; (2) whether you want to limit our use, disclosure or both; and (3) to whom you want the limits to apply, for example, disclosures to your spouse.

Out-of-Pocket-Payments. If you paid out-of-pocket (or in other words, you have requested that we not bill your health plan) in full for a specific item or service, you have the right to ask that your protected health information with respect to that item or service not be disclosed to a health plan for purposes of payment or health care operations, and we will honor that request, unless we are required by law to release the information.

Right to request confidential communications. You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you may ask that we only contact you at work or by mail. [§164.522(b)]

To request confidential communications, you must make your request in writing to:

Hillsboro Medical Center
Privacy Officer
335 SE 8th Ave.
Hillsboro, OR 97123

We will not ask you the reason for your request. We will accommodate all reasonable requests. Your request must specify how or where you wish to be contacted.

Right to a paper copy of this notice. You have the right to a paper copy of this notice even if you have agreed to accept this notice electronically. You may ask us to give you a copy at any time at most of our registration desks. You may also view a copy of this notice at our website, tuality.org. [§164.522]

Right to an accounting of disclosures. You have a right to an accounting of most disclosures of your protected health information that are for reasons other than treatment, payment or health care operations. An accounting will include the date(s) of the disclosure, to whom the disclosure was made, a brief description of the information disclosed, and the purpose of the disclosure. You must request an accounting by submitting your request in writing. Your request may be for disclosures made up to six years before the date of your request. The first disclosure requested within a 12-month period will be provided free of charge. For additional disclosures, we may charge you for the costs of providing the lists. [§164.528]

To request this list or accounting of disclosures of services provided to you, you must submit your request in writing to:

Hillsboro Medical Center
Medical Records Department
Release of Information Desk
335 SE 8th Ave.
Hillsboro, OR 97123

For services provided at your physician’s office, contact your physician directly.

Right to notification of breach. You have the right to be notified upon discovery of a breach of unsecured protected health information. The Privacy Officer will make such notifications to you in writing without unreasonable delay in the event that such a breach occurs. [45 CFR, Subpart D, §164.400 – §164.414]

Changes to this notice

We reserve the right to change this notice. We reserve the right to make the revised notice effective for medical information we already have about you, as well as any information we receive in the future. We will post a copy of the current notice at Hillsboro Medical Center. The notice will contain the effective date identified on the first page of this document. The notice will also be available at Tuality registration desks and on our website at tuality.org. [§164.530]

Complaints

If you believe your privacy rights have been violated, you may file a complaint with:

Hillsboro Medical Center
Privacy Officer
335 SE 8th Ave.
Hillsboro, OR 97123

Or with:

Region X, Office for Civil Rights
U.S. Department of Health and Human Services
2201 Sixth Ave., Suite 900
Seattle, WA 98121-1831

Or you may call 206-615-2287 or fax 206-615-2297. Or you may file a complaint by e-mail to OCRComplaint@hhs.gov.

Complaints filed directly with the Office for Civil Rights must: (1) be in writing; (2) contain the name of the entity against which the complaint is lodged; (3) describe the relevant problems; and (4) be filed within 180 days of the time you became or should have become aware of the problem.

Hillsboro Medical Center will not penalize or in any other way retaliate against you for filing a complaint, either with either us or with the Secretary of the U.S. Department of Health and Human Services. [§164.530]