HIPAA Notice of Privacy Practices
This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
Our Legal Responsibility
As your health care provider, we are legally required to protect the privacy of your health information, and to provide you with this Notice about our legal duties, privacy practices, and your rights with respect to your health information. This requirement applies to all patients served by University of Iowa (UI) State Hygienic Laboratory.
UI State Hygienic Laboratory describes the partnership between the University of Iowa and the UI State Hygienic Laboratory. This Notice applies to health information held by both entities.
UI State Hygienic Laboratory is legally required to follow the privacy practices described in this Notice. If you have any questions or want more information about this Notice, please contact our Privacy Officer at the contact information listed at the end of this Notice.
Your Protected Health Information
Throughout this Notice we will refer to your protected health information as PHI. Your PHI includes data that identifies you and reports about the care and services you receive at UI State Hygienic Laboratory. For example, it includes information about your diagnosis, medications, insurance status and policy number, payment information, social security number, address, and other demographic information.
This Notice about our privacy practices explains how, when, and why we use and share your PHI. We may not use or disclose any more of your PHI than is necessary for the purpose of the use or disclosure, with some exceptions.
Changes to this Notice
We are required to follow the terms of the Notice currently in effect. We reserve the right to change the terms of this Notice and our privacy policies and practices. Any changes will apply to your past, current, or future PHI. When we make an important change to our policies, we will change this Notice and post a new Notice on our website (http://www.shl.uiowa.edu/). We will post the Notice as required by law and will have available a copy of the revised Notice in the places where we provide medical services. The Notice will contain the effective date on the last page. You may also request a copy of our current Notice at any time from the UI State Hygienic Laboratory Offices
Uses and Disclosures of Protected Health Information Without Your Authorization
We are allowed by law to use and share your health information with others without your consent for many reasons. The following examples describe the categories of our uses and disclosures we may make without your permission. Please note that not every use or disclosure in each category is listed and these are general descriptions only. Where state or federal law restricts one of the described uses or disclosures, we follow the requirements of such law.
- Treatment – We may use and disclose medical information about you to physicians, nurses, technicians, physicians in training, or other health care professionals who are involved in your care. For example, if you are being treated for a knee injury, we may disclose your PHI to the Department of Rehabilitation Therapies. Different health care professionals, such as pharmacists, lab technicians, and x-ray technicians, also may share information about you in order to coordinate your care. In addition, we may send information to the physician who referred you to UI State Hygienic Laboratory, or other health care providers not affiliated with UI State Hygienic Laboratory who are involved in your care. At all times, we will comply with any regulations that apply.
- Payment – We may use and disclose your PHI in order to bill and collect payment for the treatment and services we provided to you. For example, we may provide PHI to an insurance company or other third party payor in order to obtain approval for treatment or admission to the hospital. We may also share your health information with another doctor or hospital that has treated you so that they can bill you, your insurance company, or a third party.
- Health care operations – We may use and disclose your PHI as part of our routine operations. For example, we may use your PHI to evaluate the quality of health care services you received or to evaluate the performance of health care professionals who cared for you. We may also disclose information to physicians, nurses, technicians, medical, nursing and other health professional students, and other hospital personnel as part of our educational mission. In some cases, we will furnish other qualified parties with your medical information for their health care operations.
- Business associates – We may share your health information with others called “business associates,” who perform services on our behalf. The business associate must agree in writing to protect the confidentiality of the information. For example, we may share your health information with a billing company that bills for the services we provide.
- Appointment reminders and health-related benefits or services – We may use your PHI to provide appointment reminders or give you information about treatment alternatives or other health care services. If you provide us with your mobile telephone number, we may contact you by phone or text message at that number for treatment-related purposes such as appointment reminders, wellness checks, registration instructions, etc. We will identify UI State Hygienic Laboratory as the sender of the communication and provide you with a way to “opt out” and not receive further communication in this manner. With your consent, we may contact you on your mobile phone for certain other purposes.
- Public health activities – We may disclose medical information about you for public health activities. These activities may include disclosures:
- To a public health authority authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability;
- To appropriate authorities authorized to receive reports of child abuse and neglect;
- To FDA-regulated entities for purposes of monitoring or reporting the quality, safety, or effectiveness of FDA-regulated products;
- To notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; and
- With parent or guardian permission, to send proof of required immunization to a school.
- Law enforcement – We may disclose certain medical information to law enforcement authorities for law enforcement purposes, such as:
- As required by law, including reporting certain wounds and physical injuries;
- In response to a court order, subpoena, warrant, summons, or similar process;
- To identify or locate a suspect, fugitive, material witness, or missing person;
- About the victim of a crime if we obtain the individual’s agreement, or under certain limited circumstances, if we are unable to obtain the individual’s agreement;
- To alert authorities of a death we believe may be the result of criminal conduct;
- Information we believe is evidence of criminal conduct occurring on our premises; and
- In emergency circumstances to report a crime; the location of the crime or victims or the identity, description, or location of the person who committed the crime.
- Abuse, neglect, or domestic violence – We may notify the appropriate government authority if we believe you have been the victim of abuse, neglect, or domestic violence. Unless such disclosure is required by law (for example, to report a particular type of injury), we will only make this disclosure if you agree.
- Judicial and administrative proceedings – If you are involved in a lawsuit or a dispute, we may disclose medical information about you in response to a court or administrative order. We may also disclose medical information about you in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if reasonable efforts have been made to notify you of the request or to obtain an order from the court protecting the information requested.
- Health oversight activities – We may disclose PHI to a health oversight agency for audits, investigations, inspections, licensure, and other activities, as authorized by law. For example, we may disclose PHI to the Food and Drug Administration, state Medicaid fraud control, or the U.S. Department of Health and Human Service Office for Civil Rights.
- Research studies – Under certain circumstances, we may disclose your PHI to help conduct research, subject to certain safeguards. Research may involve finding a cure for an illness or helping to determine how effective a treatment is. In research studies, a Privacy Board or Institutional Review Board determines that measures are in place to protect your identity from disclosure to organizations outside of UI State Hygienic Laboratory. We may disclose medical information about you to people preparing to conduct a research project but the information will stay on site.
- Organ or tissue donation – We may use your PHI to notify organ donation organizations, and to assist them in organ, eye, or tissue donation and transplants.
- Deceased individuals – We are required to apply safeguards to protect your medical information for 50 years following your death. Following your death we may disclose medical information to a coroner, medical examiner, or funeral director as necessary for them to carry out their duties and to a personal representative (for example, the executor of your estate). We may also release your medical information to a family member or other person who acted as personal representative or was involved in your care or payment for care before your death, if relevant to such person’s involvement, unless you have expressed a contrary preference.
- Workers’ compensation purposes – We may disclose PHI about you to your employer or others as authorized by law for workers’ compensation or similar programs that provide benefits for work-related injuries or illness.
- National security and intelligence activities – We may release PHI to authorized federal officials when required by law. This information may be used to protect the president, other authorized persons, or foreign heads of state, to conduct special investigations, for intelligence and other national security activities authorized by law.
- Threats to health or safety – Under certain circumstances, we may use or disclose your medical information to avert a serious threat to health and safety if we, in good faith, believe the use or disclosure is necessary to prevent or lessen the threat and is to a person reasonably able to prevent or lessen the threat (including the target) or is necessary for law enforcement authorities to identify or apprehend an individual involved in a crime.
- Incidental uses and disclosures – There are certain incidental uses or disclosures of your information that occur while we are providing service to you or conducting our business. For example, after surgery the nurse or doctor may need to use your name to identify family members that may be waiting for you in a waiting area. Other individuals waiting in the same area may hear your name called. We will make reasonable efforts to limit these incidental uses and disclosures.
- Required by law – We will use and disclose your information as required by federal, state, or local law.
Uses and Disclosures for Which You Have the Opportunity to Object
- Hospital directory – We will use your name, the location at which you are receiving care, your general condition, and your religious affiliation for directory purposes. All of this information, except religious affiliation, will be disclosed to people who ask for you by name. If you object to this use, we will not include this information in the directory and will not share it. To object, please notify us at registration or notify a member of your nursing staff.
- Health care affiliates/alliances – We participate in a variety of electronic health information data sharing agreements with other health care providers, public health organizations, and payors. These data sharing arrangements are to facilitate treatment, improve health care operations, and allow for an analysis of care provided in all settings. These data sharing arrangements are designed to assure appropriate protections are in place and prevent the inappropriate release of your PHI. If you do not wish to participate in these data sharing arrangements, please notify our Privacy Officer at the contact information listed at the end of this Notice.
- Fundraising – We may use your PHI in efforts to raise money for UI State Hygienic Laboratory. We may provide your PHI to the University of Iowa Center for Advancement for this purpose. If you do not want UI State Hygienic Laboratory to contact you for fundraising efforts, please notify our Privacy Officer at the contact information listed at the end of this Notice or respond to any opt out process provided with each fundraising communication.
- Disclosures to family, friends, or others – We may provide your PHI to a family member, friend, or other person you tell us is involved in your care or involved in the payment of your health care, unless you object in whole or in part. If you are unable to agree or object to such a disclosure, we may disclose such information as necessary if we determine that it is in your best interest. This could include sharing information with your family or friend so they can pick up a prescription or a medical supply. We may also share medical information about you with an organization assisting in a disaster relief effort.
Uses and Disclosures Requiring Your Authorization
There are many uses and disclosures we will make only with your written authorization. These include:
- Uses and disclosures not described above – We will obtain your authorization for any use of disclosure of your medical information that is not described in the preceding examples.
- Psychotherapy notes – These are notes made by a mental health professional documenting conversations during private counseling sessions or in joint or group therapy. Many uses or disclosures of psychotherapy notes require your authorization.
- Marketing – We will not use or disclose your medical information for marketing purposes without your authorization. Moreover, if we will receive any financial remuneration from a third party in connection with marketing, we will tell you that in the authorization form.
- Sale of medical information – We will not sell your medical information to third parties without your authorization. Any such authorization will state that we will receive remuneration in the transaction.
If you provide authorization, you may revoke it at any time by giving us notice in accordance with our authorization policy and the instructions in our authorization form. Your revocation will not be effective for uses and disclosures made in reliance on your prior authorization.
Your Rights Regarding PHI
You have the right to:
- Request restrictions – You can ask us not to use or share certain PHI for treatment, payment, or health care operations purposes. For example, when you have paid for your services out of pocket in full, at your request we will not share information about those services with your health plan (the organization that pays for your medical care), as long as such disclosure is not required by law. For all other requests, we will consider your request, but we are not legally required to accept it. If we accept your request, we will document any limits in writing and follow them except in emergency situations. You may not limit the uses and disclosures that we are legally required or allowed to make. To request a restriction, notify the Privacy Officer listed at the end of this Notice.
- Request confidential communications – You can ask that we send PHI to you at a different address or contact you about your health information in a certain way. For example, you may wish to have appointment reminders and test results sent to a PO Box or a different address than your home address. We will say “yes” to reasonable requests that provide specific directions of the alternative. To make a request, contact the Privacy Officer at the address listed at the end of this Notice. You do not need to provide a reason for your request.
- Inspect and copy – You have the right to inspect and obtain a copy of much of the medical information that we maintain about you, with some exceptions. Usually, this information includes the medical record and billing records, but also includes records used to make decisions about you. There are certain conditions on which we may deny your request. If we maintain the medical information electronically in one or more designated record sets and you ask for an electronic copy, we will provide the information to you in the form and format you request, if it is readily producible. If we cannot readily produce the record in the form and format you request, we will produce it in another readable electronic form we both agree to. If you direct us to transmit your medical information to another person, we will do so, provided your signed, written direction clearly designates the recipient and location for delivery. To see or obtain a copy of medical or billing information, please submit your request in writing to:
UI State Hygienic Laboratory email address email@example.com
2490 Crosspark Road
Coralville, IA 52241
- Accounting of disclosures – You have the right to obtain a list of certain instances in which we have disclosed your PHI. You may request this list for a period of six years prior to the date you ask for the list. We will provide the times we have shared your PHI, who we shared it with, and why. The list will not include uses or disclosures that you have specifically authorized in writing, such as copies of records to your attorney or to your employer, or disclosures for treatment, payment, or health care operations and certain other types of disclosures. Please submit your request in writing to the Privacy Officer listed at the end of this Notice. We will provide one list a year free, but will charge a reasonable cost-based fee if you ask for another list within twelve months.
- Amendment – You have the right to ask us to amend certain medical information that we keep in your records if you think that information is inaccurate or incomplete. You may request an amendment for as long as that record is maintained. You may submit a written request for an amendment to Release of Information listed at the end of this Notice. University of Iowa Health Care may say “no” to certain requests, but we will tell you in writing within 60 days why we denied your request.
- Paper copy of this Notice – You can ask for a paper copy of this Notice at any time, even if you have asked to receive it electronically. You may request a paper copy from the UI State Hygienic Laboratory office.
- Notification in the case of breach – We are required by law to notify you of a breach of your unsecured medical information. We will provide such notification to you without unreasonable delay but in no case later than 60 days after we discover the breach.
- How to exercise these rights – All requests to exercise these rights must be in writing. We will respond to your request on a timely basis in accordance with our written policies and as required by law. Contact the offices noted below in this Notice to obtain request forms or ask questions.
Revocation of Permission
If you provide us with permission to use or disclose your medical information, you may revoke that permission at any time. Please make your request in writing to Release of Information at the contact information listed at the end of this Notice.
If you revoke your permission, we will no longer use or disclose medical information about you for the reasons covered by your written revocation. We are unable to take back any disclosures previously made with your permission.
Complaints and Questions
If you believe your privacy rights have been violated, you may file a complaint with UI State Hygienic Laboratory or with the Secretary of the U.S. Department of Health and Human Services.
To file a complaint about our privacy practices with UI State Hygienic Laboratory or questions about this Notice, notify:
UI State Hygienic Laboratory at firstname.lastname@example.org
2490 Crosspark Road
Coralville, IA 52241
University of Iowa Hospitals & Clinics Privacy Officer
200 Hawkins Drive, 1309B JCP
Iowa City, Iowa 52242-1009
You will not be penalized for filing a complaint, and your care will not be compromised.
- For: Requesting a restriction
Requesting an accounting of disclosures opting out of fundraising
Opting out of data sharing
Contact: Privacy Officer listed above
- For: Inspection and copying of your billing records
Contact: SHL Accounting
2490 Crosspark Road
Coralville, IA 52241
- For: Inspection and copying of your medical record amending your record
Revoking your permission to disclose your medical information
Contact: UI State Hygienic Laboratory
2490 Crosspark Road
Coralville, IA 52241
If you would like to file a complaint with the Secretary of the U.S. Department of Health and Human Services, please contact:
- U.S. Department of Health and Human Services Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201