Privacy Practices

NOTICE OF PRIVACY PRACTICES

Effective Date:  08/13/2013

In accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.  PLEASE REVIEW IT CAREFULLY.

If you have any questions about this notice, please contact Coffeyville Regional Medical Center, Attn: Privacy Officer, 1400 West Fourth, Coffeyville, Kansas 67337; 620-251-1200.

WHO WILL FOLLOW THIS NOTICE:

This notice describes our hospital’s practices and that of:

  • Any healthcare professional authorized to enter information into your hospital chart.
  • All departments and units of the hospital.
  • Any member of a volunteer group we allow to help you while you are in the hospital.
  • All employees, staff and other hospital personnel.
  • All these entities, sites and locations follow the terms of this notice. In addition, these entities, sites and locations may share medical information with each other for treatment, payment or hospital operations purposes described in this notice.

OUR PLEDGE REGARDING MEDICAL INFORMATION:

We understand that medical information about you and your health is personal. We are committed to protecting medical information about you. We create a record of the care and services you receive at the hospital. We need this record to provide you with quality care and to comply with certain legal requirements. This notice applies to all of the records of your care generated by the hospital, whether made by hospital personnel or your personal doctor. Your personal doctor may have different policies or notices regarding the doctor’s use and disclosure of your medical information created in the doctor’s office or clinic.

This notice will tell you about the ways in which we may use and disclose medical information about you. We also describe your rights and certain obligations we have regarding the use and disclosure of medical information.

We are required by law to:

  • make sure that medical information that identifies you is kept private;
  • give you this notice of our legal duties and privacy practices with respect to medical information about you; and
  • follow the terms of our Notice of Privacy Practices that is currently in effect.

HOW WE MAY USE AND DISCLOSE MEDICAL INFORMATION ABOUT YOU:

The following categories describe different ways we use and disclose medical information. For each category of uses or disclosures we will explain what we mean and try to give some examples. Not every use or disclosure in a category will be listed.  However, all of the ways we are permitted to use and disclose information will fall within one of the categories.

  • For Treatment. We may use medical information about you to provide you with medical treatment or services. We may disclose medical information about you to doctors, nurses, technicians, medical students, or other personnel who are involved in taking care of you. For example, a doctor treating you for a broken leg may need to know if you have diabetes because diabetes may slow the healing process. In addition, the doctor may need to tell the dietitian if you have diabetes so that we can arrange for appropriate meals. Different departments of the hospital also may share medical information about you in order to coordinate the different things you need, such as prescriptions, lab work and x-rays. We also may disclose medical information about you to people outside the hospital who may be involved in your medical care after you leave the hospital, such as family members, clergy, long term care facility personnel, or others we use, or work together with, to provide services that are part of your care.
  • For Payment. We may use and disclose medical information about you so that the treatment and services you receive at the hospital may be billed to and payment may be collected from you, an insurance company or a third party. For example, we may need to give your health plan information about surgery you received at the hospital so your health plan will pay us or reimburse you for the surgery. We may also tell your health plan about a treatment you are going to receive to obtain prior approval or to determine whether your plan will cover the treatment.

For Healthcare Operations. We may use and disclose medical information about you for hospital operations. These uses and disclosures are necessary to run the hospital and make sure that all of our patients receive quality care. For example, we may use medical information to review our treatment and services and to evaluate the performance of our staff in caring for you. We may also combine medical information about many hospital patients to decide what additional services the hospital should offer, what services are not needed, and whether certain new treatments are effective. We may also disclose information to doctors, nurses, technicians, medical students, and other hospital personnel for review and learning purposes. We may also combine the medical information we have with medical information from other hospitals to compare how we are doing and see where we can make improvements in the care and services we offer. We may remove information that identifies you from this set of medical information so others may use it to study healthcare and healthcare delivery without learning who the specific patients are.

  • Activities of an Organized Health Care Arrangement (OHCA) in Which We Participate. For certain activities, the Hospital, members of its Medical Staff and other independent professionals are called an OHCA. We may disclose information about you to healthcare providers in our OHCA such as a managed care or physician hospital organization. Such disclosures would be made in connection with our services, your treatment under a health plan arrangement, and other activities of the OHCA.
  • For Marketing Purposes. Any uses and disclosures of protected health information for marketing purposes and disclosures that constitute the sale of protected health information will require a separate specific authorization by you.  Any other uses and disclosures of protected health in formation not specified in this Notice of Privacy Practices will also require a specific authorization.
  • Psychotherapy Notes. Any psychotherapy notes maintain by the Hospital will only be used and disclosed with your authorization.
  • If the Hospital contacts individuals for fundraising, you have the right to opt out of receiving any fundraising communications.
  • Restrictions from Disclosure to Health Plans. You have the right to have your provider restrict certain protected health information from disclosure to health plans where you pay out of pocket, in full for the care, and you request such restriction.
  • Notification upon Breach. You have the right to receive notifications whenever a breach of your unsecured protected health information occurs.

IMPORTANT NOTICE

The Hospital may share your medical information with members of the Hospital, Medical Staff, and other independent medical professionals in order to provide treatment and perform other activities such as peer review, quality improvement, medical education and other services for the Hospital. While those professionals my follow this Notice and otherwise participate in the privacy program of the Hospital, they are independent professionals. Neither Party assumes any liability or other obligations incurred by the other Party.

It is further understood that participation in the OHCA in no way creates, nor shall it be construed as creating any type of employment, partnership, joint venture, franchise or other relationship between the Parties, other than that of independent contractors and that each party expressly disclaims any responsibility or liability for the other Party’s acts, errors, and/or omissions.

  • Appointment Reminders. We may use and disclose medical information to contact you as a reminder that you have an appointment for treatment or medical care.
  • Treatment Alternatives. We may use and disclose medical information to tell you about or recommend possible treatment options or alternatives that may be of interest to you.
  • Health-Related Benefits and Services. We may use and disclose medical information to tell you about health-related benefits or services that may be of interest to you.
  • Fundraising Activities. We may use information about you to contact you in an effort to raise funds for the hospital. We may disclose demographic information to the CRMC hospital foundation so that the foundation may contact you in raising money for the hospital. We would only release contact information, such as your name, address and phone number and the dates you received treatment or services at the hospital. If you do not want the hospital to contact you for fund-raising efforts and you wish to have your name removed from the list to receive fund-raising requests supporting the hospital in the future, you must notify CRMC Foundation, Attn: Executive Director, P.O. Box 305, Coffeyville, KS 67337 in writing. In the event you contact us with this request, all reasonable efforts will be taken to ensure you will not receive any fund-raising communications from us in the future.
  • Hospital Directory. We may include certain limited information about you in the hospital directory while you are a patient at the hospital. This information may include your name, location in the hospital, your general condition (e.g., fair, stable, etc.) and your religious affiliation. The directory information, except for your religious affiliation, may also be released to people who ask for you by name. Your religious affiliation may be given to a member of the clergy, such as a priest or rabbi, even if they don’t ask for you by name. This is so your family, friends and clergy can visit you in the hospital and generally know how you are doing.
  • Individuals Involved in Your Care or Payment for Your Care. We may release medical information about you to a friend or family member who is involved in your medical care.We may also give information to someone who helps pay for your care. We may also tell your family or friends your condition and that you are in the hospital. In addition, we may disclose medical information about you to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status and location.
  • Research. Under certain circumstances, we may use and disclose medical information about you for research purposes. For example, a research project may involve comparing the health and recovery of all patients who received one medication to those who received another, for the same condition. All research projects, however, are subject to a special approval process. This process evaluates a proposed research project and its use of medical information, trying to balance the research needs with patients’ need for privacy of their medical information. Before we use or disclose medical information for research, the project will have been approved through this research approval process. However, we may disclose medical information about you to people preparing to conduct a research project, for example, to help them look for patients with specific medical needs, so long as the medical information they review does not leave the hospital. We will almost always ask for your specific permission if the researcher will have access to your name, address or other information that reveals who you are, or will be involved in your care at the hospital.
  • As Required By Law. We will disclose medical information about you when required to do so by federal, state or local law.
  • To Avert a Serious Threat to Health or Safety. We may use and disclose medical information about you when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.

SPECIAL SITUATIONS:

  • Organ and Tissue Donation. If you are an organ donor, we may release medical information to organizations that handle organ procurement or organ, eye or tissue transplantation or to an organ donation bank, as necessary to facilitate organ or tissue donation and transplantation.
  • Military and Veterans. If you are a member of the armed forces, we may release medical information about you as required by military command authorities. We may also release medical information about foreign military personnel to the appropriate foreign military authority.
  • Workers’ Compensation. We may release medical information about you for workers’ compensation or similar programs. These programs provide benefits for work-related injuries or illness.
  • Public Health Risks. We may disclose medical information about you for public health activities. These activities generally include the following:
  • to prevent or control disease, injury or disability;
  • to report births and deaths;
  • to report child abuse or neglect;
  • to report reactions to medications or problems with products;
  • to notify people of recalls of products they may be using;
  • to notify the statewide trauma registry
  • to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition;
  • to notify the appropriate government authority if we believe a patient has been the victim of abuse, neglect or domestic violence. We will only make this disclosure if you agree or when required or authorized by law.
  • Health Oversight Activities. We may disclose medical information to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the healthcare system, government programs, and compliance with civil rights laws.
  • Lawsuits and Disputes. If you are involved in a lawsuit or a dispute, we may disclose medical information about you in response to a court or administrative order. We may also disclose medical information about you in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested.
  • Law Enforcement. We may release medical information if asked to do so by a law enforcement official:
  • In response to a court order, subpoena, warrant, summons or similar process;
  • To identify or locate a suspect, fugitive, material witness, or missing person;
  • About the victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement;
  • About a death we believe may be the result of criminal conduct;
  • About criminal conduct at the hospital; and
  • In emergency circumstances to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime.
  • Coroners, Medical Examiners and Funeral Directors. We may release medical information to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also release medical information about patients of the hospital to funeral directors as necessary to carry out their duties.
  • National Security and Intelligence Activities. We may release medical information about you to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.
  • Protective Services for the President and Others. We may disclose medical information about you to authorized federal officials so they may provide protection to the President, other authorized persons or foreign heads of state or conduct special investigations.
  • Inmates. If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release medical information about you to the correctional institution or law enforcement official. This release would be necessary (1) for the institution to provide you with healthcare; (2) to protect your health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution.

YOUR RIGHTS REGARDING MEDICAL INFORMATION ABOUT YOU:

You have the following rights regarding medical information we maintain about you:

  • Right to Inspect and Copy. You have the right to inspect and copy medical information that may be used to make decisions about your care. Usually, this includes medical and billing records, but does not include psychotherapy notes.

To inspect and copy medical information that may be used to make decisions about you, you must submit your request in writing to: Coffeyville Regional Medical Center, Attn: Release of Information, 1400 West Fourth, Coffeyville, Kansas 67337. If you request a copy of the information, we may charge a fee for the costs of copying, mailing or other supplies associated with your request.

We may deny your request to inspect and copy in certain very limited circumstances. If you are denied access to medical information, you may request that the denial be reviewed.  Another licensed healthcare professional(s) chosen by the hospital will review your request and the denial. The person(s) conducting the review will not be the person who denied your request.  We will comply with the outcome of the review.

  • Right to Amend. If you feel that medical information we have about you is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept by or for the hospital.

To request an amendment, your request must be made in writing and submitted to Coffeyville Regional Medical Center, Health Information Management Department, Attn: Director Health Information Management, 1400 West Fourth, Coffeyville, Kansas 67337.  In addition, you must provide a reason that supports your request.

We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend information that:

  • Was not created by us, unless the person or entity that created the information is no longer available to make the amendment;
  • Is not part of the medical information kept by or for the hospital;
  • Is not part of the information which you would be permitted to inspect and copy; or
  • Is accurate and complete.
  • Right to an Accounting of Disclosures. You have the right to request an “accounting of disclosures” which is a list of the disclosures we made of medical information about you.

To request this list or accounting of disclosures, you must submit your request in writing to Coffeyville Regional Medical Center, Health Information Management Department, Attn:  Release of Information, 1400 West Fourth, Coffeyville, Kansas 67337. Your request must state a time period, which may not be longer than six years and may not include dates before April 14, 2003. Your request should indicate in what form you want the list (for example, on paper, electronically). The first list you request within a 12-month period will be free.  For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred.

  • Right to Request Restrictions. You have the right to request a restriction or limitation on the medical information we use or disclose about you for treatment, payment or healthcare operations. You also have the right to request a limit on the medical information we disclose about you to someone who is involved in your care or the payment for your care, like a family member or friend. For example, you could ask that we not use or disclose information about a surgery you had.

We are not required to agree to your request.  If we do agree, we will comply with your request unless the information is needed to provide you emergency treatment.

To request restrictions, you must make your request in writing to Coffeyville Regional Medical Center, Health Information Management Department, Attn:  Release of Information, 1400 West Fourth, Coffeyville, Kansas 67337. In your request, you must tell us (1) what information you want to limit; (2) whether you want to limit our use, disclosure or both; and (3) to whom you want the limits to apply, for example, disclosures to your spouse.

  • Right to Request Confidential Communications. You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail.

To request confidential communications, you must make your request in writing to Coffeyville Regional Medical Center, Health Information Management Department, Attn:  Release of Information, 1400 West Fourth, Coffeyville, Kansas 67337. We will not ask you the reason for your request.  We will accommodate all reasonable requests. Your request must specify how or where you wish to be contacted.

  • Right to a Paper Copy of This Notice. You have the right to a paper copy of this notice. You may ask us to give you a copy of this notice at any time. Even if you have agreed to receive this notice electronically, you are still entitled to a paper copy of this notice.

To obtain a paper copy of this notice, Coffeyville Regional Medical Center, Health Information Management Department, Attn:  Release of Information, 1400 West Fourth, Coffeyville, Kansas 67337.

YOUR RIGHTS REGARDING ELECTRONIC HEALTH INFORMATION EXCHANGE

Coffeyville Regional Medical Center participates in electronic health information exchange, or HIE. New    technology allows a provider or a health plan to make a single request through a health information organization, or HIO, to obtain electronic records for a specific patient from other HIE participants for purposes of treatment, payment, or health care operations. HIOs are required to use appropriate safeguards to prevent unauthorized uses and disclosures.

You have two options with respect to HIE.  First, you may permit authorized individuals to access your electronic health information through an HIO. If you choose this option, you do not have to do anything.

Second, you may restrict access to all of your information through an HIO (except access by properly authorized individuals as needed to report specific information as required by law).   If you wish to restrict  access,  you  must  complete  and  submit  a  specific  form  available  at http://www.khie.org.  You cannot restrict access to certain information only; your choice is to permit or restrict access to all of your information.

If you have questions regarding HIE or HIOs, please visit http://www.khie.org for additional information.

Even if you restrict access through an HIO, providers and health plans may share your information directly through other means (e.g., facsimile or secure e-mail) without your specific written authorization.

If you receive health care services in a state other than Kansas, different rules may apply regarding restrictions on access to your electronic health information. Please communicate directly with your out- of-state health care provider regarding those rules.

CHANGES TO THIS NOTICE:

We reserve the right to change the terms of this notice. We reserve the right to make the revised or changed notice effective for all medical information we already have about you i.e., prior to the effective date of the notice revision, as well as any information we receive in the future. We will post a copy of the current notice in the hospital. The notice will contain on the first page, in the top right-hand corner, the effective date. In addition, each time you register at or are admitted to the hospital for treatment or healthcare services as an inpatient or outpatient, we will offer to you a copy of the current notice that is in effect.

BREACH NOTIFICATION:

We have the responsibility to identify and respond to breaches of unsecured PHI including the completion of any required notifications to you and the Secretary of the Department of Health and Human Services (Secretary). For any breaches of unsecured PHI involving fewer than 500 individuals, we will inform you of the concern within 60 days of our discovery in written form by first class mail, by email if you have agreed to receive such notices electronically, and at our website www.crmcinc.org . For any breaches of unsecured PHI involving greater than 500 individuals, in addition to the previously mentioned notifications, we will also contact prominent media outlets in our area, via press release, notifying them of the breach.

Additionally, for any breaches of unsecured PHI involving greater than 500 individuals, we will notify the Secretary within 60 days of our discovery. Otherwise, if fewer than 500 individuals are involved, we will notify the Secretary on nothing greater than an annual basis via a governmental website dedicated to receiving such notifications.

COMPLAINTS:

If you believe your privacy rights have been violated, you may file a complaint with the hospital or with the Secretary of the Department of Health and Human Services. To file a complaint with the hospital, contact Coffeyville Regional Medical Center, Attn: Privacy Officer, 1400 West Fourth, Coffeyville, Kansas 67337; 620-251-1200. All complaints must be submitted in writing.

You will not be penalized or retaliated against for filing a complaint.

OTHER USES OF MEDICAL INFORMATION:

Other uses and disclosures of medical information not covered by this notice or the laws that apply to us will be made only with your written authorization, giving us permission for such uses and disclosures. If you provide us permission to use or disclose medical information about you, you may revoke that permission, in writing, at any time. To revoke an authorization, contact Coffeyville Regional Medical Center, Attn: Privacy Officer, 1400 West Fourth, Coffeyville, Kansas 67337; 620-251-1200.  If you revoke your permission, we will no longer use or disclose medical information about you for the reasons covered by your written authorization. You understand that we are unable to take back any disclosures we have already made with your permission, and that we are required to retain our records of the care that we provided to you.

The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either:

  1. CRMC may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations of this policy applies; or
  2. The consequences to the individual of a refusal to sign the authorization when, in accordance with the prohibition on conditioning of authorizations of this policy, CRMC can condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization.