Joint Notice of Privacy Practices
THIS JOINT NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
PLEASE REVIEW IT CAREFULLY.
EFFECTIVE DATE: AUGUST 21, 2013
1. Who Must Follow This Notice?
This Joint Notice of Privacy Practices (Notice) must be followed by all faculty, doctors, nurses, administrators, employees and other workforce members, and business associates of The University of Texas MD Anderson Cancer Center (MD Anderson) and the Proton Therapy Center Houston (PTC).
This Notice applies to every patient’s personal medical information, or “protected health information,” with respect to MD Anderson or PTC.
“Protected health information” (or “PHI”) is a term used to describe your personal medical information and includes any information, whether oral, written or recorded in electronic form, that is created or received by us as health care providers that identifies you and relates to your past, present or future physical or mental health or condition, treatment, or payment for your health care.
From this point on, we will refer to your protected health information as “PHI.”
2. What is the Purpose of this Notice?
This Notice tells you about the uses and disclosures that we make with your PHI, and certain rights that you have, and obligations we are bound to, with respect to such information. MD Anderson and PTC care about the privacy and confidentiality of your PHI. We have developed policies, created procedures, and taken other steps to help keep your PHI confidential. This Notice gives a summary of those steps, explains your privacy rights, and gives you phone numbers and addresses you can use to ask questions or to make requests.
We are required by law to:
- Maintain the privacy of your PHI.
- Give you this Notice of our legal duties and privacy practices with respect to your PHI.
- Notify you in the event of a breach of your PHI.
MD Anderson and PTC follow the terms of this Notice as long as it is in effect. If we revise this Notice, we will make the revised Notice available to you upon request and will follow the terms of the revised Notice as long as it is in effect. The Notice is maintained on our website and in certain locations or sites where treatment, payment, and health care operations activities may occur.
This Notice applies to PHI created, maintained, used, or disclosed in records related to your care and services that you receive at MD Anderson or PTC, whether created or received by us or your physician.
MD Anderson and PTC maintain your PHI in records that are kept confidential, as required by law. However, we must use and disclose your PHI to the extent necessary to provide you with quality health care. To do this, MD Anderson and PTC must share your PHI with each other, as necessary, and with others, as appropriate, for treatment, payment, and health care operations.
3. We May Use and Disclose Your PHI Electronically.
MD Anderson and PTC create, receive, maintain, and in some instances, disclose your PHI in an electronic format. We will secure your authorization prior to electronically disclosing PHI for any reason other than treatment, payment, health care operations, or as otherwise authorized or required by law.
4. We May Use and Disclose Your PHI for Treatment.
We may use or disclose your PHI to provide you with medical treatment or services. Treatment includes sharing PHI among health care providers involved in your care. For example, your health care provider may share PHI about your condition with pharmacists to discuss appropriate medications, or with radiologists or other consultants in order to make a diagnosis. Different departments within our facilities may also share your PHI in order to coordinate such things as prescriptions, dietary needs, physical therapy, lab work, and diagnostic imaging. MD Anderson and PTC also communicate with your referring and follow-up physician and with post-acute care facilities to which you may be transferred, keeping them informed about your care.
We may contact you to provide appointment reminders by phone, email, text message, or mail.
We may contact you with information about treatment alternatives or other health-related benefits or services that may be of interest to you.
5. We May Use and Disclose Your PHI for Payment.
In addition, we may use and/or disclose your PHI as requested by your health plan, insurer, or other third party payor, to obtain payment for services we provided to you. We also may tell your health plan, insurer, or other payor about a treatment in order to obtain prior approval or to determine whether your health plan, insurer, or other payor will cover the treatment.
If you do not object, we may disclose your PHI to family members, other relatives, close personal friends, or others whom you have indicated are involved in your care when the PHI is directly relevant to that person’s involvement in obtaining payment for your care.
6. We May Use and Disclose your PHI for Health Care Operations.
We may use or disclose your PHI for health care operations. These include:
Quality Improvement and Review of Resources and Staff
We may use and/or disclose your PHI to improve the quality of care we provide (for example, for quality assessments, reviewing the qualifications and competence of our medical staff, and for selecting, educating, and training our employees and staff).
Case Management and Care Coordination
We may use or disclose your PHI for case management and care coordination in the effort to improve the effectiveness and efficiency of care delivered by us.
Risk Management, Legal Services, Compliance, and Audit Functions
We may use or disclose your PHI to assist us with risk management and legal reviews, compliance with laws and regulations, including accreditation and licensing, and audit functions.
Customer Service and Data Analysis
We may use or disclose your PHI to review and help improve our patient satisfaction and customer service levels, and for internal data analyses.
We may use and/or disclose limited portions of your PHI for our fundraising activities. This information includes your name, address and contact information, age, gender, insurance status, dates of service at MD Anderson or PTC, treating physicians and departments, and outcome information. This information allows us to be more specific with our fundraising efforts. You may opt out of fundraising communications by requesting to be removed from our fundraising list. Instructions on how to stop receiving future fundraising communications will be included on each fundraising solicitation.
7. We May Disclose Your PHI Business Associates.
We may disclose your PHI to certain other persons or companies with whom we contract to provide services on our behalf. These persons or companies are called “business associates.” We require our business associates to appropriately safeguard the PHI of our patients.
8. We May Use and Disclose Your PHI for Directory Purposes, for Notification Purposes, and to Individuals Involved in Your Care.
Unless an opportunity to agree or object cannot practicably be provided, we may use and/or disclose your PHI for directory purposes, for notification purposes, and to individuals involved in your care.
Certain Directory Information
If you do not object, we may disclose your location in MD Anderson or PTC facilities and your condition described in general terms that does not communicate specific medical information about you to people who ask for you by name. In addition to the above directory information, your name and your religious affiliation may be disclosed to members of the clergy (even if they do not ask for you by name), unless you object.
Unless you object, we may use or disclose your PHI to a public or private entity authorized by law, such as the American Red Cross, for the purpose of coordinating with such public or private entity to assist in disaster relief efforts related to you.
Family, Close Personal Friends, and Representatives Involved in Your Care
If you do not object, we may disclose your PHI to family members, other relatives, close personal friends, or others you have indicated are participating in your care when the PHI is directly relevant to that person’s involvement in your care.
If you do not object beforehand, we may also use or disclose your PHI to notify (or assist in the notification of) a family member, a personal representative, or other person responsible for your care about your location, general condition, or death.
9. We May Use and/or Disclose Your PHI When Required or Permitted by Law.
We may use and/or disclose your PHI without your written authorization as required or permitted by law. For example:
Public Health/Health Oversight Activities
We may use and/or disclose your PHI for public health activities, including for the reporting of disease, injury, vital events, and for conducting public health surveillance, investigation and/or intervention. We may disclose your PHI to a health oversight agency for oversight activities authorized by law, including for audits, investigations, inspections, licensure or disciplinary actions, and administrative and/or legal proceedings or actions.
Disclosure to the Secretary of the US Department of Health and Human Services
We may disclose PHI when required by the Secretary of the United States Department of Health and Human Services as part of an investigation or a determination of our compliance with relevant laws.
Abuse or Neglect
In accordance with federal and state law, we may disclose your PHI when it concerns abuse, neglect, or domestic violence to you, such as reporting to social welfare, law enforcement, or protective service agencies. Except in certain limited situations, we must promptly inform you that a report of abuse, neglect, or domestic violence has been or will be made.
Judicial or Administrative Proceedings
We may use or disclose your PHI in the course of lawful judicial or administrative proceedings, in accordance with a court order, warrant, subpoena, discovery request, or other legal process that complies with privacy and confidentiality requirements.
We may disclose your PHI to law enforcement personnel for law enforcement purposes. Examples include disclosing limited information to identify or locate a suspect, fugitive, material witness, or missing person; reporting crimes in emergencies; reporting deaths or certain violent injuries; and other mandatory reporting requirements.
Specialized Government Functions
We may disclose your PHI for specialized governmental functions, such as military and veterans’ activities, national security, intelligence activities, and for the provision of protective services to the President of the United States and other officials. We may also disclose your PHI for correctional institution and other law enforcement custodial purposes.
Coroners, Medical Examiners, and Funeral Directors
We may disclose your PHI to a coroner, medical examiner, or a funeral director, as necessary for them to fulfill their duties.
Organ, Eye, and Tissue Donation
If you are an organ, eye, or tissue donor, we may disclose your PHI to an organ donation and procurement organization.
We perform research at MD Anderson and PTC. Our researchers may use and/or disclose your PHI to prepare a research protocol. Additionally, our researchers may use and/or disclose your PHI for research once the research protocol has been reviewed and approved by our Institutional Review Board (IRB). An IRB is a committee responsible for protecting individual research participants and ensuring that research is conducted ethically. Your PHI may be shared with other MD Anderson or PTC researchers and researchers outside of MD Anderson or PTC only after the IRB has approved the study or after getting your prior written permission.
We may use or disclose your PHI when we determine that it is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
We may release your PHI for workers’ compensation or similar programs established by law to provide benefits for work-related injuries or illnesses.
10. We May Use or Disclosure Your PHI with Your Permission (Authorization).
The use or disclosure of your PHI for purposes or activities not listed above will be made only with your written permission, called an “Authorization.” If you permit us to use or disclose your PHI, you may revoke (cancel) that permission, in writing, at any time. If you revoke your permission, we will no longer use or disclose PHI about you for the reasons covered by your written permission. However, we are unable to take back any disclosures we have already made with your permission. If your PHI is disclosed to a third party with your permission, the PHI is no longer subject to this Notice, and the recipient may re-disclose your PHI.
Use or Disclosure of Psychotherapy Notes
Most uses and disclosures of your psychotherapy notes require your Authorization. Psychotherapy notes are notes taken by a mental health professional, such as a psychiatrist or a clinical psychologist, during a private counseling session. Psychotherapy notes are not notes or observations made about your mental state during your course of treatment by a doctor or practitioner who is not a mental health professional.
Use or Disclosure of Your PHI for Marketing
We will not use or disclose your PHI for marketing purposes without your written Authorization. Marketing does not include the following communications: refill reminders, appointment reminders, communications for purposes of case management or care coordination, recommendations for alternative treatments, therapies, care providers or care settings, or descriptions about health-related products and services offered by MD Anderson or PTC.
Sale of Your PHI
We may not sell your PHI without your written Authorization. However, when we disclose your PHI for any purpose permitted or required by law (such as for treatment, payment, or health care operations), we may charge a reasonable, cost-based fee to cover the cost of preparing and transmitting your PHI. For example, we may charge a reasonable, cost-based fee when disclosing your PHI for public health purposes, research purposes, treatment purposes, or payment purposes. We may also charge you a reasonable, cost-based fee when you request copies of your medical and billing records.
11. You Have Rights Regarding Your PHI.
You have the following rights regarding your PHI, provided that you make a written request to invoke the right on the forms provided by us.
Your Right to Request Restrictions
You have the right to request a restriction or limitation on the PHI we use or disclose about you for treatment, payment, or health care operations. You also have the right to request a restriction or limitation on the PHI we disclose about you to someone who is participating in your care or the payment for your care, such as a family member or friend. For example, you could ask that we not use or disclose information about a particular surgery that you have had. You may not request restriction of a disclosure that is required by law.
We will attempt to accommodate all reasonable restriction requests, but we are not obligated to agree to a restriction (except as noted in this paragraph) and in certain circumstances we may not be able to comply. We are required to comply with your request that we not disclose certain PHI to a health plan for payment or health care operations purposes if the PHI relates solely to healthcare treatment or services that have been fully paid out-of-pocket.
To request a restriction, you must make your request in writing to the Chief Privacy Officer at The University of Texas MD Anderson Cancer Center, Institutional Compliance Office, Unit 1640, PO Box 301407, Houston, Texas, 77230-1407. In your request, you must tell us: (1) what information you want to limit; (2) whether you want to limit our use or disclosure of the information (or both use and disclosure); and (3) to whom you want the limits to apply (for example, disclosures to your spouse).
Your Right to Request Alternate Communication Methods or Locations
You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we only contact you by telephone at work or that we only contact you by mail at home or an alternative address. To request such alternative methods or locations, you must make your request in writing to the Chief Privacy Officer at The University of Texas MD Anderson Cancer Center, Institutional Compliance Office, Unit 1640, PO Box 301407, Houston, Texas, 77230-1407. We will not ask you the reason for your request. We will attempt to accommodate all reasonable requests, but we may condition our approval, when appropriate, upon receiving information as to how payment, if any, for your care will be handled. Your request must also specify how or where you wish to be contacted.
Your Right to Inspect and Copy
You have the right to inspect and copy PHI that may be used to make decisions about your care. Usually, this PHI includes medical and billing records and excludes psychotherapy notes. To inspect and copy PHI that may be used to make decisions about you, you must submit your request in writing to The University of Texas MD Anderson Cancer Center, 7007 Bertner Avenue, Unit 1632, Houston, TX 77030, Attention: Release of Information. If you request a copy of the information, we may charge a fee for the costs of copying, mailing, or other delivery costs associated with your request. We will make available your PHI within fifteen days after your written request and payment of any applicable fees are received. We may deny your request to inspect and copy in certain very limited circumstances. In most cases, when you are denied access to PHI, you may request that the denial be reviewed. Another licensed health care professional chosen by us will review your request and the denial. The person conducting the review will not be the person who denied your request. We will comply with the outcome of the review.
Your Right to Request Amendment
If you feel that the information in your medical and billing records is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept by or for MD Anderson or PTC. Your request must be made in writing and submitted to The University of Texas MD Anderson Cancer Center, 7007 Bertner Avenue, Unit 1632, Houston, TX 77030, Attention: HIM. In addition, you must provide a reason that supports your request. We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend information that: (1) was not created by us, unless you provide us with information showing that the person or entity that created the information is no longer available to make the amendment; (2) is not part of the medical, billing, or other designated record sets kept by or for MD Anderson or PTC; (3) is not part of the information that you would be permitted to inspect and copy; or (4) is accurate and complete. We will act upon your request for amendment within 60 days of our receipt of your written request.
Your Right to an Accounting of Disclosures
You have the right to receive an accounting, or list, of certain disclosures made by us regarding your PHI, including disclosures made to or by our business associates. The accounting of disclosures will include: (1) the date of the disclosure; (2) the name of the entity or person who received the PHI and, if known, the address; (3) a brief description of the PHI disclosed; and (4) a brief statement of the purpose of the disclosure. However, this list will not include, for example, disclosures made to carry out treatment, payment, or health care operations, nor will it include disclosures made pursuant to a valid authorization.
To request this list, you must submit your request in writing to The University of Texas MD Anderson Cancer Center, 7007 Bertner Avenue, Unit 1632, Houston, TX 77030, Attention: Release of Information. Your request should state a time period that may not be longer than six years prior to your request. The first list you request within a 12 month period will be free of charge. For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost involved, and you may choose to withdraw or modify your request at that time and before any costs are incurred. We will act upon your request for accounting within 60 days after received your written request.
Your Right to a Paper Copy of This Notice
You have the right to a paper copy of this Notice. You may ask us to give you a copy of this Notice at any time. Even if you have agreed to receive this Notice electronically, you are still entitled to a paper copy of this Notice. To obtain a paper copy of this Notice, contact the Chief Privacy Officer at The University of Texas MD Anderson Cancer Center, Institutional Compliance Office, Unit 1640, PO Box 301407, Houston, Texas, 77230-1407.
12. We are Required to Notify You If Your PHI is Breached.
A breach is an unpermitted use or disclosure of PHI in which there is more than a low probability that such PHI has been compromised. We will notify you in the event of a breach of your PHI. If you agree, we may notify you of a breach via email.
13. Submitting Privacy Complaints.
If you believe your privacy rights have been violated, you may file a complaint with us by calling the Privacy Hotline at 1-888-337-7497 or MD Anderson’s Institutional Compliance Office at 713-745-6636, or by contacting the Chief Privacy Officer at The University of Texas MD Anderson Cancer Center, Institutional Compliance Office, Unit 1640, PO Box 301407, Houston, TX, 77230-1407.
You may also file a complaint with the Secretary of the United States Department of Health and Human Services by contacting the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and submitting the complaint in writing (whether paper or electronically, by mail, fax, or email at OCRMail@hhs.gov). You may also request additional information about how to file a complaint with the OCR at http://www.hhs.gov/ocr/privacy/hipaa/complaints/, by emailing OCRMail@hhs.gov, or by calling 1-800-368-1019. You have 180 days from the date you found out about the privacy incident to file your complaint with OCR. OCR may extend the 180-day period if you can show “good cause.”
Anyone can file a complaint. And you will not be penalized or retaliated against in any way for filing a complaint.
14. We May Make Changes to This Notice.
We reserve the right to change this Notice at any time. We reserve the right to make the revised or changed Notice effective for PHI we already have about you as well as any information we receive in the future. We will post a copy of the current Notice in MD Anderson and PTC facilities, as well as on our website. The Notice will include the effective date. In addition, the updated Notice will be given to each new patient, and is available to all returning patients upon request.
Should you have any questions...
Should you have any questions about the contents of this Notice, please contact the Chief Privacy Officer at The University of Texas MD Anderson Cancer Center, Institutional Compliance Office, Unit 1640, PO Box 301407, Houston, Texas, 77230-1407, or at 713-745-6636, or through the Privacy Hotline at 1-888-337-7497.
Effective Dates: Our Notice of Privacy Practices was originally issued on April 14, 2003. Since that time, the Notice has been revised on December 1, 2006, and August 21, 2013.
You may also view this Notice on our web site.