NOTICE OF PRIVACY PRACTICES

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY

There are two federal laws that protect the privacy of health information. These are the Family Education Rights and Privacy Act (FERPA), and the Health Insurance Portability and Accountability Act (HIPAA).

For students of The University of Tulsa (TU), the applicable federal privacy regulations are found in FERPA. However, it is our goal to comply with the standards of HIPAA.  For all other individuals, the applicable federal privacy regulations are found in HIPAA.  We are committed to protecting your medical information under HIPAA.  Under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), we are required by law to:

► Maintain the privacy of your medical information
► Give you a Notice of our legal duties and privacy practices with respect to your medical information; and
► Follow the terms of the Notice currently in effect.

We reserve the right to change our practices and to make the new provisions effective for all protected health information we maintain. Any change we make to our privacy practices will be made available to you.

YOUR RIGHTS REGARDING YOUR PERSONAL HEALTH INFORMATION (PHI)

Although your health information is the physical property of the University of Tulsa, the information belongs to you. The following describes your rights:

  1. You may request a restriction to the use and disclosure of your Personal  Health Information for circumstances involving treatment, payment or healthcare operations.  You may also restrict disclosure of any part of your PHI to family members or individuals involved in your care.  Those restrictions must be in writing and specific.  However, these restrictions may not be appropriate.  (See Examples of Disclosures for Treatment, Payment, and Healthcare Operations.)
     

  2. You have the right to see and request a copy of your PHI.  This request must be in writing and we do reserve the right to charge for the copy request.  There may be circumstances in which we are not required to comply with your request.  If such circumstances should arise, we will provide you, in writing, an explanation.
     

  3. You have the right to amend your PHI.  If you believe that there is a mistake or missing information in our record of your PHI, you may request, in writing, that we correct or add to the record,  We will respond within 60 days of receiving your request.  We may deny the request if we determine that the PHI is (1) correct and complete, (2) not created by us and/or not part of our records, or (3) not permitted to be disclosed.
     

  4. You have the right to a listing of disclosures we have made.  As state, FERPA is the primary federal law with respect to student health records.  However, there may be incidents where disclosures of your PHI are required by law.  (See Special Circumstances for Disclosures of PHI.)
     

  5. You have the right to receive a copy of the Notice.  This Notice will be available at www.utulsa.edu/alexhealth .

FILING A COMPLAINT

We are required to place in the Notice, contact information for filing a complaint if you feel that your privacy rights have been violated. Please contact:

HIPAA Privacy Officer--Wayne Paulison
Office of Human Resources and Risk Management
The University of Tulsa
800 S. Tucker Drive
Tulsa, OK 74104
918-631-2259

Secretary of Health and Human Services
200 Independence Avenue SW
Washington, D.C. 20201
1-877-696-6775

To file a complaint with the Secretary of Health and Human Services, you must do so within 180 days of the date on which that action that caused concern happened.  There will be no punishment or penalty for filing a complaint. The effective date for this Notice is April 14, 2003.

EXAMPLES OF DISCLOSURES FOR TREATMENT, PAYMENT AND HEALTH OPERATIONS

1. Providing health care treatment to you – We will use your health information for diagnosis and treatment. For example, information obtained by a nurse, physician assistant, physician or other member of the healthcare team will be recorded in your record and used to determine the course of treatment that would work best for you.

2. To obtain payment for services – There are some services provided in our organization through contacts with business associates. Examples include physician services and laboratory services. When these services are contracted, we may disclose your health information to our business associate so that they can perform the job we have asked them to do. To protect your health information, however, we require the business associate to appropriately safeguard your information.

3. Performance of health care operations – Health care operations are those functions that include utilization review, receiving and responding to complaints, compliance programs, audits, etc.

4. When required by law – For example, the U.S. Department of Health & Human Services may want to audit our records to ensure HIPAA is being invoked.

5. Individuals Involved With Your Care – We will only communicate with family if we have a signed release from you authorizing the communication that has been executed in compliance with FERPA or if is it a life threatening medical condition.

6. Appointment Reminders – Unless you provide us with alternative instructions, we may send appointment reminders and other similar materials to your home, or notify you of appointments by phone.

EXAMPLES OF SPECIAL CIRCUMSTANCES FOR DISCLOSURES OF PHI WITHOUT YOUR AUTHORIZATION

There may be special circumstances that require us to use and disclose your protected health information. Those circumstances may include some or all of the following:

1. Public health activities – The use and disclosure of PHI for public health activities and purposes to a public health authority that is permitted by law to collect or receive the information. The disclosure will be made for the purpose of controlling disease, injury, or disability. We may also disclose PHI if so directed by the Public Health Authority. For example, it is required by Oklahoma State law to report any positive lab reports on patients who are infected with the sexually transmitted infections of Chlamydia, gonorrhea, and HIV. There are other infectious diseases that require reporting and examples of those would be Hepatitis A, Meningitis, E-coli, and Salmonella.

2. Any incident relating to abuse, neglect or domestic violence – The use and disclosure of PHI to a public health authority that is authorized by law to receive reports of child abuse or neglect. We may also disclose PHI if we believe you have been a victim of abuse, neglect or domestic violence to the governmental agency authorized to receive such information.

3. Health oversight activities – Use and disclosure of PHI to a public health authority for activities authorized by law, such as audits, investigations, and inspections. These oversight agencies would include government agencies that oversee the healthcare system, government benefit programs, or other government regulatory programs, and civil rights laws.

4. For judicial and administrative proceedings – The use and disclosure of PHI to any judicial or administrative proceeding, in response to an order of a court or administrative tribunal, and in certain conditions, a subpoena, discovery request or other lawful process.

5. For law enforcement purposes – The use and disclosure of PHI, so long as applicable legal requirements are met. Law enforcement purposes are legal processes required by law; limited information requests for identification and location purposes; issues pertaining to victims of a crime, and suspicion that death has occurred as a result of criminal conduct.

6 For purposes relating to decedents – The use and disclosure of PHI to a coroner or medical examiner for identification purposes, determining cause of death or for the coroner or medical examiner to perform other duties authorized by law.

7 For purposes of organ, eye or tissue donation – The use and disclosure of PHI for recipients of your organs.

8 To avert a serious threat of health safety – For example, outbreaks of communicable diseases such as smallpox, SARS, etc.

9 For specialized government functions – Specialized government functions could involve authorized federal officials who are conducting national security and intelligence activities.

10 For purposes relating to correctional institutions and in other law enforcement custodial situations – The use and disclosure of PHI if you are an inmate of a correctional facility and your physician created or received PHI in the course of providing care to you.

11. Individual use and disclosure – The use and disclosure of PHI to you and when required by the Secretary of the Department of Health and Human Services to investigate or determine our compliance with HIPAA