Patient Privacy & HIPAA
Cabrini University Health Services is required by law to:
- protect the privacy of medical information
- provide this notice about information practices
- follow the information practices described in this notice
- seek acknowledgement by patients of receipt of this notice
Before a significant amendment in policy takes effect, this notice will be adjusted and posted online here and in the reception area.
Patients can request a copy of this notice at any time (email@example.com, 610.902.8400).
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) covers privacy, security, and notification rules.
- Learn more at hhs.gov/ocr/privacy.
Disclosure of Protected Health Information
The following categories describe different ways that Cabrini University Health Services uses and discloses protected health information.
The examples and explanations are not all-inclusive. However, all the ways permitted to use and disclose information fall within one of the categories.
For Treatment: to provide, coordinate, or manage health care and any related services
For example, protected health information may be disclosed to a doctor to whom a patient is referred, providing necessary information for diagnosis and treatment.
For Payment: in activities related to obtaining payment for health care services
For example, a patient may receive an itemized bill for insurance or direct billing from the Cabrini University Business Office (itemized simply as Health Service charge).
For Healthcare Operations: to support business activities
For example, during clinician performance evaluations, Health Services may review what the clinician has documented in medical charts.
To Business Associates:
Cabrini University Health Services may share protected health information with a third-party ‘business associate,’ e.g., medical transcribers.
Whenever an arrangement with a business associate involves such disclosure, a written contract contains terms that protect the privacy of protected health information.
Cabrini University Health Services may disclose protected health information in telephone or written reminders about appointments.
It is policy to be as discreet as possible, though there might be times when specifics are divulged, e.g., a reminder to fast 12 hours before drawing blood.
The following categories describe different ways that Health Services may use and disclose protected health information with a patient's opportunity to object.
When a patient is not present or able to object, medical providers may use professional judgment to determine whether the disclosure is in the patient’s best interest.
Others Involved in Healthcare:
Unless the patient objects, Health Services may disclose protected health information that directly relates to another person’s involvement in the patient’s health care.
This could include a family member, relative, close friend, or any other person that the patient identifies.
In an emergency treatment situation, Health Services will provide patients with a Notice of Privacy Practices as soon as reasonably practical after the delivery of treatment.
Health Services may use and disclose protected health information after attempting to inform the patient about privacy practices and being unable to do so because of substantial communication barriers.
This is only done after Health Services uses professional judgment to determine that the patient would agree.
Health Services may use or disclose protected health information in the following situations without authorization or opportunity to object.
Public Health: for public health activities, including disease prevention or control, injury or disability, births and deaths, abuse or neglect of children, elders and dependent adults, and exposure notification
Health Oversight: to a health‑oversight agency for activities authorized by law (e.g., audits, investigations, inspections)
Health Services also may disclose protected health information to the Department of Health and Human Services to investigate compliance with privacy regulations.
Abuse or Neglect: to an appropriate authority to report suspicions or validation that the patient is a victim of abuse, neglect, or domestic violence
Food and Drug Administration: to report reactions to medication or problems with products, or to notify people of recalls of products they could be using
Legal Proceedings: in response to a court or administrative order, subpoena, discovery request, or other lawful process by someone else involved in the dispute
This is done only if efforts to inform the patient have been made in writing.
Law Enforcement: if asked to do so by a law-enforcement official, e.g., when pertaining to victims of a crime or to prevent a crime
Coroners, Funeral Directors, and Organ Donation:
- for the coroner, medical examiner, or funeral director to perform duties authorized by law and for organ‑donation purposes
Soldiers, Inmates, and National Security:
- to military command authorities if the patient is a member of the armed forces, and, for foreign military personnel, to the appropriate foreign military authority
- to custodians of inmates for the institution to provide for the patient's ongoing health care, to protect the health and safety of the patient or others, or for the safety and security of the correctional institution
- to authorized federal officials for intelligence, counter-intelligence, and other national security activities authorized by law
- to comply with workers’ compensation laws that provide benefits for work-related injuries or illness.
In general, Health Services may use or disclose protected health information as required by law and limited to the relevant requirements of the law.
This includes the prevention of a serious threat to the health and safety of the patient, another person, or the public. Any disclosure would only be to someone able to help prevent that threat.
Rights Regarding Medical Information
Patients have the right to:
- inspect their protected health information during business hours and/or obtain a copy of their record
Health Services may refuse to provide access for a civil or criminal proceeding and to protected health information that is subject to the Clinical Laboratory Improvement Amendments (CLIA) of 1988.
- request restriction of their protected health information
If patients do not want a particular treatment or condition to be disclosed to insurance companies or employers, they should submit a written directive to that effect.
Patients' written permission is required in most situations regarding sensitive information, such as HIV test results, substance-abuse treatment, or psychiatric care.
Patients also may request that information not be disclosed to family members or friends involved in care.
The written request must state specific restrictions and to whom the restrictions apply.
- request to receive confidential communications from Health Services by alternative means or at an alternate location
Health Services will accommodate reasonable requests, but may also condition this accommodation by asking for information about how payment will be handled or requiring an alternative address or other method of contact.
An explanation of the basis for the request is not required.
- ask Health Services to amend the protected health information
This request may be denied if:
- not in writing, inaccurate, or incomplete
- not including a reason to support the request
- the information was not created or kept by Health Services
- the information would not be subject to inspection by the client under access laws
If denied, Health Services will send a ‘letter of denial’ and include a copy in the patient's chart.
Patients have the right to file a statement of disagreement with Health Services and have their medical record note the disputed information.
This statement becomes a part of the patient’s medical record and must be included whenever health care providers disclose medical records to a third party.
- receive an accounting of certain disclosures Health Services has made
This right applies to disclosures for purposes other than treatment, payment, or healthcare operations. It excludes disclosures made to the patient, the ‘facility directory,’ family members or friends involved in care, or for notification purposes.
Patients have the right to receive specific information about these disclosures and will receive an ‘accounting of disclosures’ within 60 days of Health Services receiving a written request.
- obtain a paper copy of this notice from Cabrini University Health Services
Law Pertaining to Minors
In the case of records that were created as a result of the consent of the parent or legal guardian of a minor, access is only to those records of care to which the minor consented.
In the case of records that were created as a result of the consent of a minor—e.g., emancipated minor, self‑sufficient minor, or minor seeking sensitive services—only the minor has the right to access (or release).
- Information is not shared with foster parents, probation, or a social service until their authority to access by the courts is verified.
- Cabrini University Health Services upholds the minor’s right to authorize in writing the release of protected health information to a patient rights advocate under the Minor Consent Law and to the parent or legal guardian in all other cases.
- Records of deceased minor patients maintain similar privacy protection as existed when the minor was alive.
Patients who are concerned that Cabrini University Health Services has violated privacy rights, or who disagree with a decision about access to records may contact:
- Susan Fitzgerald, BSN, RN
Director of Health Services
610 King of Prussia Road
Radnor, PA 19087
- U.S. Dept. of Health and Human Services
200 Independence Ave., S.W.
Washington, DC 20201