HIPAA Privacy Rule

Effective Date: April 14, 2003
Amendment Effective Date: April 14, 2013
Revision Date: September 23, 2013

THIS NOTICE DESCRIBES HOW PATIENT HEALTH INFORMATION MAY BE USED AND DISCLOSEDAND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE, READ THE CONTENTS CAREFULLY.

The Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act (found in Title XIII of the American Recovery and Reinvestment Act of 2009), (jointly referred as “HIPAA”), as amended in due course, require Metro Pavia Health System and its affiliated hospitals to maintain the privacy of “protected health information” (hereinafter referred as “PHI.”). The HIPAA Privacy Rule requires us to provide detailed written notice of our privacy practices.

We understand the importance of privacy and are committed to maintaining the confidentiality of your medical information. Please read this Notice of Privacy Practices carefully. This notice describes how we may use and disclose your medical information to third parties. It also describes your rights and our legal obligations with respect to your medical information.

As required by law we must: 

  • Maintain the privacy of your Protected Health Information. Provide you with notice of our legal duties and privacy practices with respect to protected health information.
  • Comply with the terms of this notice that are currently in effect.

This Notice applies to the provision of medical care by Metro Pavia Health System affiliated hospitals, medical personnel, outpatient departments, and clinics. This Notice also applies to the utilization review and quality assessment activities of Metro Pavia Health System and its affiliated hospitals.

I. Authorization for Use or Disclosure

The following categories describe different ways that we use and disclose medical information. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one of the following categories:

  1. For Treatment: We may use your medical information to provide you with medical care. We may disclose medical information about you to doctors, nurses, technicians, medical students, or other staff members who are involved in taking care of you in order to coordinate the different things you need, such as prescriptions, lab work and x-rays. We also may disclose medical information about you to people outside Metro Pavia Health System and its affiliated hospitals, as with the doctors who referred you and those who treat you.
  2. For payment matters: We may use your information and / or transfer it to your health insurance policy or other persons who help you pay for your care. For example, we may tell your health insurance about a treatment you will receive to determine if your health insurance would pay for that treatment.
  3. For Healthcare Operations: We may use your medical information to improve the quality of care we provide. These activities help us carry out our programs to ensure that all of our patients receive quality medical care. For example, we may use your information to perform quality assessment of our treatments and services. Also, to evaluate the performance of our employees and their care for you. We may also disclose your health information to physicians, nurses, technicians, students, and other health care employees for educational purposes or in preparation for an investigation.
  4. Other Uses and Disclosures: As part of treatment, payment and medical care operations, Metro Pavia Health System and its affiliated hospitals may also use the patient’s PHI information for the following purposes:
    • Business Associates: We may hire third parties to provide certain types of services. For example, we may use services from transcription and collection companies. With Business Associates agreements, we can disclose your information so the third party can perform the functions, activities, or the contracted services. Also, the business associate agreements require these entities to protect the medical information we provide. Business partners may receive, create, maintain, use and disclose PHI only after obtaining a legal agreement with Metro Pavia Health System and its affiliated hospitals that establishes the business partner relationship and its obligations to comply with the provisions of the HIPAA Act (45 CFR Part 160 and 164).
    • Appointment reminders: We can contact you to remind your medical appointments.
    • Health promotion information and activities: Metro Pavia Health System and its affiliated hospitals may use and disclose some of the patient’s PHI information for certain health promotion activities. For example, the patient’s name and address maybe used to send a general newsletter or specific information related to the patient’s own health interests.
    • Treatment Alternatives: We may use and disclose your health information to inform you or recommend possible treatment options or alternatives that may be of interest to you.
    • Medical research: We may share your medical information with medical researchers who request it for medical research projects previously approved by an institutional review board that has reviewed the research proposal and established protocols to ensure the privacy of your medical information. We may also use and share your health information to communicate with you about enrolling in a research study. Researchers are required to protect all PHI information they receive.
    • Fundraising Notices: We may use your medical information to contact you in an effort to raise money for our Hospitals or clinics. For example, we can send you a letter asking if you would like to contribute with donation. You can choose not to contact us for our fundraising efforts. If we send you information about our fundraising efforts, we will include a simple way for you to request not to receive subsequent fund-raising materials.
    • Genetic Information: Metro Pavia Health System and its affiliated hospitals may not use or disclose genetic information for risk analysis purposes. However, we may use genetic information, for example, to determine medical necessity when you request a benefit under the plan or coverage.

II. Uses and Disclosures that Require us to Give You an Opportunity to Object

  1. Persons involved in your care: When appropriate, we may share Health Information with a person who is involved in your medical care or payment for your care, such as your family or a close friend. We also may notify your family about your location or general condition or disclose such information to an entity assisting in a disaster relief effort. If you do not want us to use or disclose your Protected Health Information in these ways, you must notify our Privacy Office. using the contact information at the end of this Notice.
  2. Hospital Directory: We may include certain limited information about you in the hospital directory while you are in the hospital. This information may include your name, your location in the hospital, your general medical condition (regular, stable, etc.) and your religious affiliation. We may disclose information from the directory, excluding religion, to those people who ask for you giving your full name. The patient must be informed about the information to be included in the directory, and to whom the information may be released, and must have the opportunity to restrict the information or to whom it is disclosed, or opt out of being included in the directory. We may provide the appropriate directory information, except for religious affiliation, to anyone who asks for the patient by name. Religious affiliation may be disclosed to members of the clergy.
  3. Spiritual Care: The information on the directory, including religious affiliation of the patient, maybe given to a member of the clergy, even if he does not ask for his name. Spiritual care providers are members of the healthcare team at the affiliated hospital and may be consulted upon regarding your care. You have the right to request that your name not be given to any member of the clergy.

III. Use or Disclosure that Requires Patient Authorization

The following uses and disclosures of your Protected Health Information will be made only with your written authorization:

  1. Marketing: Subject to certain limited exceptions, your written authorization is required in cases where Metro Pavia Health System and its affiliated hospitals receives any direct or indirect remuneration in exchange for making the communication to you which encourages you to purchase a product or service or for a disclosure to a third party who wants to market their products or services to you.
  2. Investigations: Metro Pavia Health System and its affiliated hospitals will obtain written authorization from the patient to use or disclose PHI information for research purposes as required by HIPAA law.
  3. Notes on Psychotherapy: With limited exceptions, psychotherapy notes will not be released without the express authorization of the patient.
  4. Sale of PHI information: Subject to certain limited exceptions, disclosures that constitute a sale of PHI require your written authorization.
  5. Other Uses and Disclosures: Any other use or disclosures of PHI that is not described in this Notice of Privacy Practices require your written authorization Written authorizations will let you know why we are using your PHI. You have the right to revoke an authorization at any time.

If you authorized us to use or share your medical information, you have the right to revoke, at any time, the authorization. The revocation must be in writing, and is not effective until we receive it. In addition, a written revocation is not effective with respect to actions we took in reliance on a valid Authorization, if you decide to terminate this permission, we will not use or share your medical information prospectively.

IV. Use or Disclosure Permitted or Required by Public Policy or Law Without Patient Authorization

  1. Lawsuits and litigation: If you are involved in a lawsuit or litigation, we may disclose your information in response to a court order, a lawsuit, or other legal process.
  2. Law enforcement agency: We may disclose your medical information to a law enforcement officer as required by law, such as:
    • Reporting on certain types of wounds.
    • In response to a court order, subpoena, arrest warrant, or other similar proceeding.
    • To identify or locate a suspect, a fugitive, a material witness, or a missing person.
    • In certain circumstances, in order to give information about a crime victim in case of not being able to obtain the consent of the victim.
    • To report the cause of a death that we believe has been caused by criminal conduct.
    • To report suspicious criminal conduct within our facility.
    • In case of emergency, to report a crime, the place of the same or the victims or their identity, description or place where the person who committed the crime is located
  3. Abuse, Neglect or Domestic Violence: We may notify designated government authorities, including social service or protective services agencies, if there is a reasonable belief that a patient is a victim of abuse, neglect or domestic violence. We will make such disclosure to the extent that it is expressly authorized by law or when the patient agrees to such disclosure.
  4. Public health risks: As required by law, we may disclose your health information for public health issues, such as:
    • To control or prevent illness, injury or disability.
    • To report vital events of births or deaths.
    • To report negligence or abuse of minors to designated government authorities.
    • To provide information about products or services within the jurisdiction of the Food and Drug Administration of the United States.
    • To notify you if you have been exposed to a disease or if you could be at risk of contracting or spreading a disease or condition.
    • To provide information to your employer, as required by laws that address occupational illnesses and injuries or workplace safety.
  5. Prosecutors, forensic pathologists and funeral directors: We may disclose your medical information to a prosecutor, or a forensic pathologist. For example, this will be necessary to identify a deceased or to determine a cause of death. We may also disclose your medical information to funeral directors as necessary to carry out their duties.
  6. Donation of organs and tissue: We may disclose PHI to an organ procurement organization or entity for organ, eye or tissue donation purposes.
  7. Military and Veterans of the Armed Forces: If you are a member of the US military or another country, we may disclose your PHI as required by the military commanding officers.
  8. Work compensation: We may disclose your health information for work compensation or similar programs. We will do this as far as the law requires.
  9. Health Oversight Activities: We may disclose PHI to government health oversight agencies, such as the Puerto Rico Department of Health, for activities authorized by law. These activities include: audits, investigations, inspections and licenses. The government uses these activities to monitor the health system, government programs and compliance with civil rights laws.
  10. National security: We may disclose your health information to authorized federal agents for national security purposes.
  11. Student Immunization Records: Metro Pavia Health System affiliated hospitals may disclose proof of immunization to a school where the law requires it prior to admitting a student.
  12. Prisoners: If you are an inmate of a correctional institution or under the custody of a law enforcement officer, we may disclose your PHI to the correctional officer or law enforcement officer.
  13. As required by law: We may disclose your PHI when required by federal or state law.

V. Patient’s Health Information Rights

You have the following individual rights concerning your PHI:

  1. Right to inspect and copy: You have the right to inspect and request copies of medical information that has been used to make health decisions. To review or obtain copies of your medical information, you must make a written request to the Hospital Health Information Management Department. You will be charged a reasonable copying fee in accordance with applicable federal or state law. You will also have the right to request your health information in electronic format, in cases where the hospital utilizes electronic health records. Otherwise you will be provided with the information in ¨hard copy¨ format. If the copies provided are in electronic format, we will only charge you for labor costs. For more information, please call the Hospital Health Information Management Department. In certain situations, you may be denied access to medical information (for example, mental health records or information collected for court proceedings), as provided by law. In such a case, you may request that your case be reviewed, please contact the Hospital Information Management Department.
  2. Right to Amend: You have the right to request an amendment regarding your protected health information or your medical record. You must make your request for amendment of your PHI in writing, including your reason to support the requested amendment. We can deny the request in case it has not been submitted in writing or for not including the reason for your request. We may also deny your request for amendment if:
    • It was not created by us.
    • The information is not part of the designated record set.
    • The information would not be available for patient inspection (due to its condition or nature).
    • The information is accurate and complete. If Metro Pavia Health System affiliated hospitals denies the patient the request to change PHI information, the patient will be notified in writing with the reason for the denial. Metro Pavia Health System affiliated hospitals will also inform the patient of his right to submit a written statement expressing their disagreement with the denial. The patient may ask that Metro Pavia Health System affiliated hospitals include the request for amendment and the denial any time that Metro Pavia Health System affiliated hospitals subsequently discloses the information that the patient wanted changed. Metro Pavia Health System affiliated hospitals may prepare a rebuttal to your statement of disagreement and will provide you with a copy of that rebuttal.
  3. Right to an accounting: The patient has the right to receive an accounting of the disclosures of PHI information that the Hospital has made, except in the following disclosures: to carry out treatment, payment or healthcare operations; disclosure to the patient; disclosure to persons involved in patient care; for national security or intelligence purposes; or to correctional institutions or law enforcement officials. The patient must make the request for an accounting of disclosure of PHI in writing to the Hospital. The patient should include the time period of the accounting, which may not be longer than six years. In any given 12-month period, the Hospital will provide the patient with an accounting of the disclosures of PHI at no charge. Any additional requests for an accounting within that time period will be subject to a reasonable fee for preparing the accounting.
  4. Right to request restrictions: You have the right to request restrictions on certain uses and disclosures of your PHI to carry out treatment, payment or healthcare operations functions or to prohibit such disclosure. You may also request a restriction on disclosure of your PHI to a health plan (for purposes of payment or healthcare operations) in cases where you paid out of pocket, in full, for the items received or services rendered. However, Metro Pavia Health System affiliated hospitals will consider your request but is not required to agree to the requested restrictions. The request must be submitted in writing by filling in a form which will be delivered at your request. You must add:
    • What type of information do you want to restrict?
    • How do you want us to restrict it?
    • To whom you want the restrictions to be applied?
  5. Right to request confidential communications: You have the right to receive confidential communications of your PHI by alternative means or at alternative locations. For example, you may request that the Hospital only contact you at work or by email. We will accept all reasonable requests.
  6. Right to receive a copy of this Notice: You have the right to receive a paper copy of this Notice of Privacy Practices, upon request.
  7. Rights Concerning the Electronic Exchange of Health Information

    Once we have the electronic record we will be able to participate in the electronic exchange of health information with other medical professionals and health plans through an approved Health Information Organization (HIO). Through our participation, other medical professionals and health plans may access your PHI for treatment, payment, or health care operations. The approved HIO is required to maintain safeguards to protect the privacy and security of PHI. The approved agency will only allow access through its agency exclusively to authorized personnel. You have the right to decide whether medical professionals and health plans can access your health information through this agency. You have two options. The first is that you can allow authorized persons access to your PHI maintained through an agency for treatment, payment, or health care operations. If you choose this option, you do not have to do anything.The second is that you can restrict access to your PHI. To do so, you must submit a request for exclusion and restriction in writing. You can apply for it at the Admissions Department or at the Hospital Health Information Management Department. Even if you restrict access to your PHI, medical professionals and health plans may share your information through other legal means already available without your specific authorization. Understand that your decision to restrict access to your electronic health information may limit the ability of your health care providers to provide you with the most effective care. When submitting a restriction request, you accept the risks associated with that decision.

VI. Violation of PHI Information

In compliance with the law, we will keep your PHI private and safe. If someone acquires, accesses, uses or transfers part of your PHI in a manner not allowed by law, we will notify you without unreasonable delay, meaning within 60 days of discovery.

VII. Changes to this Notice

Metro Pavia Health System and its affiliated hospitals will abide by the terms of the Notice currently in effect. Metro Pavia Health System and its affiliated hospitals reserves the right to make substantial changes to the terms of this Notice and to make the new Notice provisions effective for all PHI that it maintains. Metro Pavia Health System and its affiliated hospitals will distribute/provide the patient with a revised Notice at the first visit following the revision of the Notice in cases where it makes a material change in the Notice. The patient may also request a current copy of the Notice at any time.

VIII. Complaints

If the patient believe that his privacy rights have been violated, he may file a complaint with the Hospital Compliance Officer or the Secretary of the Department of Health. All complaints must be submitted in writing directly to the hospital Compliance Officer. The hospital ensures that the patient will not be subject to retaliation for filing a complaint.

IX. Questions, Concerns or Additional Information

If the patient have any questions, concerns or want further information regarding the issues covered by this Notice of Privacy Practices or seek additional information regarding Metro Pavia Health System and its affiliated hospitals privacy policies and procedures , please contact the Director of Corporate Compliance to the hotline free of charge 1-888-882-0882, to fulfillment@metropaviahealth.com.

You may write to Metro Pavia Health System, Maramar, Plaza Building 101, San Patricio Ave. Suite 950-960 Guaynabo, PR, OO968 OR CALL 787-999-8944.

PUBLIC LAW 104–191—AUG. 21, 1996
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996