DECH Notice of Privacy Practices
DOWN EAST COMMUNITY HOSPITAL
NOTICE OF PRIVACY PRACTICES
This Notice describes how medical information about you may be used and disclosed and how you can get access to this information.
Please review it carefully.
Our Legal Duty
Under State and Federal law, Down East Community Hospital (“DECH”) is required to protect and maintain your health information and keep it confidential, to provide this Notice about our legal duties and privacy practices regarding protected health information, to notify affected patients following a breach of unsecured protected health information and to abide by the terms of the Notice in effect.
Who Must Comply with this Notice
This Notice applies to DECH, its departments, units, all employees, staff and other hospital personnel. This notice applies to volunteers whom we allow to help you while you are at the hospital. It also applies to all health care professionals authorized to enter information in your medical record.
Protected Health Information
We create records of the care and service you receive at DECH. These records contain your protected health information which is needed to provide you with quality care and comply with certain legal requirements. “Protected health information” or “PHI” is individually identifiable health information about you, including demographic information collected from you, that is created or received by DECH and that relates to (i) your past, present, or future physical or mental health or condition, (ii) the provision of health care to you, or (iii) the past, present or future payment of your health care. PHI also includes any health information and records provided to DECH by other health care providers and facilities that have provided care to you or are involved in your care.
How We May Use Your Protected Health Information
We use your PHI for treatment, to obtain payment, and for health care operations, including administrative purposes and evaluation of the quality of care you receive, without your authorization. For example:
Treatment: We will use and disclose your PHI to provide you with medical treatment or services. For example, nurses, physicians and other members of your treatment team will record information in your record and use it to determine the most appropriate course of care. We may also disclose the information to other health care providers who are participating in your treatment, or to people outside of the hospital who may be involved in your medical care after you leave the hospital, such as home health nursing or family members.
Payment: We may use and disclose your PHI to bill and receive payment from third party payors for healthcare services we provide to you. For example, we may need to give your health plan insurer information about surgery you received at the hospital so your health plan payor will pay or reimburse us for the surgery. We may also tell your health plan payor about a treatment you are going to receive to obtain prior approval or to determine whether your plan will cover the treatment.
Health Care Operations: We will use and disclose your PHI to conduct our internal operations, including but not limited to quality review and improvement activities, risk management activities, and to conduct and process patient satisfaction surveys.
DECH may also use and disclose your PHI without your authorization in the following additional circumstances:
Hospital Directory: Unless you or your personal representative notify DECH that you object to and wish to prohibit or restrict any such uses and disclosures, DECH may use and disclose the following limited PHI about you for the following hospital directory purposes:
DECH may use limited PHI about you to maintain a hospital directory—namely, your presence and room location in a DECH facility, a brief general description of your health status and condition that does not communicate specific medical information about you, and your religious affiliation.
DECH may disclose such hospital directory information about you (except for your religious affiliation) to persons who ask for you by name, including members of the public and law enforcement officials.
DECH may also disclose such hospital directory information about you, including your religious affiliation, to members of the clergy.
DECH may also disclose a brief general description of your health status and condition that does not communicate specific medical information about you (but not your room number) to members of the media who ask for you by name.
Abuse, Neglect, and Exploitation Reporting: DECH may disclose your PHI to government authorities, such as Child Protective Services or Adult Protective Services that are authorized by law to receive reports of actual or suspected cases of abuse, neglect, or exploitation of children and incapacitated or dependent adults.
Family Members and Others Involved with Your Care: DECH may disclose your PHI to a family member or friend who is involved in your medical care, or to someone who helps pay or secure payment for your care. If you do not want us to disclose your PHI to family members or friends, you may let us know this when you register at the hospital.
Disaster Relief: We also may disclose your medical information to disaster relief organizations to help locate a family member or friend in a disaster.
Personal Representatives: DECH may disclose your PHI to a personal representative, such as your guardian, health care power of attorney agent, or health care surrogate, who is authorized to make health care decisions on your behalf when you lack the capacity to make your own health care decisions.
As Required by Law: DECH may use or disclose your PHI when required or authorized by state and federal law.
Public Health Activities: DECH may use and disclose your PHI to public health authorities for public health activities, such as to comply with mandatory communicable disease and vital statistics reporting laws.
Uses and Disclosures to Avert Threats of Harm or Safety: DECH may disclose your PHI when necessary to prevent or lessen a direct threat of serious, imminent harm to health or safety.
Judicial and Administrative Proceedings. DECH may disclose your PHI in judicial or administrative proceedings when required or authorized by law, for example, in response to an order of a court or pursuant to a subpoena served by a governmental entity authorized by law to have access to your PHI.
Law Enforcement Purposes. DECH may disclose your PHI, so long as applicable legal requirements are met, for certain law enforcement purposes such as to report gunshot wounds, crimes committed on DECH’s premises, or crimes committed against DECH personnel.
Health Oversight Activities: DECH may disclose information to a health oversight agency for activities as authorized by law, such as inspections and licensure. These activities are necessary for the government to monitor the health care system and compliance with government regulatory programs.
Research: DECH may disclose your PHI for research purposes, so long as the research and any uses and disclosures related to such research are approved by appropriate review boards and no identifying information about you is disclosed in any reports arising from or published in connection with the research.
Coroners, Medical Examiners, Funeral Directors, and Organ and Tissue Donation: DECH may disclose PHI regarding deaths to coroners, medical examiners, funeral directors and organ donation agencies.
Special Government Functions: DECH may disclose your PHI for the following specialized government functions when such disclosures are authorized or required by applicable law:
Armed Forces and Foreign Military Personnel: DECH may disclose the PHI of persons who are members of the Armed Forces and of foreign military personnel for activities deemed necessary by appropriate military command authorities to assure the proper execution of a military mission.
National Security and Intelligence Activities: DECH may disclose your PHI to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act and related Executive Orders.
Protective Services for the President and Others: DECH may disclose your PHI to authorized federal officials for the provision of protective services to the President or other persons, or for the conduct of investigations, authorized under applicable federal law.
Correctional Institutions and Law Enforcement Custodians: DECH may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual, PHI about the inmate or other person when necessary (i) to provide health care to the inmate or person in custody, (ii) for the health and safety of the inmate or person in custody, (iii) for the health and safety of correctional personnel, (iv) for the health and safety of persons responsible for transporting the inmate or person in custody, (v) for law enforcement on correctional facility premises, and (vi) for administering and maintaining the safety, security and good order of the correctional institution.
Worker’s Compensation: DECH may disclose your PHI for worker’s compensation or similar programs providing benefits for work-related injuries or illness.
Business Associates: DECH may disclose your PHI to business associate contractors performing services for or on behalf of DECH when such contractors have agreed in writing to appropriately protect your PHI.
Uses and Disclosures of Protected Health Information Requiring Your Authorization
HealthInfoNet: DECH participates in a state-designated, state-wide electronic health information exchange called HealthInfoNet. HealthInfoNet allows participating Maine hospitals, physicians, and other healthcare providers to share with each other on an as-needed basis certain limited PHI about you for treatment and coordination of care purposes. For example, if you are involved in a car accident and are being treated at a non-DECH facility that also participates in HealthInfoNet, your treating healthcare providers will have electronic access to certain PHI in your DECH medical records to better enable them to treat you in a medical emergency. PHI stored on HealthInfoNet’s network may also be disclosed to governmental entities for certain required public health reporting purposes. Participating healthcare providers may only access your PHI if they are involved in your care, need the information in order to provide you with medical care or healthcare services, and have an authorized computer ID and password. HealthInfoNet’s computer system will track all persons who electronically access your PHI, and you can request an accounting of all such persons from HealthInfoNet. The PHI that will be accessible to other participating HealthInfoNet providers includes: (i) patient registration information such as your name, address, gender, date of birth and telephone number, (ii) a list of known allergies, (iii) a list of your prescription medications, (iv) laboratory test results, (v) x-ray and other diagnostic test results, and (vi) a brief description of your health conditions and medical diagnoses.
However, the following types of especially sensitive healthcare information will not be made accessible to other participating HealthInfoNet providers: (i) substance abuse information maintained by substance abuse treatment programs, (ii) mental health information maintained by licensed mental health facilities or mental health professionals, (iii) HIV information, and (iv) genetic test results. Mental health and substance abuse information derived from services you receive from primary care, general practice, and emergency care providers (i.e. providers other than substance abuse programs and licensed mental health facilities and providers) will be accessible to participating HealthInfoNet providers.
If You Do Not Want to Participate: If you do not want your PHI information accessible to other participating HealthInfoNet providers, you may opt out of participating by contacting HealthInfoNet (www.hinfonet.org) and completing an Opt Out form. If you opt out, HealthInfoNet will delete your PHI from its network except for certain demographic information necessary to ensure that no further information about you is disclosed to HealthInfoNet or made accessible to other participating providers. However, there are risks associated with a decision not to participate. If you choose to opt out, your treating healthcare providers may not have access to the most current and complete information about you when they need it to treat you or to coordinate your care in an urgent situation. Choosing to opt out could also affect the efficiency of the healthcare services you receive due to the time it takes to get paper copies of your medical records to your treating healthcare providers. If you choose not to participate at this time, you can always elect to participate at a later time. However, if you choose to participate at a later time, the only healthcare information that will be made accessible to participating HealthInfoNet providers will be PHI created after the time you choose to participate.
Risks of Participating: If you choose not to opt out, it is possible that HealthInfoNet personnel and participating HealthInfoNet providers could infer that you are a recipient of mental health, substance abuse, or HIV services, or that you are pregnant or have been diagnosed with a sexually transmitted disease, based on the information available to them through HealthInfoNet such as the types of medications you are taking. Other risks of participating in HealthInfoNet include the possibility that an unauthorized person might access the information disclosed to HealthInfoNet, or that inaccurate information about you might be accidentally disclosed to HealthInfoNet, which could result in misdiagnoses or medication errors on the part of the treating healthcare providers who access and rely upon the information disclosed to HealthInfoNet.
For other types of uses and disclosures not described in this Notice, DECH will obtain your written authorization before using or disclosing your PHI. For example, the following uses and disclosures require DECH to obtain your written authorization:
Marketing: DECH will obtain your written authorization for any use or disclosure of your PHI to sell or market products or services, except in limited circumstances (for example, in face-to-face marketing communications with you).
Sale of PHI: DECH will obtain your written authorization for any disclosure of your PHI that involves a sale of your PHI, unless an exception applies under applicable law.
Photographs and Videorecordings: DECH will not photograph or videorecord you, or use or disclose any photographs and videorecordings of you, for non-treatment related purposes, for marketing or public relations purposes, without your written authorization, unless the creation, use or disclosure of such photographs or videorecordings are authorized by law (e.g., for DECH facility security surveillance purposes).
Right to Revoke Authorization: You may revoke an authorization to disclose your PHI at any time, to the extent that DECH or others have not already relied upon your authorization, by giving written notice of your revocation to DECH’s Privacy Officer.
Special Protections for Certain Types of Protected Health Information
Confidentiality of Mental Health Information: If DECH maintains information about you derived from mental health services provided to you by a DECH psychiatrist, psychologist, clinical nurse specialist, social worker or counseling professional, DECH will not disclose such mental health information to another health practitioner or facility outside of DECH or its organizational affiliates for a diagnostic, treatment or continuity of care purpose, without your written authorization, unless such disclosure is necessary in an emergency or is otherwise authorized or required by law. If a DECH licensed mental health facility, program or agency maintains mental health information about you, DECH will not use or disclose such mental health facility PHI about you except as authorized or required by applicable mental health confidentiality laws and regulations.
Confidentiality of HIV Information: If DECH maintains any information regarding your HIV status (such as HIV test results or medical records containing HIV information), such information is afforded heightened protection under Maine law and DECH will maintain the confidentiality and privacy of such information, and will not use or disclose such information, except as specifically authorized or required by Maine’s HIV confidentiality laws.
Confidentiality of Substance Use Disorder Program Records and Information: If DECH maintains, or receives from another provider or facility, any substance use disorder program records or information about you that is subject to protection under 42 C.F.R. Part 2, DECH will maintain the privacy, confidentiality and security of such records/information in accordance with the requirements of 42 C.F.R. Part 2. DECH will not use or disclose such records/information, except as authorized by 42 C.F.R. Part 2. If DECH creates, acquires or maintains any substance use disorder information about you that is not subject to protection under 42 C.F.R. Part 2, DECH will protect the privacy, confidentiality and security of such information, and use and disclose such information, in the same manner as DECH protects, uses and discloses your other PHI.
Your Rights Regarding Protected Health Information
Right to Access, Inspect and Copy: You have the right to inspect at reasonable times and obtain a copy of your clinical records and billing records within 30 days of receipt of your written request. If we need extra time, we may extend the time once for an additional 30 days and we will provide you written notice of the extension. You have the right to receive your health information in the form and format of your choosing, if such information can be readily produced in such form and format, or in a readable hardcopy form, or in another format agreed to between you and DECH. You may be charged reasonable costs (including labor and supplies) associated with providing copies of your records, or of preparing any summaries that you request. In certain limited circumstances, you may be denied access to your health information and records. However, you may request that a decision denying you access to your PHI and records be reviewed. Please contact DECH’s Privacy Officer if you have questions about your right to access your PHI.
Right to an Electronic Copy of Electronic Medical Records: If your PHI is maintained in an electronic format, you have the right to request an electronic copy of your record in the form or format you request. If we are unable to accommodate such a request, we will provide the information in our standard electronic format or readable hard copy. The request for electronic copies must be submitted in writing and subject to a reasonable fee.
Right to Revoke Authorization: You may revoke an authorization for use or disclosure of your PHI to the extent that we have not already taken action based on the original authorization. Any request for revocation must be done in writing.
Right to Amend, Correct or Clarify: You may request amendments, corrections and clarifications to PHI contained in your medical records. Your request must be in writing and you must provide a reason supporting your request. If you are requesting a change to the PHI in your treatment record, we will place your requested amendment, correction or clarification in your record. DECH may add a response to your record, and will provide to you a copy of our response. If you are requesting a change in other records (that are neither medical nor billing records), DECH may deny your request. If your request is denied, we will notify you in writing and provide our reasons for the denial. You have the right to file a statement of disagreement with DECH’s Privacy Officer and DECH may prepare a response to your statement. DECH will provide you with a copy of our response. Please contact DECH’s Privacy Officer if you have any questions about modifying your PHI.
Right to an Accounting of Disclosures: You have the right to request an accounting of certain disclosures of your PHI made by DECH in the six years prior to the date of your request. The accounting will not include disclosures made directly to you, disclosures made to others pursuant to your written authorization, disclosures made to carry out treatment, payment, and health care operations for which your written authorization was not required, incidental uses and disclosures, and uses and disclosures for which an accounting is not required by law. However, you have the right to request an accounting of disclosures made for purposes of treatment, payment, or health care operations through an electronic health record during the three years prior to your request. To request an accounting of disclosures, you must submit the request in writing to DECH’s Privacy Officer.
If you authorize the disclosure of substance use disorder information subject to protection under 42 C.F.R. Part 2 to a general class of recipients who are health care providers with a treatment relationship with you, you have the right, upon request, to receive within 30 days a list of entities to whom your substance use disorder information has been disclosed pursuant to your general authorization within the last two years.
Right to Request Restriction: You have the right to request restrictions or limitations on our use and disclosure of your PHI for treatment, payment or health care operations. If you request that DECH not disclose your PHI to a third-party payor health plan for purposes of carrying out payment or health care operations, and you have paid DECH in full out of pocket for services provided to you, DECH is required to honor your requested restriction. Otherwise, DECH is not required to agree to your request. If we do agree, we will comply with your request unless the information is needed to provide you with emergency treatment. This request must be in writing and should include: (1) what information you wish to limit, (2) whether you want to limit our use, disclosure or both, and (3) to whom you want the limits to apply. Disclosures of PHI authorized by you or permitted or required by law as described in this Notice, may include disclosures of PHI DECH has received from other health care providers and facilities, unless you request and DECH agrees to a requested restriction.
Right to Request Confidential Communications: You have the right to ask that we communicate with you about medical matters in a certain way or at a certain location. For example, you may wish us to contact you by mail only. To request confidential communications, you must make your request in writing.
Important Notice to Minors Regarding Minor’s Privacy Rights: If you are a minor authorized by law to consent to health care services on your own behalf and you in fact consent to such services on your own behalf, DECH is required to protect the privacy of your PHI with respect to health care services you have consented to on your own behalf in the same way that DECH protects the privacy of an adult’s PHI, unless a special exception applies under the law. For example, DECH is authorized by law to notify your parent or guardian if, in the judgment of your DECH provider, failure to inform your parent or guardian would seriously jeopardize your health or would seriously limit the ability of your DECH provider to provide treatment to you. Additionally, if you want DECH to bill your parent’s insurance for services provided to you, your parents will receive from their insurance company an Explanation of Benefits regarding the services provided to you by DECH and, as a result, the fact that you received services from DECH will not be confidential from your parents. However, if you do not want your parents to know that you are receiving services from DECH, you must notify DECH of that fact at the time services are provided to you so that arrangements can be made for payment of such services privately or out-of-pocket, or to determine your eligibility for free or discounted care.
Right to a Paper Copy of this Notice: You have the right to a paper copy of this notice. You may ask that we give you a copy of this notice at any time. You may also obtain a copy of this notice at our web site: www.dech.org
All correspondence should be addressed to:
Health Information Director
Down East Community Hospital
11 Hospital Drive
Machias, Maine 04654
Changes to This Notice
We reserve the right to change this notice. We reserve the right to make the revised or changed notice effective for medical information we already have about you as well as any information we receive in the future. We will post a copy of the current notice in the hospital, physician offices and on our website. In addition, each time you register at or are admitted to the hospital we will offer you a copy of the current notice in effect.
Concerns or Complaints
Please contact us about any problems or concerns you have with your privacy rights or how the Hospital uses or discloses your medical information.
You may contact the Privacy Officer of Down East Community Hospital at 255-3356
You may use Down East Community Hospital’s Compliance hotline: 1-800-273-8452
You will not be penalized for filing a complaint.
If you have any questions about this Notice, please call the Health Information Department at: (207) 255-0272 or the Privacy Officer at: (207) 255-3356
You may file a complaint directly with the hospital or with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting www.hhs.gov/ocr/privacy/hipaa/complaints.