Notice of Privacy Practices
Information about your stay is private, and is protected by state and federal laws. We work hard to respect your privacy, while at the same time complying with the laws that apply to us. In most cases, it's up to you whether we give out your information.
Community Health Network, Inc. Notice of Privacy Practices
This notice of privacy practices ("Notice") describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
This Notice describes privacy practices of Community Health Network, Inc., Community Hospital North, Community Hospital East, Community Hospital South, Community Heart and Vascular Hospital (a facility of Community Hospital East), Community Howard Regional Health, Community Hospital Anderson, Fairbanks Hospital, Community Physician Network, Community Home Health, Community Surgery Center North, Community Surgery Center East, Community Surgery Center South, Community Surgery Center Hamilton, Community Surgery Center Howard, Community Surgery Center Northwest, Community Surgery Center Plus, Community Endoscopy Center Indianapolis, Community Digestive Center Anderson, and their affiliates, including: any medical staff members, employees, volunteers, and health care professionals authorized to enter information into your health/medical records (hereinafter referred to as "Community Health Network" or the "Network").
Our Duty to Safeguard Your Protected Health Information
Individually identifiable information about your past, present, or future health or condition, the provision of health care to you, or payment for your health care is considered Protected Health Information (“PHI”). We understand medical information about you and your health is personal and we are committed to protecting medical information about you. We are required by law to make sure your PHI is kept private and to give you this Notice about our legal duties and privacy practices. This Notice explains how, when and why we may use or disclose your PHI. In general, we must access, use or disclose only the minimum necessary PHI to accomplish the purpose of the access, use or disclosure. We use your health information (and allow others to have it) only as permitted by federal and state laws.
We must follow the privacy practices described in this Notice, though we reserve the right to change the terms of this Notice at any time. We reserve the right to make new Notice provisions effective for all PHI we currently maintain or receive in the future. If we change this Notice, we will post a new Notice in patient registration and/or patient waiting areas and post it on our website at www.eCommunity.com. Copies of the Notice currently in effect are available at the registration areas for the providers listed above.
How We May Use and Disclose Your Protected Health Information
We access, use and disclose PHI for a variety of reasons. The following section offers more descriptions and examples of our potential access/uses/disclosures of your PHI. Other uses/disclosures not described in this Notice will be made only with your authorization.
Uses and Disclosures Relating to Treatment, Payment, or Health Care Operations: Since we are an integrated system, we may share your PHI with designated caregivers within the Network and others outside our facilities, for treatment, payment or operations purposes. Generally, we may use or disclose your PHI:
- For treatment: Your PHI may be used or disclosed by the Network, our caregivers and others outside our facilities who are involved in your care and treatment for the purpose of providing or coordinating healthcare to you. For example, your PHI will be shared among members of your treatment team, referring providers, post-acute care facilities, pharmacies, etc. If you are an inpatient, your name may be posted outside the door of your room.
The Network participates in certain Health Information Exchanges or Organizations ("HIEs" or "HIOs"). Specifically, the Network participates in the Indiana Health Information Exchange ("IHIE") and Indiana Network for Patient Care ("INPC"), which help make your PHI available to other healthcare providers who may need access to it in order to provide care or treatment to you.
- To obtain payment: We may use or disclose your PHI in order to bill and collect payment for your health care services. For example, we may release portions of your PHI to Medicare/Medicaid, a private insurer or group health plan to get paid for services that we delivered to you. We may release your PHI to the state Medicaid agency to determine your eligibility for publicly funded services.
- For health care operations: We may use or disclose your PHI in the course of our operations. For example, we may use your PHI or your answers to a patient satisfaction survey in evaluating the quality of services provided by our caregivers or disclose your PHI to our auditors or attorneys for audit or legal purposes. We may also share PHI with health care provider licensing bodies like the Indiana State Department of Health. Further, we may allow other providers to use your PHI for some of their health care operations purposes, when you are also a patient of that provider. For example, we may share PHI with other providers for quality purposes.
We may use your PHI to tell you about appointments and other matters related to your care. We may contact you by mail, telephone or via MyChart, our patient portal. We may use the telephone number you provided to leave voice messages or send text messages.
- Fundraising: We or our Foundations may contact you to raise money for the Network and its operations, unless you tell us not to contact you for this purpose. You have the right to opt out of receiving fundraising communications from us and we will tell you how to opt out in every fundraising communication.
Uses and Disclosures Requiring Authorization: For other uses and disclosures not described in this Notice, we are required to have your written authorization, unless the use or disclosure falls within one of the exceptions described below. You may revoke an authorization by notifying us in writing. If you revoke your authorization, we will stop using or disclosing your PHI for the purposes covered by your written authorization as of the date we receive your revocation. Your revocation will not apply to information already released. We cannot refuse to treat you if you do not sign an authorization to release PHI, unless (a) services provided are solely to create health records for a third party, like physical exam and drug testing for an employer or insurance company; or (b) the treatment provided is research-related and authorization is required for the use of health information for research purposes. We will not sell or use your PHI for marketing purposes without your authorization. We will not disclose any psychotherapy notes (as defined by the Health Insurance Portability & Accountability Act (HIPAA)) without your authorization.
You may revoke an authorization to use or disclose your PHI by submitting your request in writing except: (1) to the extent action has been taken in reliance on the authorization; or (2) if the authorization was obtained as a condition of obtaining insurance coverage and the insurer is questioning a claim under the policy. Your written revocation must include the date of the authorization, the name of the person or organization authorized to receive the PHI, your signature and the date you signed the revocation. Written revocation must be addressed to: Health Information Management, Release of Information, 1500 N. Ritter Avenue, Indianapolis, IN 46219. Such revocation will not be effective until received by the Network.
Uses and Disclosures Not Requiring Authorization: The law allows us to use or disclose your PHI without your authorization in certain situations, including but not limited to:
- When required by law: We may disclose PHI when a law requires or allows us to do so. For example, we may report information about suspected abuse and/or neglect, relating to suspected criminal activity, for FDA-regulated products or activities, or in response to a court order. We must also disclose PHI to authorities monitoring compliance with these privacy requirements.
- For public health activities: We may disclose PHI when we are required or allowed to collect information about disease or injury or to report vital statistics to the public health authority, such as reports of tuberculosis cases or births and deaths.
- For health oversight activities: We may disclose PHI to the Indiana State Department of Health or other agencies responsible for monitoring the Network for such purposes as reporting or investigation of unusual incidents.
- To be a business associate: Certain services are provided to us through contracts with third party entities known as “business associates” that require access to your health information in order to provide such services. Examples include transcription agencies, copying services and cloud service providers. We require these business associates to agree to protect your health information in compliance with all laws.
- Relating to decedents: We may disclose PHI relating to an individual's death to coroners, medical examiners, funeral directors, and organ procurement organizations.
- For research purposes: In certain circumstances, and under supervision of an Institutional Review Board, we may disclose PHI in order to assist medical research, such as comparing the health and recovery of all patients who received one medicine to those who received another.
- To avert a threat to health or safety: In order to avoid a serious and imminent threat to the health or safety of an individual or the public, we may disclose PHI as necessary to law enforcement or other persons who can reasonably prevent or lessen the threat of harm.
- Law enforcement: We may disclose PHI to a law enforcement official in circumstances such as: in response to a court order; to identify a suspect, witness or missing person; about crime victims; about a death that we may suspect is the result of a crime; or a crime that takes place at our facility.
- For specific government functions: We may disclose PHI of military personnel and veterans in certain situations; to correctional facilities in certain situations; and for national security and intelligence reasons, such as protection of the President.
- Workers’ compensation: We may disclose your PHI to your employer or your employer’s insurance carrier for workers’ compensation or similar programs that provide benefits for work-related illness or injuries.
- Inmates: If you are an inmate of a correctional institution or under the custody of a law enforcement official, the Network may release your PHI in order for them to provide you with health care, to protect your health and safety or the health and safety of others, or to ensure the safety and security of the correctional institution.
- De-identified PHI: We may de-identify your health information as permitted by law. We may use or disclose to others the de-identified information for any purpose, without your further authorization or consent, including but not limited to research studies, development of artificial intelligence tools, and health care/health operations improvement activities.
Uses and Disclosures Requiring You to Have an Opportunity to Object: In the following situations, we may use or disclose your PHI if we tell you about the use or disclosure in advance and you have the opportunity to agree to, prohibit, or restrict the use or disclosure, and you do not object. However, if there is an emergency situation and you cannot be given the opportunity to agree or object, we may use or disclose your PHI if it is consistent with any prior expressed wishes and the use or disclosure is determined to be in your best interests - provided that you must be informed and given an opportunity to object to further uses or disclosures for patient directory purposes as soon as you are able to do so.
- Patient directories: If you are hospitalized, your name, location, general condition, and religious affiliation may be put into our patient directory for use by clergy or by callers or visitors who ask for you by name. If you ask to be a “No Information” patient, volunteers, caregivers and telephone operators will not tell anyone you are in the facility and flowers, mail, phone calls and visitors will be turned away and not accepted if your room number is not provided.
- To families, friends or others involved in your care: We may share with your family, your friends or others involved in your care information directly related to their involvement in your care or payment for your care. We may also share PHI with these people to notify them about your location, general condition, or your death.
- Disaster relief: In the event of a disaster, we may release your PHI to a public or private relief agency, for purposes of notifying your family and friends of your location, condition or death.
Safeguards: We are required to have appropriate safeguards in place to protect the privacy of your PHI to limit incidental uses or disclosures. Oral communication often must occur freely and quickly in treatment settings as in physician offices, nurses’ stations or emergency rooms. Overheard communications in these settings may be unavoidable and are considered incidental disclosures. Incidental disclosures are permitted when reasonable safeguards are in place.
Your Rights Regarding Your Protected Health Information
You have the following rights relating to your PHI:
- To request restrictions on uses and disclosures: You have the right to ask that we limit how we use or disclose your PHI. You must make your request in writing. If you have paid in full for a service and have requested we not share PHI related to that service with a health plan, we must agree to that request. For any other request to limit how we use or disclose your PHI, we will consider your request, but are not required to agree to the restriction. To the extent we agree to any restrictions, we will put the agreement in writing and abide by it except in emergency situations. If agreed upon, these restrictions will only apply to the Network affiliates listed in the beginning of this Notice. You understand restrictions will not apply to disclosures already made. We cannot agree to limit uses or disclosures required by law.
- To request confidential communication: You have the right to ask that we send you information at an alternative address or by an alternative means, such as contacting you only at work. You must make your request in writing. We must agree to your request as long as it is reasonably easy for us to do so.
- To inspect and copy your PHI: You have the right to inspect and obtain an electronic or paper copy of your PHI. You put your request in writing. If you want copies of your PHI, a reasonable, cost-based charge for copying may be imposed. If you request an electronic copy of your PHI that we maintain electronically, we will provide an electronic copy, and will do so in the electronic form or format you requested if the PHI is readily producible in that form or format. You have a right to choose what portions of your information you want copied and to have information on the cost of copying in advance. We will respond to your request within 30 days. In limited circumstances, we may deny your request. If we deny your access, we will give you written reasons for the denial and explain any right to have the denial reviewed.
- To request amendment of your PHI: If you believe there is a mistake or missing information in your health record, you may request, in writing, that we correct or add to the record. Written requests must include a reason supporting your request and identify who needs to be informed of any changes. We will respond within sixty (60) days of receiving your request. We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. We may also deny your request if we determine the PHI is: (1) correct and complete; (2) not created by us or not part of our records; or (3) not permitted to be disclosed. Any denial will state the reasons for denial and explain your rights to have the request and denial reviewed. This information along with any written response you provide, will be added to your medical record. If we approve the request for amendment, we will inform you of the approval, change the PHI, and tell others who need to know about the change.
- To find out what disclosures have been made: You have a right to get a list of when, to whom, for what purpose, and what content of your PHI has been released, except as listed below - this is called an accounting of disclosures. The list will not include any disclosures made: (a) more than six (6) years ago; (b) for treatment, payment or health care operations purposes; (c) that you authorized; (d) for national security purposes; (e) through a facility directory; or (f) to certain law enforcement officials or correctional facilities. Your request must be in writing. We will respond to your written request for such a list within sixty (60) days of receiving it. There will be no charge for the first list requested each year. There may be a charge for subsequent requests.
- Right to receive notice of breach: We are required by law to maintain the privacy of your medical information, to provide you with notice of our legal duties and privacy practices with respect to your medical information and notify you following a breach of your unsecured medical information. We will give you written notice in the event we learn of any unauthorized use of your medical information that has not otherwise been properly secured as required by HIPAA. We will notify you without unreasonable delay but no later than sixty (60) days after the breach has been discovered.
- To receive a paper copy of this Notice: You have a right to receive a paper copy of this Notice and/or an electronic copy by e-mail upon request. To obtain a copy of this Notice, contact us at 317-621-7324 or at privacy@eCommunity.com.
Questions or Complaints About Our Privacy Practices
If you have questions about this Notice, think we may have violated your privacy rights or disagree with a decision we made about access to your PHI, you may contact the VP Compliance, 317-621-7324 or at privacy@eCommunity.com. You may also submit an anonymous complaint by calling 1-800-638-5071. You may file a written complaint with the Secretary of the U.S. Department of Health and Human Services. You will not be penalized if you file a complaint.