Notice of Privacy Practices
Effective date: 04/14/2003
Revised date: 09/23/2013
This notice describes how medical information about you may be used and disclosed and how you can get access to this medical information.
Please review it carefully.
For more information about Norton Healthcare’s privacy policies, contact Norton Healthcare Health Information Management Department at (502) 629-8527 or call the Norton Healthcare Privacy Hotline at (502) 629-8051 or (866) 264-4567.
Who will follow this notice
This notice describes Norton Healthcare’s practices and those of:
- Any health care professional authorized to enter information into a patient’s chart.
- All departments and units within Norton Healthcare facilities.
- Any member of a volunteer group that Norton Healthcare allows to help patients while they are in a Norton Healthcare facility.
- All employees, staff and other facility personnel and participating members of the medical staffs.
- Kosair Children’s Hospital, Kosair Children’s Medical Center – Brownsboro, Norton Audubon Hospital, Norton Brownsboro Hospital, Norton Hospital, Norton Suburban Hospital (future home of Norton Women’s and Kosair Children’s Hospital), Norton physician practices and any other owned or managed entities of Norton Healthcare.
All of these entities, sites and locations follow the terms of this notice. In addition, these entities, sites and locations may share with each other medical information related to patient treatment, payment or hospital operations described in this notice and as otherwise permitted by law.
Norton Healthcare's pledge regarding health information privacy
We understand that medical information about the health of our patients is personal. We are committed to protecting patients’ personal medical information. We create a record of the care and services you receive at Norton Healthcare facilities. We need this record to provide you with quality care and to comply with certain legal requirements.
This notice applies to patient care records generated by Norton Healthcare hospitals and facilities, whether made by facility personnel or by a patient’s physician. A patient’s doctor may have different policies or notices about the use and disclosure of medical information created in the doctor’s office or clinic.
This notice explains ways in which Norton Healthcare may use and disclose medical information about its patients. It also describes patients’ rights and certain obligations Norton Healthcare has regarding the use and disclosure of medical information.
Norton Healthcare is required by law to:
- Make sure medical information that identifies patients is kept private.
- Give patients this notice of our legal duties and privacy practices with respect to patients’ medical information.
- Obtain an acknowledgment from each patient regarding receipt of this notice.
- Follow the terms of the notice that are currently in effect.
How Norton Healthcare may use and disclose patients' medical information
The following categories describe different ways Norton Healthcare uses and discloses medical information. For each category of uses or disclosures, there is an explanation and examples. Not every use or disclosure in a category will be listed. However, all of the ways Norton Healthcare is permitted to use and disclose information will fall within one of these categories:
For treatment. Norton Healthcare may use medical information about patients to provide medical treatment or services. We may disclose medical information about patients to doctors, nurses, technicians, medical or health care professions students, or other facility personnel who are involved in care at a Norton Healthcare hospital or facility. For example, a doctor treating a patient for a broken leg may need to know if the patient has diabetes because diabetes may slow the healing process. In addition, the doctor may need to tell the dietitian if a patient has diabetes so that appropriate meals can be arranged. Different departments of the hospital also may share medical information about patients in order to coordinate the different things patients need, such as prescriptions, lab work and X-rays. We also may disclose medical information about patients to people outside the hospital or to other facilities who may be involved in a patient’s medical care after discharge, such as family members, clergy or others who will be providing continuing care.
For payment. Norton Healthcare may use and disclose medical information about patients so that the treatment and services rendered may be billed to and payment may be collected from patients, an insurance company, or a third party. For example, we may need to provide health plan information about the surgery received at the hospital so a patient’s health plan will pay the hospital or reimburse the patient for the surgery. We may also tell a patient’s health plan about a treatment he or she is going to receive to obtain prior approval or to determine whether the patient’s plan will cover the treatment.
Please note, we will comply with your request not to disclose your health information to your insurance company if the information relates solely to a health care item or service for which you have paid out of pocket and in full to us. This restriction does not apply to the use or disclosure of your health information for your medical treatment.
For health care operations. Norton Healthcare may use and disclose medical information about patients for health care operations. These uses and disclosures are necessary to run our facilities and make sure that all of our patients receive quality care. For example, we may use medical information to review our treatment and services and to evaluate the performance of our staff in caring for patients. We also may combine medical information about many hospital patients to decide what additional services the hospital should offer, what services are not needed and whether certain treatments are effective. We may disclose information to doctors, nurses, technicians, medical students and other hospital personnel for review and learning purposes.
Appointment reminders. Norton Healthcare may use and disclose medical information to remind patients of appointments for treatment or medical care at a Norton Healthcare hospital or facility.
Treatment alternatives. Norton Healthcare may use and disclose medical information to tell patients about or recommend possible treatment options or alternatives that may be of interest.
Health related benefits and services. Norton Healthcare may use and disclose medical information to tell patients about our own healthcare-related products and services that may be of interest so long as certain conditions set by law are satisfied. These communications may include information to help patients manage and improve their health, schedules of upcoming classes and health screenings, and Norton Healthcare’s magazine “Get Healthy”, among others. If patients do not want to receive this type of information, they can write to Norton Healthcare, Marketing & Communications, 224 E Broadway, Third Floor, Mailbox 55-4, Louisville, KY 40202.
Fundraising activities. Norton Healthcare may use medical information to contact patients in an effort to support Norton Healthcare facilities and programs through one of our two foundations. We may disclose medical information to a business associate or to the foundation related to Norton Healthcare so that the business associate or foundation may contact patients in raising money for Norton Healthcare. We will only use the following information without your permission: your contact information, such as a name, address, phone number, dates of treatment or services, the general department in which you were treated, the name of your treating physician and, if you had a less than optimal outcome, that information as well. Note, Norton Healthcare does not require that you participate in receiving fundraising communications in order to receive treatment. Persons who do not want to be contacted for fundraising efforts must notify the Foundations Office in writing at: 234 E Grey St, Suite 450, Louisville, KY 40202.
Hospital directory. Norton Healthcare may include certain limited information about patients in a directory while they are patients in the hospital. This information may include name, location in the hospital and general condition (e.g. fair, stable, etc.). The directory information, except for religious affiliation, may be released to people who ask for patients by name. A patient’s religious affiliation may be provided to a member of the clergy, such as a priest or rabbi, even if they don’t ask for a patient by name. The release of information is so a patient’s family, friends, and clergy can visit the patient in the hospital and generally know how he or she is doing.
Individuals involved in care or payment for care. Norton Healthcare may release medical information about patients to a friend or family member who is involved in the patient’s medical care and provide information to someone who helps pay for the patient’s care. We may use or disclose a patient’s medical information to notify or assist in the notification of a patient’s family or other persons responsible for patient care about the patient’s location, general condition or death. In addition, we may disclose medical information about a patient to an entity assisting in disaster relief efforts so the patient’s family can be notified about the patient’s condition, status, and location.
Research. Medical research is vital to the advancement of medical science. Federal regulations permit use of patient medical information in research, either with patient authorization or when the research study is reviewed and approved by an Institutional Review Board before any medical research study begins. In some situations, limited information may be used before approval of the research study to allow a researcher to determine whether enough patients exist to make a study scientifically valid. Institutional Review Boards follow a special review process to protect patient safety, welfare, and confidentiality. Norton Healthcare will use and disclose medical information about patients for research purposes only as permitted by federal and state law.
As required by law. Norton Healthcare will disclose medical information about patients when required to do so by federal, state, or local law.
To avoid a serious threat to health or safety. Norton Healthcare may use and disclose medical information about patients when required by law to prevent a serious and imminent threat to a patient’s health and safety or the health and safety of another person. Any disclosure, however, would only be to the potential victim or to the police department closest to the patient’s and the victim’s residences or other persons, as required by state law.
Business associates. Norton Healthcare may contract with other entities, called business associates, for the provision of certain services that require the business associates to use and disclose medical information to perform a service on behalf of Norton Healthcare. Examples of business associates of Norton Healthcare include services that copy medical records, medical transcription providers and companies that assist with patient billing and collection activities. Norton Healthcare enters into “business associate agreements” with these types of entities. These agreements, as well as federal law, require business associates to protect patient medical information.
Participation in health information exchanges. We may participate in one or more health information exchanges (HIEs) and may electronically share your health information for treatment, payment, and permitted health care operations purposes with other participants in the HIE. You will be provided the opportunity to “opt-out” of HIE participation. HIEs allow your health care providers to efficiently access and use your pertinent medical information necessary for treatment and other lawful purposes. We will not share your information with an HIE unless we have entered into a business associate agreement with the HIE to protect the confidentiality of your information.
Organ and tissue donation. If a patient is an organ donor, Norton Healthcare may release medical information to organizations that handle organ procurement or organ, eye, or tissue transplantation or to an organ donation bank, as necessary to facilitate organ or tissue donation and transplantation.
Military. If a patient is a member of the armed forces, Norton Healthcare may release medical information about the patient as required by military command authorities. We may also release medical information about foreign military personnel to the appropriate foreign military authority.
Workers’ Compensation. Norton Healthcare may release medical information about patients for workers’ compensation or similar programs that provide benefits for work-related injuries or illness.
Public health risk. Norton Healthcare may disclose medical information about patients for public health activities. Generally, these activities include the following reports:
- To prevent or control disease, injury, or disability.
- Of births and deaths.
- Of suspected child abuse.
- Of reactions to medications or problems with medical devices.
- To notify people of recalls of products they may be using.
- To notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition.
- To notify the appropriate government authority if Norton Healthcare believes a patient has been the victim of abuse or neglect, as required by law.
- With your verbal permission, to notify the school(s) attended by your child(ren) concerning immunization records.
Health oversight activities. Norton Healthcare may disclose patients’ medical information to a health oversight agency for activities authorized by law. These oversight activities include, for example: audits, investigations, inspections, licensure, disciplinary actions, and legal proceedings or actions. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.
Highly confidential information. Federal and state law require special privacy protections for certain highly confidential information about you (“highly confidential information”), including the subset of your protected health information that is maintained in psychotherapy notes or is about your: (1) mental health and/or developmental disabilities services; (2) alcohol and drug abuse prevention, diagnosis, treatment or referral; (3) HIV/AIDS testing, diagnosis or treatment; (4) communicable disease(s); (5) genetic testing; (6) child abuse and neglect; (7) domestic or elder abuse; and/or (8) sexual assault. In order for your highly confidential information to be disclosed for a purpose other than those permitted by law, Norton Healthcare will require your written authorization.
Lawsuits and disputes. Norton Healthcare may disclose medical information about the patient in response to a court order or administrative order. We also may disclose medical information about patients in response to a subpoena, discovery request or other lawful process.
Law enforcement. If asked to do so by law enforcement, and to the extent permitted or required by law, we may release medical information for the following reasons.
- In response to a court order, subpoena, warrant, summons, or similar process.
- To identify or locate a suspect, fugitive, material witness, or missing person.
- About a suspected victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement.
- About a death suspected to be the result of criminal conduct.
- About criminal conduct at any Norton Healthcare hospital or facility.
- In emergency circumstances to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime.
- In an investigation of a patient’s unlawful attempt to obtain a controlled substance at a Norton Healthcare hospital or facility.
Coroners, medical examiners and funeral directors. Norton Healthcare may release patients’ medical information to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We also may release medical information about patients to funeral home directors as necessary to carry out their duties.
National security and intelligence activities. Norton Healthcare may release medical information about patients to authorized federal officials for intelligence, counterintelligence and other national security activities authorized by law.
Protective services for the president and others. Norton Healthcare may disclose medical information about patients to authorized federal officials so they may provide protection to the president, other authorized persons or foreign heads of state or to conduct special investigations.
Inmates. If a person is an inmate of a correctional institution, Norton Healthcare may release medical information about the patient to the correctional institution or to a law enforcement official who has custody. This release would be necessary: (1) for the institution to provide the patient with health care; (2) to protect the patient’s health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution.
Patient rights regarding their personal medical information
Patients have the following rights regarding medical information Norton Healthcare maintains about them:
Marketing activities. We may, without obtaining your authorization and so long as we do not receive payments from a third party for doing so: (1) provide you with marketing materials in a face-to-face encounter, (2) give you a promotional gift of nominal value, and/or (3) tell you about our own health care products and services. We will ask for your permission to use your health information for any other marketing activities.
Right to inspect and copy. Patients have the right to inspect and copy medical information that may be used to make decisions about their care. Usually, this includes medical and billing records but does not include psychotherapy notes.
To inspect and copy medical information while an inpatient in a Norton Healthcare hospital, patients may provide a written request to their nurse. Once they have left the facility, they must submit their request in writing to the Norton Healthcare Health Information Management Department at P.O. Box 35070, Louisville, KY 40232-5070 or to the office manager of the practice or other facilities. For billing records, contact the Norton Healthcare Health Information Management Department at the address above. The first copy of medical records is free; if a patient requests additional copies, a fee may be charged for the costs of copying, mailing or other supplies associated with the request. If the facility uses or maintains an electronic health record with respect to your medical information, you have the right to obtain an electronic copy of the information if you so choose. The facility may charge a fee equal to its labor cost in providing the electronic copy (for example, your cost may include the cost of a flash drive, if that is how you request a copy of your information be produced). If you request an electronic copy of your information, we will provide the information in the format requested if it is feasible to do so.
A patient’s request to inspect and copy personal information may be denied in certain circumstances. If access to medical information is denied, a person may request that the denial be reviewed. Another licensed health care professional chosen by the facility will review the request and the denial. The person conducting the review will not be the person who denied the request. Norton Healthcare will comply with the outcome of the review.
Right to amend. If a patient feels that medical information is incorrect or incomplete, the patient may ask that the information be amended. A patient has the right to request an amendment for as long as the information is kept by or for the facility.
Inpatients may request an amendment by making their request in writing and giving it to their nurse. Once patients have been discharged from the facility, requests for amendments must be made in writing and submitted to the Norton Healthcare Health Information Management Department at P.O. Box 35070, Louisville, KY 40232-5070 or to the office manager at the practice at which the patient was treated. In addition, the patient must provide a reason that supports the request.
Requests for an amendment will be denied if they are not in writing or do not include a reason to support the request. In addition, requests also may be denied if the information:
- Was not created by Norton Healthcare, unless the patient provides a reasonable basis to believe the person or entity that created the information is no longer available to make the amendment,
- Is not part of the medical information kept by or for the facility,
- Is not part of the information that the patient would be permitted to inspect or copy, or
- Is accurate and complete.
Right to an accounting of disclosures. Patients have the right to request an “accounting of disclosures.” This is a list of the disclosures Norton Healthcare made of medical information about the patient for purposes other than treatment, payment, and health care operations, inclusion of information in our directory, or to persons involved in care, for national security or intelligence purposes, to corrections institutions or law enforcement officials, or for disclosures made after April 14, 2003. For research disclosures, see the “Research” section in this notice.
To request this list or accounting of disclosures, patients must submit a request in writing to the Norton Healthcare Health Information Management Department at P.O. Box 35070, Louisville, KY 40232-5070 or to the office manager at the facility where they received care. Inpatients must give the written request to their nurse. Requests must state a time period that may not be longer than six years and may not include dates before April 14, 2003. Requests should indicate in what form the patient wants the list (for example, on paper or electronically). The first list request within a 12-month period will be provided free. For additional lists, patients may be charged the cost of providing the list. Patients will be notified of the cost involved and may choose to withdraw or modify the request before any costs are incurred.
Right to request restrictions. Patients have the right to request restrictions on the medical information used or disclosed about them for treatment, payment, or health care operations. Patients also have the right to request a limit on the medical information Norton Healthcare discloses to someone who is involved in the patient’s care or the payment for care, like a family member or friend, or for other permitted purposes. For example, patients could ask that we not use or disclose information about a surgery they had. In addition, patients can request that we restrict the medical information we use in our hospital directory about them or its release to clergy. See information in this notice regarding research projects.
In most cases, Norton Healthcare is not required to agree to patient requests to restrict the use or disclosure of a patient’s medical information. If a patient has paid in full for treatment out of his/her own pocket, the patient may request that information regarding the out-of-pocket treatment not be disclosed to his/her health insurer, and Norton Healthcare must grant such a request. In all other cases, Norton Healthcare is not required to agree to requests. If we do agree, we will comply with the patient’s request unless the information is needed to provide emergency treatment and/or safe patient care.
To request restrictions, patients must make their request in writing to the Norton Healthcare Health Information Management Department at P.O. Box 35070, Louisville, KY 40232-5070 or to the office manager at the facility where they received care. Inpatients must give a written request to their nurse. In the request, the patient must tell us: (1) what information he or she wants to limit; (2) whether he or she wants to limit our use, disclosure, or both; and (3) to whom he or she wants the limits to apply (for example, disclosures to his or her spouse).
Right to request confidential communications. Patients have the right to ask that Norton Healthcare communicate with them about medical matters in a certain way or at a certain location. For example, a patient can ask that we only contact him or her at work or by mail.
To request confidential communications, patients must make their requests in writing to the Norton Healthcare Health Information Management at P.O. Box 35070, Louisville, KY 40232-5070 or to the office manager at the facility where they received care. Inpatients should give the written request to their nurse. We will not ask the reason for the request. We will make every effort to accommodate all reasonable requests. Requests must specify how or where the patient wishes to be contacted and how payment will be handled.
Right to a paper copy of this notice. Patients have the right to a paper copy of this notice. Patients may ask us to provide a copy of this notice at any time. Even if a patient has agreed to receive this notice electronically, he or she is entitled to a paper copy of this notice.
Patients may obtain an electronic copy of this notice online at NortonHealthcare.com. To obtain a paper copy of this notice, patients should contact the director of Patient Access at the hospital or the office manager at the facility where care was received.
Right to be notified following a breach of the patient’s unsecured protected health information. In the unlikely event that your protected health information has been compromised, Norton Healthcare will notify you of such an incident.
Changes to this Notice
Norton Healthcare reserves the right to change this notice and to make the revised or changed notice effective for medical information we already have about patients as well as any information we receive in the future. A copy of the current notice is posted in all our facilities. The notice contains the effective date on the first page in the top left-hand corner.
If patients believe their privacy rights have been violated, they may file a complaint with the facility or with the secretary of the Department of Health and Human Services. Additionally, some states may allow you to file a complaint with your state’s Attorney General, Office of Consumer Affairs or other state agency as specified by applicable state law. To file a complaint with the facility, submit your complaint to the facility’s privacy officer in writing. To file a complaint with a Norton Healthcare hospital or facility, patients should contact the risk manager at the hospital, the office manager of the facility or the compliance officer. All complaints must be submitted in writing. No one will be penalized for filing a complaint.
Other uses of medical information
Other uses and disclosures of medical information not covered by this notice or the laws that apply to Norton Healthcare will be made only with patients’ written permission or as otherwise permitted by law. If a patient provides us with permission to use or disclose medical information about him or her, he or she may revoke that permission, in writing, at any time. If a patient revokes permission, we will no longer use or disclose medical information about him or her for the reasons covered by his or her written authorization. We are unable to take back any disclosures we have already made with the patient’s permission, and we are required to retain our records of the patient care that we provide.