Notice of Privacy Practices

Caring Community Health Center (“CommunityCare”) Notice of Privacy Practices ("Notice")
Effective date: October 1, 2019

This Notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

If you have any questions about this Notice, you may ask a member of the staff where you receive health care services. You may also contact the Privacy Office at:

System Privacy Office ¹
MC 30-03
100 N. Academy Ave.
Danville, PA 17822
570-271-7360
systemprivacyoffice@pacommunitycare.org

This Notice applies to all CommunityCare HIPAA covered entities/sites.

You may always obtain our most current Notice online at: pacommunitycare.org

You may also obtain a copy by calling or writing the System Privacy Office identified above.

Summary

Our Uses and Disclosures

We may use and share your information as we:

Treat you
Run our organization
Bill for services provided to you
Help with public health and safety issues
Do research
Comply with the law
Respond to organ and tissue donation requests
Work with a medical examiner or funeral director
Address workers’ compensation, law enforcement, and other government requests

¹ CommunityCare contracts with Geisinger System Services to provide certain support services, including support for privacy related issues.

Respond to lawsuits and legal actions

See “Our Uses and Disclosures” below for more information.

Your Rights

You have the right to:

Get a copy of your paper or electronic medical record
Correct your paper or electronic medical record
Request confidential communication
Ask us to limit the information we share
Get a list of those with whom we’ve shared your information
Get a copy of this privacy notice
Choose someone to act for you
File a complaint if you believe your privacy rights have been violated

See “Your Rights” below for more information.

Your Choices

You have some choices in the way that we use and share information as we:

Reach out to you via telephone, text, or e-mail
Provide disaster relief
Include you in a hospital directory
Provide mental health care
Market our services
Raise funds

See “Your Choices” below for more information.

Our Uses and Disclosures

How do we use and share your health information?

Under HIPAA, the information CommunityCare collects about you as a patient is generally considered protected health information (PHI). CommunityCare may only use and disclose your PHI pursuant to an authorization, or as otherwise permitted or required by law. We typically use or share your PHI in the following ways.

Treatment
We will share your PHI with other professionals who are treating you.

This includes disclosure of your PHI to doctors, hospitals, pharmacies and other third parties who are involved in your care. For example, we will disclose your PHI to another physician to whom you have been referred, to the physician who referred you to us or to a home health agency that will be caring for you. We will use your PHI during continuum of care rounds which may include, without limitation, physicians, nurses, care managers, social workers, pharmacists, physical therapists, spiritual care workers and nutrition staff who are involved in your care. We may call your name in our waiting room when your doctor or other provider is ready to see you.

Payment
We will share your PHI so that we may bill for health care services and receive payments for the services you receive. This includes activities such as communicating your PHI to an insurance company.

Health care operations
We will use and disclose your PHI as necessary for health care operations such as to run our business, improve your care, and contact you when necessary.

For instance, our providers may serve the region by participating in medical education programs. We may disclose your PHI to the students and faculty of such programs. We may use your information to evaluate the performance of our staff and for training and education purposes.

How else can we use or share your PHI?

We are allowed or required to share your information in other ways – usually in ways that contribute to the public good, such as public health and research. We have to meet many conditions in the law before we can share your information for these purposes. Some examples are provided below.

For more information U.S. Health and Human Services maintains a website for patients regard HIPAA at: www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html.

Business associates
Some of the services we provide are performed through contractual relationships with outside parties or business associates. These services may include (but are not limited to) financial, auditing and legal. We take efforts to only provide business associates with the minimum necessary amount of PHI to carry out their contractual duties. All business associate contracts restrict the ability of the business associate to further use or disclose your PHI so that it is appropriately safeguarded.

Individuals involved in your care
We may disclose your PHI to those people we reasonably believe are involved in your care, such as family members and friends.

To avert a serious threat to health or safety
We may use or disclose your PHI for reasons which include preventing a serious threat to your health and safety, or the health and safety of others.

Cadaveric organ, eye and tissue donation
We may share the PHI of organ donors to organizations that assist with such donations.

Specialized government functions
We may use or disclose your PHI for specialized government functions such as military, national security and presidential protective services.

Workers' compensation
We may disclose your PHI for purposes of handling your workers' compensation claims in compliance with applicable laws, rules and regulations.

Public health and safety
We may share your PHI for certain situations such as:

Preventing disease
Helping with product recalls
Reporting adverse reactions to medicine
Reporting suspected abuse, neglect, or domestic violence
Preventing or reducing a serious threat to anyone’s health or safety

Health oversight activities
We may disclose your PHI to agencies of the government for activities authorized by law. These activities include monitoring health care systems and participation in government programs.

Lawsuits and disputes
We can share PHI about you in response to a court or administrative order, or in response to a subpoena.

Law enforcement
We may disclose your PHI if asked to do so by a law enforcement official for reasons including (but not limited to) identifying or locating a suspect, a witness or a missing person, or investigating criminal activity.

Coroners, medical examiners and funeral directors
We can share PHI with a coroner, medical examiner, or funeral director when an individual dies.

Individuals in custody
If you are an inmate of a correctional institution or in the custody of a law enforcement official, we may disclose your PHI to the respective correctional institution or law enforcement official in accord with applicable laws, rules, regulations and our policies.

Research
We may share your PHI for health research.

As otherwise permitted or required by law or legal process
We will disclose your PHI when we are required to do so by local, state or federal law or process of law including with the Department of Health and Human Services if it wants to see that CommunityCare is complying with federal privacy law.

We may also disclose your PHI when we are otherwise permitted to do so under the law or pursuant to legal process.

Additional rights under Pennsylvania Law
Pennsylvania law may further limit how we use or share your PHI including HIV-related records, records of alcohol or substance use disorder, inpatient mental health records and mandatory outpatient mental health treatment records. If Pennsylvania law applies to your PHI, we will use and disclose your PHI in compliance with these more restrictive laws.

Patient reunions
We may hold reunions for various patient groups to celebrate their success in treatment. If you are or were part of such a patient group, we may use your PHI to invite you.

Receiving payment for PHI
Unless allowed by law, CommunityCare will not sell your PHI, and may not receive payment directly or indirectly for your PHI without your authorization.

Shared Electronic Health Record
Community Care participates in a shared electronic health record (EHR) that is maintained by Geisinger ². Entities that participate in the shared EHR, now and in the future, will be able to use and disclose your PHI as described in their Notice of Privacy Practices if they have a treatment relationship with you. A list of entities participating in our EHR is provided below.

² “Geisinger” refers to the separate legal covered entities of Geisinger Health. Geisinger is comprised of Geisinger Health as parent and its subsidiaries, affiliates and members. Although Geisinger Health does not provide medical care or employ physicians, it is the corporate parent of various corporate entities each of which is an individual corporate entity legally separate and distinct from Geisinger Health.

Universal Authorization
We believe that having a complete picture of your health status is important to providing quality medical care. This can be especially important in the case of an emergency room visit and when coordinating your care among covered entities (as defined by HIPAA).

The covered entities participating in the shared EHR (as described above) will only disclose PHI related to substance abuse disorder, your inpatient/involuntary mental health treatment records, or HIV/AIDs related treatment and testing records to covered entities outside the shared EHR as required or permitted by law or with your consent.

If you wish to share this PHI to facilitate treatment, payment and healthcare operations (each as defined by HIPAA), we ask that you review and sign a Universal Authorization (UA). The UA has recently been updated and is available at our offices or online at: https://www.pacommunitycare.org/policies/communitycare-privacy-policy

If you have previously signed a UA, you do not need to take any further action to share this information as acknowledgment of this Notice of Privacy Practices serves as your consent to continue to share this information. If you do not sign the acknowledgement, we will turn off the sharing of this sensitive data until you either sign a new UA or the acknowledgement of the updated UA.

You can revoke a UA at any time by contacting our Privacy Office.

Your Rights

Your right to inspect and copy
You have the right to inspect and receive a copy (paper or electronic) of your PHI that may be used to make decisions about your care. You may also direct us in writing to transmit your PHI to another entity or individual.

To do so, you must complete a Patient Access Request Form. You can obtain the form and instructions online at: https://www.pacommunitycare.org/policies/communitycare-privacy-policy

You may also obtain a copy of the form by contacting our Health Information Management Department directly using the contact information on the last page of this Notice. If you need assistance completing the form, please contact the Privacy Office. The contact information for the Privacy Office is located on the last page of this Notice.

Note that you will be charged a reasonable cost-based fee. Note also that we may deny your request to inspect and receive a copy of your PHI in very limited circumstances. If you are so denied, in some cases, you may request that such denial be reviewed. We will comply with the outcome of such review.

Authorizations
Certain disclosures require an authorization. For example, in general, for our Pennsylvania patients CommunityCare will not disclose inpatient mental health records unless you sign an authorization or a specific exception applies.

If you provide us with a written authorization to disclose your PHI, you may revoke (cancel) it at any time. Your revocation (cancellation) must be in writing. We are not able to take back any uses or disclosures that we already made with your authorization.

You may also wish to grant another individual or entity the right to access, discuss, or obtain copies of your PHI. To do so, you must complete an authorization form that complies with the law. CommunityCare provides several HIPAA compliant authorizations online at: https://www.pacommunitycare.org/policies/communitycare-privacy-policy

Your right to amend
We are required to retain your PHI regarding the care and treatment that we provided to you in accordance with applicable law. You have the right to an amendment of PHI or a record about you in a designated record set for so long as your PHI is maintained in the designated record set. However, we may deny such a request in the following circumstances:

The record was not created by CommunityCare, unless you provide us with a reasonable basis to believe that the originator of PHI is no longer available to act on the requested amendment
The record is not part of the designated record set
The record would not be available for inspection under 45 CFR 164.524
The record is accurate and complete.

Generally, we must respond in writing to your request within sixty (60) days. However, we may extend the time for such action by no more than thirty (30) days as provided under HIPAA. If we do not agree to your request, you have the right to submit a statement of disagreement that we must add to your medical record. The contact information for the Privacy Office is located on the last page of this Notice.

Your right to an accounting of disclosures
You have the right to an accounting of disclosures. This is a list (accounting) of the times we've disclosed your PHI for six years prior to the date you ask, who we've shared it with and why. In compliance with the law, we will include all the disclosures except for those about treatment, payment, and health care operations, and certain other disclosures (such as any you have asked us to make). We will provide you with an accounting of disclosures if you request it and in accord with the law. Contact our Privacy Office to make such a request.

Your right to notification
We are required by law to maintain the privacy and security of your PHI. We will let you know promptly if a breach occurs that may have compromised the privacy or security of your information. This will be done by mail or by other means if necessary.

Your right to request restrictions
You have the right to request restrictions on the PHI we use or disclose about you for treatment, payment and health care operations. We are not required to agree to your request, and generally, we will not accept requests for such restrictions.

As required by law, if you have paid out of pocket for a health care service or item, you have the right to ask us to not tell your insurance company about such service or item for purposes other than treatment. We will not share the PHI regarding such care with your insurer for purposes of payment or health care operations.

Your right to request confidential communications
You have the right to make a reasonable request that we communicate with you regarding your PHI in a certain way or at a certain location (for example, home or office phone). Such reasonable requests may include, when appropriate, how information as to payment for services we provide to you will be handled. We may require you to make this request in writing to the manager of your care site.

Your right to a paper copy of this Notice
Generally, you have a right to obtain a paper copy of this Notice. You may ask us to give you a copy of this Notice at any time, even if you have agreed to receive this Notice electronically. You may also obtain a paper copy of this Notice at the registration desk at your next appointment.

Changes to this Notice
We may change this Notice at any time. We may make the revised or changed Notice effective for PHI we already have as well as any PHI we receive in the future. We will post a current copy of this Notice in our hospitals and clinics. On the first page of the Notice, in the top right corner, you will find the effective date of that Notice.

If we make a material change to uses and disclosures, your rights, our legal duties or other privacy practices stated in this Notice, we will promptly revise and distribute our changed Notice. Except when required by law, a material change to any term of this Notice may not be implemented prior to the effective date of the revised Notice.

Complaints
If you believe your privacy rights have been violated, you may file a complaint with our privacy officer and/or the secretary of the U.S. Department of Health and Human Services. We have provided both addresses on the last page of this Notice. To file a complaint with the Privacy Office, please call 570-271-7360.

The covered entities of CommunityCare value your right to privacy. You will not be retaliated against for filing a complaint.

Other uses of your PHI
Other uses and disclosures of your PHI not covered by the categories included in this Notice or applicable laws, rules or regulations will be made only with your written permission or authorization.

We are required to abide by the terms of this Notice.

Your Choices

Phone Calls, Texting, and E-Mail
When you provide CommunityCare with your telephone number, including your cellphone or mobile number, or e-mail you are consenting to give CommunityCare permission to contact you via a phone call, text or e-mail for certain important messages related to your healthcare. When we contact you, we will provide you with the opportunity to opt out of similar communications in the future. Please be aware that text and messaging rates may apply.

At any time, you may instruct CommunityCare to stop all future texts by contacting our Privacy Office.

Appointment reminders
We may contact you via mail, telephone, text or e-mail to remind you of an upcoming appointment. We may leave you a message that includes the date, time and general information about an upcoming appointment.

If you do not wish to receive appointment reminders, please notify your health care professional.

Communicating with CommunityCare Using Unsecure Electronic Communications
We recommend that you use secure electronic communications, such as our patient portal MyCommunityCare, when you contact us. Using unsecure electronic communications, such as regular e-mail or text messaging, may result in certain risks such as interception by others or storage of your information on devices that are unsecured. If you choose to communicate with us via unsecure electronic communication, you are agreeing to accept these risks. Please note, that we may respond to you in the same manner to the e-mail address or phone number from which you sent your text.

Email and texting are not a substitute for professional medical advice, diagnosis or treatment and should not be used in a medical emergency.

Marketing
We will not share your PHI for marketing purposes or accept any payment for marketing communications without an authorization. However, we may use or share your PHI for communications that are not considered marketing. For example:

Contact you to give you information about products or services related to your treatment
Contact you to encourage you to maintain a healthy lifestyle and get recommended tests, participate in a disease management program, and tell you about government sponsored health programs
Have face to face communications with you regarding products and services that are appropriate for your care
Provide you with promotional gifts of nominal value
Remind you to take and refill your medications, or otherwise communicate with you about a drug or biologic that is currently prescribed to you. Any payment we receive, direct or indirect, may only cover the reasonable cost to us of making the communication
Provide you with information about treatment alternatives or other health-related benefits and services that may be of interest to you.

Health Information Exchanges
CommunityCare participates or is required to participate in certain information sharing networks for treatment, payment or healthcare operation. Exchange of health information can provide better coordination of care, faster access, and assist your in making more informed decisions regarding your care.

When we participate in any such exchange, you PHI will only be shared as permitted or required under HIPAA and other applicable federal and state privacy laws. Below is some additional information related to some of these exchanges.

Keystone Health Information Exchange (“KeyHIE Exchange)
Keystone Health Information Exchange, Inc. (“KeyHIE”) is a business associate of CommunityCare, and other participating covered entities. KeyHIE maintains and operates the Keystone Health Information Exchange (“KeyHIE Exchange”) which is a certified health information organization participating in the Pennsylvania Patient & Provider Network ("P3N").

The KeyHIE Exchange enables the secure exchange of PHI to improve health care delivery and health care outcomes. P3N was established by Pennsylvania law (Act 121) and is part of a federal initiative to electronically share PHI. The Pennsylvania eHealth Partnership Authority (the "Authority") has been charged with building the Pennsylvania network.

CommunityCare participates in the KeyHIE Exchange. At any time, you may instruct CommunityCare to stop sharing your PHI through the KeyHIE Exchange by contacting the Privacy Office. Our phone number and address are provided on the last page of this Notice. The Authority also maintains a separate P3N Opt-Out Registry. The opt-out form is online at paehealth.org.

CONTACT INFORMATION

The contact information for our Privacy Office is:
System Privacy Office
MC 30-03
100 N. Academy Ave.
Danville, PA 17822
570-271-7360
systemprivacyoffice@pacommunitycare.org

The address for the Health Information Management Department is:
Health Information Management Department
Medical Reports MC 13-11
100 N. Academy Ave.
Danville, PA 17822
570-214-6706

The address for the United States Department of Health and Human Services is:
U.S. Department of Health and Human Services
200 Independence Ave. SW
Washington, DC 20201
877-696-6775
Website: hhs.gov/ocr/privacy/hipaa/complaints

Important notice to patients who are not Residents of the United States

CONSENT TO PROCESSING YOUR INFORMATION IN THE UNITED STATES

The covered entities of CommunityCare Health only provide health care and related services in the United States. We are subject to the United States laws and regulations that govern the privacy and security of patient healthcare information, as well as consumer protection laws and regulations of the United States and its individual states, as applicable. If you are a citizen or resident of a different country, the data protection laws of your country may differ as to how your personal information is protected. We want you to understand that when you provide your personal information to us, or direct your healthcare provider to provide your information to us, your personal information will be transmitted to and processed in the United States. In doing that, you will be giving the covered entities of CommunityCare Health your consent to process your information in the United States, in accordance with United States law, for our legitimate purpose in fulfilling your request or addressing your healthcare needs.

If you would like information about how CommunityCare processes your personal information, please address your request to our Privacy Office at 570-271-7360 or at systemprivacyoffice@pacommunitycare.org. We will respond to your request in accordance with applicable US laws.

ENTITIES PARTICIPATING IN OUR SHARED ELECTRONIC HEALTH RECORD (EHR)

Caring Community Health Center, a Pennsylvania nonprofit corporation
All Geisinger Affliated Covered Entities (for a complete list of Geisinger Affiliated Covered Entities visit their website at Geisinger.org/HIPAA

Last Revision Date: October 1, 2019