Patient Privacy and Rights
Syracuse University Health Services is designated as a covered entity by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and as such is governed by the privacy and security regulations provided within the HIPAA legislation. The Health Service Notice of Privacy Practices (NPP) is made in compliance with the Standards for Privacy of Individually Identifiable Health Information (the Privacy Standards) established by the United States Department of Health and Human Services (DHHS) and summarizes the privacy practices of the Health Services at Syracuse University.
Protected Health Information
Protected Health Information (PHI), as defined by HIPAA and its accompanying regulations (the Privacy Standards), is individually identifiable health information, including demographic information, that is created, received, transmitted or maintained by Health Services, regardless of form (oral, written, or electronic), that relates to:
- the past, present or future physical or mental health or condition of an individual;
- the provision of health care services to an individual; or
- the past, present, or future payment for the provision of health care to an individual.
PHI may include, but is not necessarily limited to, medical records, billing records, medical images, consultant reports, laboratory or other diagnostic testing results, and any other individually identifiable information.
Confidentiality of Records
All PHI created, received, transmitted, or maintained by Health Services is confidential and remains the property of Health Services. Confidentiality extends to PHI in any medium, including information that is on paper, in the computer systems of Syracuse University, or communicated verbally.
Employees may not divulge, copy, transfer, alter, or destroy any PHI, or remove any PHI from Health Services, except as authorized by Health Services. Employees must hold in strictest confidence any and all access codes, passwords, and/or authorizations provided by Health Services as an Employee of Health Services.
Health Services has implemented appropriate administrative, technical, and physical safeguards to protect the privacy of PHI and to safeguard PHI from any intentional or unintentional uses or disclosures that are in violation of the Privacy Standards and/or the policies and procedures of Health Services. Employees must strictly comply with all applicable federal and state laws and regulations, and all policies and procedures established by Health Services relating to the confidentiality and protection of PHI.
NOTICE OF PRIVACY PRACTICES
As Required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
PLEASE REVIEW IT CAREFULLY
This Notice of Privacy Practices (NPP) is made in compliance with the Standards for Privacy of Individually Identifiable Health Information (the Privacy Standards) established by the United States Department of Health and Human Services (DHHS) as required under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This NPP summarizes the privacy practices of the Health Services at Syracuse University (Health Services). The Privacy Standards shall control in the event of a discrepancy between this NPP and the Privacy Standards.
Health Services is required under HIPAA to protect the privacy of your Protected Health Information (PHI), as defined below, and to inform you, through this NPP, about:
- the duties of Health Services with respect to your PHI;
- how Health Services may use and disclose your PHI
- your privacy rights with respect to your PHI;
- your right to file a complaint with Health Services and with the Secretary of the DHHS; and
- who to contact for further information about the privacy practices of Health Services.
PHI, as defined by HIPAA, includes individually identifiable information about you that is transmitted or maintained by Health Services, including demographic information, and includes information that is created or received by Health Services that relates to:
- your past, present or future physical or mental health or condition;
- the provision of health care services to you; or
- the past, present, or future payment for the provision of health care to you.
Health Services is required to abide by the terms of the NPP that is currently in effect for Health Services. Health Services reserves the right to revise or amend the terms of this NPP. Any revision or amendment to the NPP will be effective for all records that Health Services has created or maintained in the past, and for any of your records that Health Services may create or maintain in the future. You will be informed of any material changes made to our NPP. In addition, Health Services will post a copy of our most current NPP in our reception area at all times. You may also obtain a copy of our most current NPP at any time by asking for a copy at the time of your next visit, or by calling our office at 315-443-9005.
If you have any questions about this NPP or would like further information about HIPAA, please contact the Privacy Contact Official at Health Services at 111 Waverly Avenue, Syracuse, New York 13244-2320, or at (315) 443-2666.
B. HOW HEALTH SERVICES MAY USE AND DISCLOSE YOUR PHI
HIPAA permits Health Services, its Business Associates, and their agents/subcontractors, if any, to use and/or disclose your PHI, without prior authorization, for the purposes of treatment, payment, and other health care operations of Health Services, which are described below. Health Services will disclose your PHI to its Business Associates only if it has received satisfactory assurances that its Business Associates will appropriately safeguard your PHI. HIPAA also permits Health Services to use and disclose your PHI, without prior authorization, for other specific purposes that are also described below. For each category, we have provided a description and some examples of the permitted uses and/ or disclosures. The following examples are illustrative and are not meant to be a complete description of the permitted uses and disclosures of Health Services.
- Treatment. Health Services may use and/or disclose your PHI with other health care providers who are involved in your care and treatment. For example, Health Services may use or disclose PHI about you to physicians, nurses, paraprofessionals, technicians, or other Health Services’ personnel who are involved in your care and treatment. Many of the people that work for Health Services, including, but not limited to, our health care providers, may use or disclose your PHI in order to treat you or to assist others in your care and treatment, including but not limited to treatment at Syracuse University’s R.A.P.E. Crisis Center or SAPHE. We may also disclose PHI about you to health care providers outside of our office who are involved in your care or treatment. For example, we may disclose your PHI to a referring physician or a pharmacy for treatment purposes. We may also share your PHI in order to coordinate services, such as laboratory work and/or x-rays.
- Payment. Health Services may use and/or disclose your PHI in order to bill or to collect payment for services you have received from Health Services. For example, we may use or disclose PHI to your health insurer or to another party responsible for payment in order to obtain payment, or to certify that you are eligible for benefits. We may also disclose to your insurer information about a treatment or service you may receive from Health Services in order to obtain prior approval for such service, or to determine whether your plan will cover the treatment or service.
- Health Care Operations. Health Services may use and/or disclose PHI in order to conduct its normal business operations. For example, Health Services may use your PHI to review the treatment and services it provided, to evaluate the performance of its staff in caring for you, or to educate its staff on how to improve the care they provide to you. Health Services may also disclose your PHI to another entity that performs business services on behalf of Health Services, such as billing companies, technology and software vendors, attorneys, or external auditors. Prior o such disclosures, however, HIPAA requires Health Services to sign a Business Associate Agreement with such entities to ensure the protection of your PHI.
- Appointment Reminders/Follow up Telephone Calls/Emails. Health Services may use and/or disclose PHI to contact you with a reminder that you have an appointment for treatment or medical care. Such contacts may include telephone messages and/or electronic mail messages. We may also call to follow up on care you received, to communicate test results, or to confirm an appointment with Health Services or another health care provider.
- Individuals Involved in Your Care or Payment for Your Care. Subject to the Family Educational Rights in Privacy Act (FERPA), HIPAA permits Health Services to disclose your PHI to a family member, other relative, or any other person identified by you, if:
- you are present for, or otherwise available prior to the disclosure and we have either obtained your agreement to the disclosure, provided you the opportunity to object to the disclosure, or Health Services has reasonably inferred from the circumstances that you do not object to the disclosures;
- due to your incapacity or an emergency circumstance, Health Services has determined that a disclosure is in your best interest – in such circumstances, Health Services will only disclose PHI that is directly relevant to the person’s involvement with your health care.
- Emergencies. Health Services may use and/or disclose PHI to provide you with emergency treatment in emergency situations.
- As Required By Law. Health Services may use and/or disclose your PHI if we are required to do so under any federal, state or local law.
- Public Health Risks. Health Services may use and/or disclose your PHI to authorized public health officials (or a foreign government agency collaborating with such officials) so such officials may carry out public health activities. For example, Health Services may disclose your PHI to public health officials for the following reasons:
- to prevent or control disease, injury or disability;
- to report vital events such as births and deaths;
- to report abuse or neglect of children or adults;
- to report quality, safety or effectiveness of FDA-regulated products or activities;
- to notify people of product recalls they may be using;
- to notify a person who may have been exposed to a communicable disease or may be at risk for contracting or spreading a disease or condition; or
- to your employer, if your employer hires us to provide you with a medical evaluation or to evaluate whether you have a work-related illness or injury that your employer must know about in order to comply with employment laws.
- Victims of Abuse, Neglect, or Domestic Violence. Health Services may disclose your PHI to government authorities, including a social service or protective services agency, authorized by law to receive reports of abuse, neglect or domestic violence. For example, Health Services may report your PHI to government officials if it reasonably believes that you have been a victim of abuse, neglect or domestic violence. Health Services will make every effort to obtain your permission before releasing this information, however, in some cases Health Services may be required or authorized to act without your permission.
- Health Oversight Activities. Health Services may disclose your PHI to a health oversight agency for activities authorized by law. These agencies typically monitor the operation of the health care system, government benefits programs, and compliance with government regulatory programs. The oversight activities may include audits; civil, criminal, or administrative investigations or actions; inspections; and/or licensure or disciplinary actions.
- Lawsuits and Similar Proceedings. Health Services may use or disclose your PHI in response to a court or administrative order, if you are involved in a lawsuit or similar proceeding. Health Services may also disclose your PHI in response to a discovery request, subpoena, or other lawful process that is not accompanied by an order of a court or administrative tribunal, but only if we have first received satisfactory assurances from the party requesting the information that reasonable efforts have been made to inform you of the request, or if Health Services has received satisfactory assurances that efforts have been made by the party seeking the information to obtain a qualified protective order. A qualified protective order is an order of a court or an administrative tribunal or a stipulation by parties to the litigation that prohibits the parties from using or disclosing PHI for any purpose other than the litigation or proceeding. A qualified protective order will require the return of PHI to Health Services at the end of the litigation or proceeding.
- Law Enforcement Purposes. Health Services may disclose your PHI to law enforcement officials for the following reasons:
- in response to court orders, warrants, subpoenas, or summons or similar legal process;
- to assist law enforcement officials with identifying or locating a suspect, fugitive, material witness, or missing person;
- if you have been or are suspected of being a victim of a crime and you agree to the disclosure, or if we are unable to obtain your agreement because of incapacity or other emergency.
- if we suspect that a death resulted from criminal conduct;
- to report evidence of criminal conduct that occurred on our premises;
- in response to a medical emergency, to report a crime (including the location or victims of the crime; or the identity, description or location of the person who committed the crime).
- Coroners, Medical Examiners and Funeral Directors. Health Services may disclose your PHI to a coroner or medical examiner for the purpose of identifying a deceased person, determining cause of death, or other duties as authorized by law. Health Services may also release PHI to funeral directors as necessary to carry out their duties.
- Research. In most cases, Health Services will ask for your written authorization before using and/or disclosing your PHI to conduct research. However, in limited circumstances we may use and/or disclose PHI without authorization if: (i) the use or disclosure was approved by an Institutional Review Board or a Privacy Board; and (ii) we obtain representations from the researcher that the information is necessary for the research protocol, PHI will not be removed from our practice, and the information will be used solely for research purposes; or (iii) the PHI sought by the researcher relates only to decedents and the researcher agrees that the use or disclosure is necessary for the research.
- To Avert Serious Threat to Health or Safety. Health Services may use or disclose your PHI when necessary to prevent or lessen a serious and imminent threat to your health or safety, or the health or safety of another person or the public. In such cases, Health Services will only share your PHI with a person or persons reasonably able to prevent or lessen the threat, including the target of the threat; or if it is necessary for law enforcement authorities to identify or apprehend an individual.
- Specialized Government Functions. Health Services may use and disclose PHI regarding:
- Military and veteran activities;
- Intelligence, counter-intelligence, and other national security activities authorized by law;
- Protective services for the President, to foreign heads of state, or to other persons authorized by law;
- Inmates to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual.
- Workers' Compensation. Health Services may disclose your PHI for workers' compensation or other similar programs that provide benefits for work-related injuries or illnesses.
Except as otherwise indicated in this NPP, uses and disclosures for all other purposes will be made only with your written authorization. You may revoke any authorization at any time, provided that your revocation is done in writing, and except to the extent that Health Services has already relied upon your authorization.
C. YOUR RIGHTS REGARDING YOUR PHI
HIPAA provides you with the following rights regarding the PHI we maintain about you:
- Right to Inspect and Copy. You have the right to inivil, criminal, or administrative action or proceeding; and PHI maintained by Health Services that is subject to the Clinical Laboratory Improvement Amendments of 1988.
A "designated record set" is a group of records maintained by or for Health Services that is the medical records and billing records about you.
To inspect or obtain a copy of your PHI contained in a designated record set, please submit a request in writing to Privacy Official, Syracuse University Health Services, 111 Waverly Avenue, Syracuse, New York 13244-2320. If you request a copy of your record set, we may charge a fee for the costs of copying, mailing or other supplies we use to fulfill your request. The standard fee is $0.75 per page and must generally be paid before or at the time we provide you with copies of your PHI.
Health Services will respond to your request for inspection of records within 10 days, and will respond to requests for copies within 30 days if the information is located within our facility and within 60 days if the information is located off-site at another facility. If Health Services needs additional time to respond to your request for copies, we will notify you in writing within the time frame above to explain the reason(s) for such delay and when you can expect to have a final answer to your request.
Under certain circumstances, Health Services may deny your request to inspect or obtain a copy of your PHI. If your request for inspection is denied, we will provide you with a written notice explaining our reasons for such denial, and will include a complete description of your rights to have the decision reviewed and how you can exercise those rights.
- Right to Amend. You have the right to request that Health Services amend your PHI or a record about you in a designated record set for as long as the information is kept by Health Services, if you feel that the PHI Health Services has about you is incorrect or incomplete.
Health Services may deny your request for amendment if it determines that the PHI or record that is the subject of the request:
- was not created by Health Services, unless you provide a reasonable basis to believe that the originator of the PHI is no longer available to act on the requested amendment;
- is not part of the designated record set;
- would not be available for your inspection under the Privacy Standards (as described in Right to Inspect and Copy Section, above); or
- is accurate and complete.
To request an amendment, your request must be made in writing and submitted to Privacy Official, Syracuse University Health Services, 111 Waverly Avenue, Syracuse, New York 13244-2320. In addition, your request should include the reasons(s) why you believe Health Services should amend your information.
Health Services will respond to your request for amendment no later than 60 days after the receipt of your request. If Health Services needs additional time to respond to your request, we will notify you in writing within 60 days to explain the reason(s) for the delay and the date by which we will complete your request.
If Health Services denies your request for an amendment we will provide you with a written notice of the denial that explains the reasons for doing so. You will have the right to submit a written statement disagreeing with the denial. You will also be informed of how to file a complaint with Health Services or with the Secretary of the DHHS. These procedures will be explained in greater detail in any written denial notice.
- Right to an Accounting of Disclosures. You have the right to request an "accounting of disclosures." An "accounting of disclosures" is a list of disclosures Health Services has made regarding your PHI. An accounting of disclosures will include all disclosures except the following:
- Disclosures to carry out treatment, payment, and health care operations;
- Disclosures made to you;
- Disclosures made pursuant to your authorization;
- Disclosures made in a facility directory or to persons involved in your care;
- Disclosures for national security or intelligence purposes;
- Disclosures to correctional institutions or law enforcement officials; or
- Disclosures made before April 14, 2003.
The accounting of disclosures will be in a format that is consistent with the requirements of the Privacy Standards. To request an accounting of disclosures, you must submit your request in writing to: Privacy Official, Syracuse University Health Services, 111 Waverly Avenue, Syracuse, New York 13244-2320. Your request must include a time period of requested disclosures, which may not be longer than six years and may not include dates before April 14, 2003. The first list you request within a 12-month period will be free. Additional lists within the same 12 month period will be assessed a charge for the costs of providing the list. Health Services will notify you of the cost involved, at which time you may choose to withdraw or modify your request before any costs are incurred.
Health Services will respond to your request for an accounting of disclosures within 60 days from the receipt of such request. If Health Services needs additional time to prepare the accounting, we will notify you in writing within 60 days about the reason for the delay and provide you with the date when you can expect to receive the accounting.
- Right to Request Restrictions. You have the right to request a restriction or limitation on the PHI Health Services uses or discloses about you for treatment, payment or health care operations. You also have the right to request a limit on the medical information that Health Services discloses about you to someone who is involved in your care, like a family member, relative, friend, or other person(s) identified by you.
Health Services is not required to agree to your request for restrictions. If Health Services does agree to a requested restriction, Health Services may not use or disclose PHI in violation of such restriction, unless the information is needed to provide you with emergency care or treatment, or as otherwise required by law. Under certain circumstances Health Services may terminate its agreement to a restriction.
To request restrictions, you must make your request in writing to: Privacy Official, Syracuse University Health Services, 111 Waverly Avenue, Syracuse, New York 13244-2320. In your request, you must tell us (1) what information you want to limit; (2) whether you want to limit our use, disclosure or both; and (3) to whom you want the limits to apply, for example, disclosures to your spouse.
- Right to Request Confidential Communications. You have the right to request that Health Services communicate with you and your PHI in a certain way or at a certain location. For example, you can ask that Health Services only contact you at work or by mail.
Health Services will not ask you the reason for your request, and will accommodate all reasonable requests. Your request must specify how or where you wish to be contacted, and how payment for health care will be handled if Health Services communicates with you through this alternative method or location. To request confidential communications, you must make your request in writing to: Privacy Official, Syracuse University Health Services, 111 Waverly Avenue, Syracuse, New York 13244-2320.
- Right to Receive a Paper Copy of This NPP. You have the right to receive a paper copy of this NPP. You may ask us to give you a copy of this NPP at any time. Even if you have agreed to receive this NPP electronically, you are still entitled to a paper copy of this NPP.
You may obtain a copy of this NPP at our website, http://students.syr.edu/health/. To obtain a paper copy of this please ask any of our staff members at Health Services.
If you believe your privacy rights have been violated, you may file a complaint with the Privacy Official at Health Services, with Syracuse University’s Privacy Officer, and/or with the Secretary of the Department of Health and Human Services. To file a complaint with Health Services, please submit a written complaint to: Privacy Complaint Official, Syracuse University Health Services, 111 Waverly Avenue, Syracuse, New York 13244-2320. To file a complaint with Syracuse University’s Privacy Officer, please submit a written complaint to Privacy Officer, Office of Risk Management, Skytop Office Building, Syracuse, New York 13244. The submission of a complaint to Health Services, Syracuse University’s Privacy Official, or to the Secretary of the United States Department of Health and Human Services will not affect your status as a patient Health Services. You will not be retaliated against for filing a complaint.
E. CONTACT PERSON
If you have any questions about this Notice of Privacy Practices, please contact:
Syracuse University Health Services
111 Waverly Avenue
Syracuse, New York 13244-2320
Rights and Responsibilities
Patients Rights and Responsibilities
The goal of the Syracuse University Health Services is to provide all patients with high quality health care in a manner that clearly recognizes individuals’ needs and rights. The Health Service also recognizes that in order to effectively accomplish this goal, the patient and the health care provider must work together to develop and maintain optimum health.
As a Patient you have the Right To:
- Receive consideration and respectful care.
- Have an active role in the decisions about your health care and treatment.
- Services and care that are explained to you in terms that you can understand and have questions answered concerning your diagnosis and treatment.
- Review the contents of your medical records with a health care provider.
- Understand what medication(s) is given and why, and to understand the common side effects of a medication.
- A diagnosis which is clearly explained to you.
- An explanation of ways that you can prevent your medical problems from recurring.
- Not be examined or treated by a health practitioner; to be informed of the consequences of such decisions, and to request a second opinion if you want one.
- Know what the treatment will be and what risks are involved and to know what to expect as a result of treatment.
- Information about how to express concern over care you have received.
- Get the name, title and position of the person(s) interviewing, examining, and/or treating you.
- Be assured of the confidential treatment of your protected health information and to have the opportunity to authorize the release of such information under certain circumstances.
- Select a health care provider of your choice.
- Inspect and/or receive a copy of your protected health information for as long as Health Services maintains the record.
- Request that Health Services amend your protected health information for as long as the information is kept by Health Services, if you feel that the protected health information Health Services has about you is incorrect or incomplete.
- Request an accounting of disclosures, which is a list of disclosures Health Services has made regarding your protected health information, to the extent that Health Services is required under the HIPAA Privacy Rule to list such disclosures.
- Request a restriction or limitation on the protected health information that Health Services uses or discloses about you for treatment, payment or health care operations.
- Confidential communications, which is the right to request that the Health Service communicates with you in a certain way or at a certain location.
- Receive a paper copy of the Health Service Notice of Privacy Practices.
As a Patient you have the Responsibility to:
- Provide the Health Service with accurate information about your current and past illnesses, immunizations, medications, and hospitalizations.
- Ask questions if you do not understand the directions or treatment.
- Keep appointments or, if you need to cancel, contact the Health Service as soon as possible.
- Be respectful of others and others’ property while in the Health Service facility.
Parents are welcome to call or visit SUHS with questions or concerns. Please understand that we cannot discuss your student’s healthcare information (including whether or not the student has even visited SUHS) without his or her expressed consent.