• Privacy

     

    • PRINT 
     
    Mount Sinai Beth Israel

    Mount Sinai St. Luke’s Roosevelt

    NEW YORK EYE AND EAR INFIRMARY

    NOTICE OF PRIVACY PRACTICES
    Effective Date: September 2013

    Introduction 

    THIS NOTICE OF PRIVACY PRACTICES DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

    Mount Sinai Beth Israel, Mount Sinai St. Luke’s Roosevelt and the New York Eye and Ear Infirmary including its owned off-site physician practices (collectively, "Hospitals" for purposes of this Notice) are required by law to protect the privacy of your health information. We are also required to provide you with a copy of this Notice of Privacy Practices ("Notice") which describes our health information privacy practices, and to follow the terms of the Notice as it may be revised from time to time.

    We reserve the right to change this Notice. A copy of our current Notice will always be posted in the reception area where you receive care. You will also be able to obtain your own copy by accessing our website at www.wehealnewyork.org, calling our office, or asking for one at the time of your next visit.

    If you have any questions about this Notice or would like additional information, please contact the Hospital's Privacy Office at 212-523-2162.  

    PARTICIPANTS 

    We provide healthcare to patients jointly with physicians and other healthcare professionals and organizations. The privacy practices described in this Notice will be followed by:

    • Any healthcare professional who treats you at any Hospital location;
    • All employees, medical staff, trainees, students or volunteers at any Hospital location;
    • Any business associates of the Hospitals (as described below) and their subcontractors.

    These privacy practices will be followed at sites of care associated with all of the entities listed above. These facilities and individuals will share protected health information (PHI) with each other as necessary to carry out the treatment, payment, and healthcare operations described in this Notice.

    IMPORTANT SUMMARY INFORMATION 

    What Health Information is Protected. We are committed to protecting the privacy of information we gather about you while providing health-related services. Some examples of PHI are: information indicating that you are a patient at one of our Hospitals; information about your health condition (such as a disease that you may have); information about healthcare products or services you have received or may receive in the future (such as an operation); or information about your healthcare benefits under an insurance plan (such as whether a prescription is covered) when combined with: demographic information (such as your name, address, or insurance status); unique numbers that may identify you (such as your social security number, your telephone number or your driver's license number); genetic information (see Attachment D); and other types of information that may identify who you are. Note that PHI is no longer protected 50 years after a patient's death.

    Personal Representatives. If a person has the authority under law to make decisions for you relating to your healthcare ("personal representative") we will treat your personal representative the same way we would treat you with respect to your PHI. Parents and guardians will generally be personal representatives of minors unless the minors are permitted by law to act on their own behalf.

    Requirement for Written Authorization. We will obtain your written authorization before using your PHI or sharing it with others outside of our Hospitals, except as described below. You may also request the transfer of your records to another person by completing a written authorization form. If you provide us with written authorization, you may revoke that written authorization at any time, except to the extent that we have already relied upon it. To revoke a written authorization, please write to: Privacy Office, 555 West 57th Street, 18th Floor, New York, NY 10019.

    A verbal authorization is sufficient to disclose proof of immunization to a school where state law requires such information prior to admitting the student.

    Special Protections for HIV, Alcohol and Substance Abuse, Mental Health and Genetic Information. Special privacy protections apply to HIV-related information, alcohol and substance abuse treatment information, mental health information, and genetic information. Some parts of this Notice may not apply to these types of information. Notices explaining how these categories of information will be protected by us are found in Attachments A-D.

    YOUR RIGHTS TO ACCESS AND CONTROL YOUR HEALTH INFORMATION  

    You have the following rights regarding your medical information:

    Right to Inspect and/or Obtain Record Copies  

    You have the right to inspect and obtain a copy in either electronic or paper form of any of your PHI that may be used to make decisions about you and your treatment for as long as we maintain this information in our records. We will produce the records in the specific electronic format that you request if it is feasible to do so. This includes medical and billing records. To inspect or obtain a copy of your PHI, please submit your request in writing to the hospital's Medical Record Department, the physician's office that has your records, or the hospital's Patient Accounts Department.

    If you request a copy of the information, we may charge a fee, as permitted by law, for the costs of copying, mailing or other supplies we use to fulfill your request. The fee must generally be paid before or at the time we give the copies to you.

    We will respond to your request for inspection of records within 10 days. We ordinarily will respond to requests for copies within 30 days if the information is located on-site and within 60 days if it is located in off-site storage. If we need additional time to respond to a request for copies, we will notify you in writing within the time frame above to explain the reason for the delay and when you can expect to have a final answer to your request.

    Under certain very limited circumstances, we may deny your request to inspect or obtain a copy of your information. If we do, we will provide you with a summary of the information instead. We will also provide a written statement that explains the reasons for providing only a summary and a complete description of your right to have that decision reviewed. The written statement will also include information on how to file a complaint about these issues with us or with the Secretary of the United States Department of Health and Human Services/ Office for Civil Rights (OCR). If we have reason to deny only part of your request, we will provide complete access to the remaining parts.

    Right to Amend Records  

    If you believe that the PHI we have about you is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept in our records. If you wish to amend your PHI please contact the Hospital's Medical Record Department or the physician's office that has your records.

    Your request should include the reasons why you think we should make the amendment. Ordinarily we will respond to your request within 60 days. If we need additional time to respond, we will notify you in writing within 60 days to explain the reason for the delay and tell you when you can expect to have a final answer to your request.

    If we deny part or all of your request, we will provide a written notice that explains our reasons for doing so. You will have the right to have certain information related to your requested amendment included in your records. For example, if you disagree with our decision, you will have an opportunity to submit a statement explaining your disagreement which we will include in your records. We will also include information on how to file a complaint with us or with the OCR. These procedures will be explained in more detail in any written denial notice we send you.

    Right to an Accounting of Disclosures  

    You have a right to request an "accounting of disclosures", which is a list with information about how your PHI has been disclosed to others outside of our Hospitals (other than through our HIE).

    An accounting list will not include:

    • Disclosures we made to you or your personal representative;
    • Disclosures we made pursuant to your written authorization;
    • Disclosures we made for treatment, payment or business operations;
    • Disclosures made from the patient directory;
    • Disclosures made to your friends and family involved in your care or payment for your care;
    • Disclosures that were incidental to permissible uses and disclosures of your PHI (for example, when information is overheard by another person passing by);
    • Disclosures for purposes of research, public health or our business operations of limited portions of your health information that do not directly identify you;
    • Disclosures made to federal officials for national security and intelligence activities;
    • Disclosures about inmates to correctional institutions or law enforcement officers;
    • Disclosures made before September 1, 2007.

    To request this list, please write to:

    Privacy Office
    Legal Affairs - 18th Floor
    555 West 57th Street
    New York, NY 10019
     

    Your request must state a time period within the past six years for the disclosures you want us to include. For example, you may request a list of the disclosures that we made between January 1, 2008 and January 1, 2009. You have a right to receive one list within every 12 month period for free. However, we may charge you for the cost of providing any additional lists in that same 12 month period. We will always notify you of any cost involved so that you may choose to withdraw or modify your request before any costs are incurred.

    Ordinarily we will respond to your request for an accounting within 60 days. If we need additional time to prepare the accounting list you have requested, we will notify you in writing about the reason for the delay and the date when you can expect to receive the accounting list. In rare cases, we may have to delay providing you with the accounting list without notifying you because a law enforcement official or government agency has directed us to do so.

    Right to Request Additional Privacy Protections  

    You have the right to request that we further restrict the way we use and disclose your PHI to treat your condition, collect payment for that treatment, or run our business operations. You may also request that we limit how we disclose information about your treatment. To request restrictions, please write to the hospital's Medical Record Department or physician office that has your medical records. Your request should include (1) what information you want to limit; (2) whether you want to limit how we use the information, how we share it with others, or both; and (3) to whom you want the limits to apply.

    We are not always required to agree to your request for a restriction, and in some cases the restriction you request may not be permitted under law but if we do agree, we will be bound by our agreement unless the information is needed to provide you with emergency treatment or to comply with the law. We are required, however, to honor your request if you direct us not to share specific PHI with your insurance company relating to a service you plan to pay for and do pay for personally. It is your responsibility, however, to inform other providers who may receive copies of your Hospital record that they may not share this information with your insurer.

    Right to Request Confidential Communications  

    You have the right to request that we communicate with you about your medical matters by alternate means or at a specific location. For example, you may ask that we contact you at home instead of at work. To request more confidential communications, please write to:

    Privacy Office
    Legal Affairs - 18th Floor
    555 West 57th Street
    New York, NY 10019
     

    We will not ask you the reason for your request, and we will try to accommodate all reasonable requests. Please specify in your request how or where you wish to be contacted.

    Notification of Other Disclosures:  

    You will be notified within 60 days if your PHI has been disclosed to or accessed by a person who was not authorized to receive the information if we determine that there was a high probability that the PHI has been compromised.

    How to File a Complaint. If you believe your privacy rights have been violated, you may file a complaint with the Hospitals' Privacy Office or with the Department of Health and Human Services/Office for Civil Rights. To file a complaint please contact: Privacy Office - 555 West 57th Street, Legal Affairs, 18th Floor, New York, NY 10019 or the Department of Health and Human Services/OCR: www.hhs.gov/ocr/hipaa  

    Under no circumstances will you be penalized or subject to retaliation for filing a complaint.

    HOW WE MAY USE AND DISCLOSE YOUR HEALTH INFORMATION WITHOUT YOUR WRITTEN AUTHORIZATION  

    Treatment. We may share your PHI with healthcare providers at our Hospitals who are involved in taking care of you, and they may in turn use that information to diagnose or treat you. We may also make your PHI available to providers you see outside our Hospitals by making it accessible through a Health Information Exchange (HIE), an electronic network that makes it possible to share information electronically, but we will not let anyone access it through the HIE without your consent except in an emergency (unless you direct us otherwise). This means that if your private, non-Hospital physician uses an HIE that we operate or is part of, s/he will be able to access your PHI generated in the course of any Hospital inpatient or outpatient care. In addition, certain information about your care at our Hospitals may be sent automatically to the person you name as your Primary Care Provider and to the physician who referred you to us. If your private physician is on staff at our Hospitals and uses our electronic health record (EHR) in his/her office, anyone taking care of you at our Hospitals will be able to access your private physician's medical record directly as well.

    PHI shared through the HIE may include, in addition to your demographics and clinical information, the specially protected health information described in Attachments A (HIV-Related Information), B (Alcohol and Substance Abuse Treatment Information), C (Mental Health Information) and D (Genetic Information) of this Notice. The purpose of this use and disclosure to other non-Hospital providers is to ensure that they have the most current and complete information about the care you received at our Hospitals.

    If you participate in one of our Health Homes, staff for those entities will have access to your PHI, with your consent, to assist in coordinating your care.

    Payment. We may use your PHI or share it with others to obtain payment for your healthcare services. For example, we may share information about you with your health insurance company in order to obtain reimbursement after we have treated you, or to determine whether it will cover your treatment. You may direct us not to share specific PHI with your insurance company relating to a service you plan to pay for and do pay for personally. It is your responsibility, however, to inform other providers who may receive copies of your Hospital record that they may not share this information with your insurer. We might also need to inform your health insurance company about your health condition in order to obtain pre-approval for your treatment, such as admitting you to the hospital for a particular type of surgery. Finally, we may share your PHI with other healthcare providers, payers and their business associates for their payment activities.

    Business Operations. We may use your PHI or share it with others in order to conduct our business operations. For example, we may use your PHI to evaluate the performance of our staff in caring for you, to educate our staff on how to improve the care they provide for you or to conduct training programs for students, trainees and other healthcare practitioners. Finally, we may share your PHI with other healthcare providers and payers for certain of their business operations if the information is related to a relationship the provider or payor currently has or previously had with you, and if the provider or payor is required to protect the privacy of your PHI.

    Appointment Reminders, Treatment Alternatives, Benefits and Services. In the course of providing treatment to you, we may use your PHI to contact you with a reminder that you have an appointment for treatment or services at our facility. We may also use your PHI in order to recommend possible treatment alternatives or health-related benefits and services that may be of interest to you. If we are paid to send you treatment information, we will tell you that and give you the right not to receive these communications.

    Fundraising. To support our business operations, we may use demographic information about you, including information about your age, date of birth and gender, where you live or work, the type of insurance you have, and limited clinical information including the dates that you received treatment, the department and physician that provided you with services and outcome information, in order to contact you to raise money to help us improve our facilities and programs. We will not sell your PHI without your authorization. You may opt out of receiving any fundraising communications at any time by calling us at 212-636-8400 or writing us at our Development Office, 555 West 57th Street, New York, NY 10019.

    Business Associates (BAs). We may disclose the minimum amount of your PHI necessary to contractors, agents and other business associates who need the information in order to assist us with obtaining payment or carrying out our business operations. For example, we may share your PHI with a billing company that helps us obtain payment from your insurance company or with an insurance company, accounting firm, law firm, or risk management organization in order to obtain their advice regarding our operations. If we do disclose your PHI to a BA, we will have a written contract with them that requires the BA and any of its subcontractors to protect the privacy of your PHI. They and their subcontractors are also now independently required by federal law to protect your information.

    In-Patient Directory. If you do not object, we will include your name, your location in our facility, your general condition (e.g., fair, stable, critical, etc.) and your religious affiliation in our Patient Directory while you are an inpatient or ambulatory surgery patient at any Hospital facility. This directory information, except for your religious affiliation, may be released to people who ask for you by name. If you do not object, your religious affiliation may be given to a member of the clergy, such as a priest or rabbi, even if he or she does not ask for you by name. If you wish to opt out or restrict access to any of this information, please let us know when you register for inpatient or ambulatory surgery services at any Hospital facility.

    Family and Friends Involved in Your Care. If you do not object, we may share your PHI with a family member, relative, or close personal friend who is involved in your care or payment for that care. In some cases, we may need to share your PHI with a disaster relief organization that will help us notify these persons.

    As Required By Law. We may use or disclose your PHI if we are required by law to do so. We also will notify you of these uses and disclosures if notice is required by law.

    Public Health Activities. We may disclose your PHI to authorized public health officials (or a foreign government agency collaborating with such officials) so they may carry out their public health activities. For example, we may share your PHI with government officials responsible for controlling disease, injury or disability. We may also disclose your PHI to a person who may have been exposed to a communicable disease or be at risk for contracting or spreading the disease if the law permits us to do so. And finally, we are required to release some PHI about you to your employer if your employer hires us to provide you with a physical exam and we discover that you have a work-related injury or disease that your employer must know about in order to comply with employment laws.

    Victims of Abuse, Neglect or Domestic Violence. We may release your PHI to a public health authority that is authorized to receive reports of abuse, neglect or domestic violence. For example, we may report your PHI to government officials if we reasonably believe that you have been a victim of such abuse, neglect or domestic violence. We will make every effort to obtain your permission before releasing this information, but in some cases we may be required or authorized to act without your permission.

    Health Oversight Activities. We may release your PHI to government agencies authorized to conduct audits, investigations, and inspections of our facility. These government agencies monitor government benefit programs such as Medicare and Medicaid, as well as compliance with government regulatory programs and civil rights laws. We are required to release aggregate data (summary information that does not identify any specific patient) to the federal Center for Medicare and Medicaid Services (CMS) to demonstrate that we comply with Meaningful Use regulations by using EHR's to improve the quality of care, to better the overall health of the population and to improve efficiency.

    Product Monitoring, Repair and Recall. We may disclose your PHI to a person or company that is regulated by the United States Food and Drug Administration for the purpose of: (1) reporting or tracking product defects or problems; (2) repairing, replacing, or recalling defective or dangerous products or (3) monitoring the performance of a product after it has been approved for use by the general public.

    Lawsuits and Disputes. We may disclose your PHI if we are ordered to do so by a court or administrative tribunal that is handling a lawsuit or other dispute.

    Law Enforcement. We may disclose your PHI to law enforcement officials for the following reasons:

    • To comply with court orders or laws that we are required to follow;
    • To assist law enforcement officers with identifying or locating a suspect, fugitive, witness, or missing person;
    • If you have been the victim of a crime and we determine that: (1) we are unable to obtain your agreement because of an emergency or your incapacity; (2) law enforcement officials need this information immediately to carry out their law enforcement duties; and (3) in our professional judgment disclosure to these officers is in your best interests;
    • If we suspect that a death resulted from criminal conduct;
    • If necessary to report a crime that occurred on our property; or
    • If necessary to report a crime discovered during an offsite medical emergency (for example, by emergency medical technicians at the scene of a crime).

    To Avert A Serious And Imminent Threat to Health or Safety. We may use your PHI or share it with others when necessary to prevent a serious and imminent threat to your health or safety, or the health or safety of another person or the public. We may also disclose your PHI to law enforcement officers or others if you tell us that you participated in a violent crime that may have caused serious physical harm to another person, if we determine that you escaped from lawful custody (such as a prison) or eloped from a mental health institution.

    National Security and Intelligence Activities or Protective Services. We may disclose your PHI to authorized federal officials who are conducting national security and intelligence activities or providing protective services to the President or other important officials.

    Military and Veterans. If you are in the Armed Forces, we may disclose PHI about you to appropriate military command authorities for activities they deem necessary to carry out their military mission. We may also release PHI about foreign military personnel to the appropriate foreign military authority.

    Inmates and Correctional Institutions. If you are an inmate or you are detained by a law enforcement officer, we may disclose your PHI to prison officers or law enforcement officers if necessary to provide you with healthcare, or to maintain safety, security and good order at the place where you are confined. This includes sharing information that is necessary to protect the health and safety of other inmates or persons involved in supervising or transporting inmates.

    Workers' Compensation. We may disclose your PHI for workers' compensation or similar programs that provide benefits for work-related injuries.

    Coroners, Medical Examiners and Funeral Directors. We may use PHI to identify a deceased person or determine the cause of death or disclose PHI to a coroner or medical examiner for such purposes. We may also release PHI to funeral directors as necessary to carry out their duties.

    Organ and Tissue Donation. If you are a potential organ donor, we may use or disclose your PHI to other organizations that procure or store organs, eyes or other tissues for the purpose of investigating whether donation or transplantation is possible .

    Research. In most cases, we will ask for your written authorization before using your PHI or sharing it with others in order to conduct research. However, under some circumstances, we may use and disclose your PHI without your written authorization if the hospital's Institutional Review Board, applying specific criteria, determines that the particular research protocol poses minimal risk to your privacy. Under no circumstances, however, would we allow researchers to use your name or identity publicly without your authorization. We may also release your PHI without your written authorization to people who are preparing a future research project as long as any information identifying you does not leave our facility. We may share PHI with people who are conducting research using the information of persons deceased less than 50 years, as long as they agree not to remove from our facility any information that identifies the deceased person.

    Completely De-identified or Partially De-identified Information. We may use and disclose your health information if we have removed any information that has the potential to identify you so that the health information is "completely de-identified." We may also use and disclose "partially de-identified" health information about you for research, public health and specific healthcare operations if the person who will receive the information signs an agreement to protect the privacy of the information. Partially de-identified health information will exclude all direct identifiers but may include zip code, dates of birth, admission and discharge.

    Incidental Disclosures. While we will take reasonable steps to safeguard the privacy of your PHI, certain disclosures of your PHI may occur during or as an unavoidable result of our otherwise permissible uses or disclosures of your PHI. For example, during the course of a treatment session, other patients in the treatment area may see or overhear discussion about your PHI.

    Attachment A 

    CONFIDENTIALITY OF HIV-RELATED INFORMATION
    Effective Date: September 2013

    The privacy and confidentiality of HIV-related information maintained by us is protected by Federal and State law and regulations. These protections go above and beyond the protections described in our general Notice of Privacy Practices (Notice). If you have questions about this Notice or would like further information, please contact: Privacy Office - 212-523-2162  

    We recommend that you also take time to review our Notice for information about how your protected health information (PHI) may generally be used and disclosed by us. If there is any conflict between the Notice and this Attachment, the protections described in this Attachment will apply.

    Confidential HIV-related information is any information indicating that you had an HIV-related test (even if the test is negative), have HIV-related illness or AIDS, or have an HIV-related infection, as well as any information which could reasonably identify you as a person who has had a test for or has HIV infection.

    Under New York State law, confidential HIV-related information may only be given to persons allowed to have it by law, or persons you have allowed to have it by signing a written authorization form. The disclosure will be accompanied by a statement that the HIV-related information may not be redisclosed.

    Confidential HIV-related information about you may be used by personnel within our Hospital who need the information to provide you with direct care or treatment, to process billing or reimbursement records, or to monitor or evaluate the quality of care provided at the hospital. Generally we may not reveal to an outside person confidential HIV-related information that the institution obtains in the course of treating you, unless:

    • We obtain your written authorization; note that if you provide written authorization to participate in a Health Information Exchange (HIE) all of your records will be made available including HIV-related information. If you do not agree to such disclosure, you should not agree to participate in an HIE.
    • The disclosure is to a person who is authorized to make healthcare decisions on your behalf and the information disclosed is needed by that person to make his/her decisions;
    • The disclosure is to another healthcare provider or payer for treatment or payment purposes;
    • The disclosure is to a health care provider of a staff member, employee or volunteer who was exposed to you while performing his/her job or professional duties under circumstances that present a risk of transmission of HIV;
    • The disclosure is to a third party of the institution who needs the information to provide you with direct care or treatment, to a Business Associate who needs it to assist us with obtaining payment or carrying out our business operations or to monitor or evaluate the quality of care provided at our Hospitals. In such cases, we will have an agreement with the third party to ensure that your confidential HIV-related information is protected as required under Federal and State confidentiality laws and regulations, and no statement prohibiting redisclosure is required.
    • The disclosure is required by law or court order;
    • The disclosure is to an organization that procures body parts for transplantation;
    • You receive services under a program monitored or supervised by a Federal, State or local government agency and the disclosure is made to such government agency or other employee or agent of the agency when reasonably necessary for the supervision, monitoring, administration or provision of the program’s services;
    • We are required under Federal or State law to make the disclosure to a health officer;
    • The disclosure is required for public health purposes;
    • You are an inmate at a correctional facility and disclosure of confidential HIV-related information to the medical director of such facility is necessary for the director to carry out his or her functions;
    • The patient is deceased and the disclosure is made to a funeral director who has taken charge of the deceased person’s remains and who has access in the ordinary course of business to confidential HIV-related information on the deceased person’s death certificate;
    • The disclosure is made to report child abuse or neglect to appropriate State or local authorities.

    Violation of these privacy regulations may subject the institution to civil or criminal penalties. Suspected violations may be reported to appropriate authorities in accordance with Federal and State law. To file a complaint, mail completed form DOH-2865 (Complaint Report for Alleged Violation of Article 27-F), available on the DOH website (http://www.health.ny.gov), to:
    NYS Department of Health/AIDS Institute/Special Investigation Unit
    5 Penn Plaza
    New York, New York 10001

    Attachment B 

    CONFIDENTIALITY OF ALCOHOL AND SUBSTANCE ABUSE TREATMENT INFORMATION
    Effective Date: September 2013

    The confidentiality of alcohol and substance abuse treatment records maintained by us is protected by Federal and State law and regulations. These protections go above and beyond the protections described in our Notice of Privacy Practices (Notice). If you have questions about this Notice or would like further information, please contact:
    Privacy Office 212-523-2162  

    We recommend that you also take time to review our Notice for information about how your protected health information (PHI) may generally be used and disclosed by us. Our Notice provides information about how you may obtain access to your PHI, including alcohol and substance abuse treatment records. If there is any conflict between the Notice and this Attachment, the protections described in this Attachment will apply instead of the protections described in the Notice.

    Confidential alcohol and substance abuse treatment records include any information that identifies you as having been diagnosed with, treated for or referred for treatment of alcohol abuse, substance abuse or chemical dependency.

    Information about you may be used by personnel within our Hospitals in connection with their duties to provide you with diagnosis of, treatment for or referral for treatment of alcohol or substance abuse. Such use will be limited to the minimum amount of information necessary to carry out their duties. Generally, we may not reveal to a person outside of our Hospitals any information that would identify you as under treatment for alcohol or substance abuse, unless:

    • We obtain your written authorization; note that if you provide written authorization to participate in a Health Information Exchange (HIE) all of your records will be made available including alcohol and substance abuse-related information. If you do not agree to such disclosure, you should not agree to participate in an HIE.
    • The disclosure is allowed by a court order and permitted under Federal and State confidentiality laws and regulations;
    • The disclosure is made to medical personnel in a medical emergency;
    • The disclosure is made to qualified researchers without your written authorization when such research poses minimal risk to your privacy. When required by law, we will obtain an agreement from the researcher to protect the privacy and confidentiality of your information;
    • The disclosure is made to a qualified service organization that performs certain treatment services (such as lab analyses) or to a Business Associate (BA) who needs it to assist us with obtaining payment or carrying out our business operations. We will obtain the qualified service organization or BA's agreement in writing to protect the privacy and confidentiality of your information in accordance with Federal and State law;
    • The disclosure is made to a government agency or other qualified non-government personnel to perform an audit or evaluation of our Hospitals. We will obtain an agreement in writing from any non-government personnel to protect the privacy and confidentiality of your information in accordance with Federal and State law;
    • The disclosure is made to report a crime committed by a patient either at our Hospitals or against any person who works for us or about any threat to commit such a crime;
    • The disclosure is made to coroners and medical examiners to determine cause of death;
    • The disclosure is made to report child abuse or neglect to appropriate State or Local authorities, as required by law.

    Violation of these privacy regulations is a crime. Suspected violations may be reported to appropriate authorities in accordance with Federal and State law.

    Attachment C 

    CONFIDENTIALITY OF MENTAL HEALTH INFORMATION AND PSYCHOTHERAPY NOTES
    Effective Date: September 2013

    The privacy and confidentiality of mental health information and psychotherapy notes maintained by us is protected by Federal and State law and regulations. These protections go above and beyond the protections described in our Notice of Privacy Practices (Notice). If you have questions about this Attachment or would like further information, please contact: Privacy Office 212-523-2162

    We recommend that you also take time to review our Notice for information about how your protected health information (PHI) may generally be used and disclosed by us. The Notice also provides information about how you may obtain access to your PHI, including mental health information. If there is any conflict between the Notice and this Attachment, the protections described in this Attachment will apply instead of the protections described in the Notice.

    CONFIDENTIALITY OF MENTAL HEALTH INFORMATION  

    Mental health information about you may be used by personnel within our Hospitals in connection with their duties to provide you with treatment, obtain payment for that treatment, or conduct our business operations. Generally, we may not reveal mental health information about you to other persons outside of our Hospitals, except in the following situations:

    • We obtain your written authorization; note that if you provide written authorization to participate in a Health Information Exchange (HIE) all of your records will be made available including mental health-related information. If you do not agree to such disclosure, you should not agree to participate in an HIE.
    • To a personal representative who is authorized to make healthcare decisions on your behalf;
    • To government agencies or private insurance companies in order to obtain payment for services we provided to you;
    • To a qualified service organization that performs certain treatment services (such as lab analyses) or to a Business Associate (BA) who needs it to assist us with obtaining payment or carrying out our business operations. We will obtain the qualified service organization or BA's agreement in writing to protect the privacy and confidentiality of your information in accordance with Federal and State law;
    • To comply with a court order;
    • To appropriate persons who are able to avert a serious and imminent threat to the health or safety of you or another person;
    • To appropriate government authorities to locate a missing person or conduct a criminal investigation as permitted under Federal and State confidentiality laws;
    • To other licensed hospital emergency services as permitted under Federal and State confidentiality laws;
    • To the mental hygiene legal service provided by New York State;
    • To attorneys representing patients in an involuntary hospitalization proceeding;
    • To authorized government officials for the purpose of monitoring or evaluating the quality of care provided by the hospital or its staff;
    • To qualified researchers without your specific authorization when such research poses minimal risk to your privacy;
    • To coroners and medical examiners to determine cause of death; and
    • If you are an inmate, to a correctional facility which certifies that the information is necessary in order to provide you with health care, or in order to protect the health or safety of you or any other persons at the correctional facility.

    CONFIDENTIALITY OF PSYCHOTHERAPY NOTES  

    Psychotherapy notes are notes by a mental health professional that document or analyze the contents of a conversation during a private counseling session or during a group, joint, or family counseling session. If these notes are maintained separately from the rest of your medical records, they can only be used and disclosed as follows:

    In general, Psychotherapy notes may not be used or disclosed without your written authorization, except by the mental health professional who created them in the following circumstances:

    • To provide you with further treatment;
    • To students, trainees, or practitioners in mental health who are learning under supervision to practice or improve their skills in group, joint, family, or individual counseling;
    • As necessary to defend him or herself, or our Hospitals, in a legal proceeding initiated by you or your personal representative;
    • As required by law;
    • To appropriate government authorities when necessary to avert a serious and imminent threat to the health or safety of you or another person;
    • To the United States Department of Health and Human Services when that agency requests them in order to investigate the mental health professional's compliance, or our compliance, with Federal privacy and confidentiality laws and regulations;
    • To medical examiners and coroners if necessary to determine the cause of death;
    • To a health oversight agency for a lawful purpose related to oversight of the mental health professional.

    All other uses and disclosures of psychotherapy notes require your special written authorization.  

    Attachment D 

    CONFIDENTIALITY OF GENETIC INFORMATION
    Effective Date September 2013

    The privacy and confidentiality of genetic information maintained by us is protected by State law and Federal regulations. Genetic information means, with respect to an individual: (i) the individual's genetic tests; (ii) the genetic tests of family members of the individual; (iii) the manifestation of a disease or disorder in family members of such individual; or (iv) any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by the individual or any family member of the individual. These protections go above and beyond the protections described in our general Notice of Privacy Practices (Notice). If you have questions about this Attachment or would like further information, please contact:
    Privacy Office 212-523-2162 

    We recommend that you also take time to review our Notice for information about how your protected health information (PHI) may generally be used and disclosed by us. Our Notice also provides information about how you may obtain access to your PHI, including confidential genetic information.

    Under New York State (NYS) law, special restrictions apply to (1) genetic testing of human biological samples and (2) the disclosure of information derived from genetic tests to any person or organization. Genetic test means any laboratory test of DNA, chromosomes, genes or gene products to detect a genetic variation linked to a predisposition to a genetic disease. It does not include information relating to a manifested disease (a disease that can be diagnosed primarily based on symptoms) or information obtained when confirming a disease with genetic testing.

    We will not perform a genetic test on a biological sample taken from you unless we obtains your written informed consent under NYS law. With your informed consent, we may use the results of your genetic test for treatment, payment and healthcare operations. Any other uses or disclosures of the results of your genetic test will generally require your written authorization. This authorization is separate from, and may not be combined with the informed consent.

    Authorization is not required if:

    • The disclosure is to a person who is authorized to make healthcare decisions on your behalf and the information disclosed is needed by that person to make his/her decisions;
    • The disclosure is made to a qualified service organization that performs certain treatment services (such as lab analyses) or to a Business Associate (BA) who needs it to assist us with obtaining payment or carrying out our business operations. We will obtain the qualified service organization or BA's agreement in writing to protect the privacy and confidentiality of your information in accordance with Federal and State law;
    • The disclosure is required or allowed by law or court order;
    • Our Institutional Review Board has decided to allow the disclosure of information obtained about you from genetic tests on your stored tissue, or information which links you with specific test results and you have signed either a Research Authorization form or a Consent to Release Genetic Information Form under NY Civil Rights Law §§ 79-l(3)(a) and 79-l(9)(d)].
    • If you provide written authorization to participate in a Health Information Exchange (HIE), all of your records will be made available including genetic information. If you do not agree to such disclosure, you should not agree to participate in an HIE.
    • Violation of these privacy regulations may subject us to civil or criminal penalties. Suspected violations may be reported to appropriate authorities in accordance with Federal and State law.