Privacy Practices

Printable Version

This information is also available in printable format as a PDF. 

Privacy Practices (PDF)

This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

Notice of Privacy Practices

Effective October 1, 2006

The following is the notice of privacy practices ("Privacy Practices") of the Miami University Student Health Services (the "Covered Entity") as described in the Health Insurance Portability and Accountability Act of 1996 and regulations promulgated thereunder, commonly known as HIPAA. HIPAA requires the Covered Entity by law to maintain the privacy of your personal health information and to provide you with notice of the Covered Entity's legal duties and privacy practices with respect to your personal health information. The Covered Entity is required by law to abide by the terms of this Privacy Practices.

Your Personal Health Information

The Covered Entity collects personal health information from or about you through treatment, payment and related healthcare operations and/or healthcare providers or health plans, or through other activities in connection with the general management of the Covered Entity, as applicable. Your personal health information that is protected by law broadly includes any information, verbal, written or recorded, that is created or received by certain health care entities, including health care providers, such as physicians and hospitals, as well as, health insurance companies or health plans. The law specifically protects health information that contains data, such as your name, address, social security number, and others, that could be used to identify you as the individual patient who is associated with that health information.

Uses or Disclosures of Your Protected Health Information

Generally, the Covered Entity may not use or disclose your protected health information without your permission. Further, once your permission has been obtained, the Covered Entity must use or disclose your protected health information in accordance with the specific terms of that permission. The following are the circumstances under which the Covered Entity is permitted by law to use or disclose your protected health information.

  • Without Your Permission - Without your permission, the Covered Entity may use or disclose your protected health information in order to provide you with services and the treatment you require or request, or to collect payment for those covered services that you may receive and to conduct other related health care operations in connection with the general management of the Covered Entity otherwise permitted or required by law. Also, the Covered Entity is permitted to disclose your protected health information within and among those persons performing services for the Covered Entity.
    • Examples of treatment activities include:

(a) the provision, coordination, or management ,of health care and related services by health care providers;

(b) consultation between health care providers relating to a patient; or

(c) the referral of a patient for health care from one health care provider to another.

    • Examples of payment activities include:

(a) billing and collection activities and related data processing;

(b) actions by a health plan or insurer to obtain premiums or to determine or fulfill its responsibilities for coverage and provision of benefits under its health plan or insurance agreement, determinations of eligibility or coverage, adjudication or subrogation of health benefit claims;

(c) medical necessity and appropriateness of care reviews, utilization review activities; and

(d) disclosure to consumer reporting agencies of information relating to collection of premiums or reimbursement.

    • Examples of health care operations include:

(a) development of clinical guidelines;

(b) contacting patients with information about treatment alternatives or communications in connection with case management or care coordination;

(c) reviewing the qualifications of and training health care professionals;

(d) underwriting and premium rating;

(e) medical review, legal services, and auditing functions; and

(f) general administrative activities such as customer service and data analysis.

  • As Required By Law - The Covered Entity may use or disclose your protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.
    • Examples of instances in which the Covered Entity is required to disclose your protected health information include:

(a) public health activities including, preventing or controlling disease or other injury, public health surveillance or investigations, reporting adverse events with respect to food or dietary supplements or product defects or problems to the Food and Drug Administration, medical surveillance of the workplace or to evaluate whether the individual has a work related illness or injury in order to comply with Federal or state law;

(b) disclosures regarding victims of abuse, neglect, or domestic violence including, reporting to social service or protective services agencies;

(c) health oversight activities including, audits, civil, administrative, or criminal investigations, inspections, licensure or disciplinary actions, or civil, administrative, or criminal proceedings or actions, or other activities necessary for appropriate oversight of government benefit programs;

(d) judicial and administrative proceedings in response to an order of a court or administrative tribunal, a warrant, subpoena, discovery request, or other lawful process;

(e) law enforcement purposes including, for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, or reporting crimes in emergencies, or reporting a death;

(f) disclosures about decedents for purposes of cadaveric donation of organs, eyes, or tissue;

(g) for research purposes under certain circumstances;

(h) to avert a serious threat to health or safety;

(i) military and veterans activities;

(j) national security and intelligence activities, protective services of the President and others;

(k) medical suitability determinations by entities that are components of the Department of State;

(1)correctional institutions and other law enforcement custodial situations;

(m) to covered entities that are government programs providing public benefits, and for workers' compensation.

  • All Other Situations, With Your Written Authorization - Except as otherwise permitted or required, as described above, the Covered Entity may not use or disclose your protected health information without your written authorization. Further, the Covered Entity is required to use or disclose your protected health information consistent with the terms of your authorization. You may revoke your authorization to use or disclose any protected health information at any time, except to the extent that either the Covered Entity has taken action in reliance on such authorization, or, if you provided the authorization as a condition of obtaining insurance coverage, other law provides the insurer with the right to contest a claim under the policy.
  • Miscellaneous Activities, Notice - The Covered Entity may contact you to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be available to you. The Covered Entity may contact you to raise funds for the Covered Entity.
Your Rights With Respect to Your Personal Health Information

Under HIPAA, you have certain rights with respect to your protected health information. The following is a brief overview of your rights and the Covered Entity's duties with respect to enforcing those rights.

  • Right To Request Restrictions On Use Or Disclosure - You have the right to request restrictions on certain uses and disclosures of your protected health information.
    • You may request restrictions on the following uses or disclosures:

(a) to carry out treatment, obtain payment or with respect to healthcare operations of the Covered Entity;

(b) disclosures to your family members, relatives, or close personal friends of protected health information directly relevant to your care or payment related to your health care,or your location, general condition, or death;

(c) instances in which you are not present or when your permission cannot practicably be obtained due to your incapacity or an emergency circumstance;

(d) permitting other persons to act on your behalf to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information; or

(e) disclosure to a public or private entity authorized by law or by its charter to assist in disaster relief efforts.

    • While the Covered Entity is not required to agree to any requested restriction, if the Covered Entity agrees to a restriction, the Covered Entity is bound not to use or disclose your protected healthcare information in violation of such restriction, except in certain emergency situations. You cannot request to restrict uses or disclosures that are otherwise required by law.
  • Right To Receive Confidential Communications - You have the right to receive confidential communications of your protected health information. The Covered Entity may require written requests for confidential communications that include an alternative address or method of contact. The Covered Entity may not require you to provide an explanation of the basis for your request as a condition of providing communications to you on a confidential basis. However, the Covered Entity is required by law to accommodate reasonable requests to receive communications of protected health information by alternative means or at alternative locations if you clearly state disclosure of all or part of the information could endanger you.
  • Right To Inspect And Copy Your Protected Health Information - Your designated record set is a group of records the Covered Entity maintains that includes medical records and billing records about you, enrollment, payment, claims adjudication, and case and medical management records, as applicable. You have the right of access in order to inspect and obtain a copy your protected health information contained in your designated record set, except for

(a) psychotherapy notes,

(b) information complied in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding, and

(c) health information maintained by the Covered Entity to the extent to which the provision of access to you would be prohibited by law. The Covered Entity may require written requests for access. The Covered Entity must provide you with hard copy access to your protected health information if you request it and, if it is available and, if not, in any other form reasonably available. The Covered Entity may provide you with a summary of the protected health information requested, in lieu of providing access to the protected health information or may provide an explanation of the protected health information to which access has been provided, if you agree in advance to such a summary or explanation and agree to the fees imposed for such summary or explanation. The Covered Entity will provide you with access as requested in a timely manner, including arranging with you a convenient time and place to inspect or obtain copies of your protected health information or mailing a copy to you at your request. The Covered Entity may discuss the scope, format, and other aspects of your request for access as necessary to facilitate timely access. If you request a copy of your protected health information or agree to a summary or explanation of such information, the Covered Entity may charge a reasonable cost-based fee for copying, postage, if you request a mailing, and the costs of preparing an explanation or summary as agreed upon in advance.

The Covered Entity reserves the right to deny you access to and copies of certain protected health information as permitted or required by law. The Covered Entity will reasonably attempt to accommodate any request for protected health information by, to the extent possible, giving you access to other protected health information after excluding the information as to which we have a ground to deny access. Upon denial of a request for access or request for information, the Covered Entity will provide you with a written denial specifying the basis for denial, a statement of your rights, and a description of how you may file a complaint with the Covered Entity. If the Covered Entity does not maintain the information that is the subject of your request for access but the Covered Entity knows where the requested information is maintained, the Covered Entity will inform you of where to direct your request for access.

  • Right To Amend Your Protected Health Information - You have the right to request that the Covered Entity amend your protected health information or a record about you contained in your designated record set, for as long as the designated record set is maintained by the Covered Entity. The Covered Entity has the right to deny your request for amendment, if:

(a) the Covered Entity determines that the information or record that is the subject of the request was not created by the Covered Entity, unless you provide a reasonable basis to believe that the originator of the information is no longer available to act on the requested amendment,

(b) the information is not part of your designated record set maintained by the Covered Entity,

(c) the information is prohibited from inspection by law, or

(d) the information is accurate and complete. The Covered Entity may require that you submit written requests and provide a reason to support the requested amendment. If the Covered Entity denies your request, the Covered Entity will provide you with a written denial stating the basis of the denial, your right to submit a written statement disagreeing with the denial, and a description . of how you may file a complaint with the Covered Entity or the Secretary of the U.S. Department of Health and Human Services. This denial will also include a notice that if you do not submit a statement of disagreement, you may request that the Covered Entity include your request for amendment and the denial with any future disclosures of your protected health information that is the subject of the requested amendment. Copies of all requests, denials, and statements of disagreement will be included in your designated record set. If the Covered Entity accepts your request for amendment, the Covered Entity will make reasonable efforts to inform and provide the amendment within a reasonable time to persons identified by you as having received your protected health information prior to amendment and persons that the Covered Entity knows have the protected health information that is the subject of the amendment and that may have relied, or could foreseeably rely, on such information to your detriment. All requests for amendment shall be sent to Karen Kammer, 117 Health Services Center, Miami University, 421 South Campus Avenue, Oxford, Ohio 45056 or Kammerkh@MiamiOH.edu

  • Right To Receive An Accounting Of Disclosures Of Your Protected Health Information - Beginning __________(date), you have the right to receive a written accounting of all disclosures of your protected health information that the Covered Entity has made within the six (6) year period immediately preceding the date on which the accounting is requested. You may request an accounting of disclosures for a period of time less than six (6) years from the date of the request. Such accountings will include the date of each disclosure, the name and, if known, the address of the entity or person who received the information, a brief description of the information disclosed, and a brief statement of the purpose and basis of the disclosure or, in lieu of such statement, a copy of your written authorization or written request for disclosure pertaining to such information. The Covered Entity is not required to provide accountings of disclosures for the following purposes:

(a) treatment, payment and healthcare operations,

(b) disclosures pursuant to your authorization,

(c) disclosures to you,

(d) for a facility directory or to persons involved in your care,

(e) for national security or intelligence purposes,

(f) to correctional institutions, and

(g) with respect to disclosures occurring prior to October 1, 2006.

The Covered Entity reserves the right to temporarily suspend your right to receive an accounting of disclosures to health oversight agencies or law enforcement officials, as required by law. The Covered Entity will provide the first accounting to you in any twelve (12) month period without charge, but will impose a reasonable cost-based fee for responding to each subsequent request for accounting within that same twelve (12) month period. All requests for an accounting shall be sent to Karen Kammer, 117 Health Services Center, Miami University, 421 South Campus Avenue, Oxford, Ohio 45056 or Kammerkh@muohio.edu.

Complaints

You may file a complaint with the Covered Entity and with the Secretary of the U.S. Department of Health and Human Services if you believe that your privacy rights have been violated. You may submit your complaint in writing by mail or electronically to the Covered Entity's Privacy Officer Karen Kammer, 117 Health Services Center, Miami University, 421 South Campus Avenue, Oxford, Ohio 45056 or Kammerkh@MiamiOH.edu.  

A complaint must name the entity that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable requirements of HIPAA or this Privacy Policy. A complaint must be received by the Covered Entity or filed with the Secretary of the U.S. Department of Health and Human Services within 180 days of when you knew or should have known that the act or omission complained of occurred. You will not be retaliated against for filing any complaint.

Amendments to this Privacy Policy

The Covered Entity reserves the right to revise or amend this Privacy Policy at any time. These revisions or amendments may be made effective for all protected health information the Covered Entity maintains even if created or received prior to the effective date of the revision or amendment. The Covered Entity will provide you with notice of any revisions or amendments to this Privacy Policy, or changes in the law affecting this Privacy Notice, by mail or electronically within 60 days of the effective date of such revision, amendment, or change.

On-going Access to Privacy Policy

The Covered Entity will provide you with a copy of the most recent version of these Privacy Practices at any time upon your written request sent to Karen Kammer, 1117 Health Services Center, Miami University, 421 South Campus Avenue, Oxford, Ohio 45056. Also, the most current version of the Privacy Practices can be obtained from the Covered Entity's Internet website at www.MiamiOH.edu/studenthealth. For any other requests or for further information regarding the privacy of your protected health information, and for information regarding the filing of a complaint with the Covered Entity, please contact the Covered Entity's Privacy Officer Karen Kammer, 117 Health Services Center, Miami University, 421 South Campus Avenue, Oxford, Ohio 45056 or 513/529-3000 or Kammerkh@MiamiOH.edu