UPMC's Notice of Privacy Practices
Effective Date: September 23, 2013
At UPMC, we are committed to protecting the privacy of your medical information, as federal and state laws require. When we say “information,” we mean health, treatment, or payment information that identifies you. Attached is UPMC’s “Notice of Privacy Practices.” The Notice explains how we meet this commitment. The Notice also explains your legal rights about what is in your health record. All people and places that make up UPMC must follow the Notice. However, this does not include UPMC Health Plan or UPMC as an employer. This Summary tells you in brief what the Notice says. THIS SUMMARY IS NOT A COMPLETE LISTING OF HOW WE USE AND DISCLOSE (SHARE) YOUR HEALTH INFORMATION. IF YOU HAVE A QUESTION ABOUT ANY OF THE INFORMATION IN THIS SUMMARY, YOU SHOULD REVIEW THE FULL NOTICE OF PRIVACY PRACTICES OR ASK A UPMC STAFF MEMBER FOR MORE INFORMATION. UPMC has the right to change this Summary and the Notice without first notifying you.
How UPMC may use and share your health information
Without your consent, UPMC can use and share your health information to:
- Provide you with medical treatment and other services.
- Receive payment from you, an insurance company, or someone else for services we provide to you.
- Coordinate your care, which may include such things as giving you appointment reminders and telling you about other treatment options.
- Contact you for certain marketing and fundraising activities, unless otherwise indicated by you.
- Comply with the law.
- Meet special situations as described in the Notice, such as public health, safety, and research.
- Exception: This does not include behavioral health, drug and alcohol, and AIDS/HIV information.
Unless you object, UPMC can:
- Include your name and other information in the hospital directory.
- Share your health information with a family member or a close personal friend.
All other uses and sharing of your health information will be done only with your specific written permission or as required by law.
Your legal rights about your health information
- Right to ask to see and request a copy of your medical record
- Right to ask that incorrect or incomplete information in your medical record be corrected
- Right to ask for a list of all people and organizations who UPMC disclosed your health information to, subject to limits permitted by law
- Right to ask UPMC to limit how we use and share your health information without your consent
- Right to ask for confidential communications
- Right to ask for a paper copy of the Notice of Privacy Practices
Violation of privacy rights
If you believe your privacy rights have been violated, you have a right to file a complaint. Please see UPMC’s Notice of Privacy Practices for more details.
In the event that a breach of your protected health information occurs at UPMC or one of its Business Associates, you will be provided written notification as required by law.
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED (SHARED) AND HOW YOU CAN GET ACCESS TO (SEE AND COPY) THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
What is a notice of privacy practices?
UPMC understands that your health information is personal. We create and maintain a record with information about the care and services you receive at UPMC. We need this information to provide you with quality care and to comply with the law. This Notice of Privacy Practices (Notice) applies to all information about your care that UPMC, and all of the people and places that make up UPMC, (a list of entities that this notice covers accompanies this notice below) may create, maintain, or receive. This includes information that UPMC receives from other doctors and medical facilities that are not part of UPMC, but that UPMC keeps to help give you better care. The Notice tells you about the ways we may use and share your health information, as well as the legal duties we have about your health information. The Notice also tells you about your rights under federal (United States) and state (Pennsylvania) laws. In this Notice, the words “we,” “us,” and “our” mean UPMC and all the people and places that make up UPMC which are described below.
Who follows UPMC’s Notice of Privacy Practices?
All of the people and places that make up UPMC follow this Notice. UPMC includes hospitals, doctors, rehabilitation services, skilled nursing services, home health services, pharmacy services, laboratory services and other related health care providers. UPMC also includes departments, units, and staff within our health care facilities, health care professionals permitted by us to provide services to you, and students, residents, trainees, volunteers, and others involved in providing your care. UPMC may share and use your health information for purposes of treating you, obtaining payment for services provided to you, and/or health care operations as described in this Notice. You can learn more about UPMC at www.upmc.com.
This Notice does not apply to the UPMC Health Plan or UPMC as an employer. These UPMC entities are separate covered entities for the purpose of the Health Insurance Portability and Accountability Act (HIPAA) and have their own Notice. Additionally, if your doctor is not a member of a physician practice that is owned by UPMC, he or she may have different policies about how to handle your information and will have a separate Notice.
Our duty to protect your health information
We are required by law to:
- Make sure that information that identifies you is kept private.
- Make available to you this Notice that describes the ways we use and share your health information as well as your rights under the law about your health information.
- Follow the Notice that is currently in effect.
How we may use and share your health information with others
The law permits us to use and share your health information in certain ways. When we share this information with others outside of UPMC, we will share what is reasonably necessary. When we act in response to your written permission, share information to help treat you, or are directed by the law, we will share all information that you, your health care provider, or the law permits or requires. The list below tells you about different ways that we may use your health information and share it with others. We have also provided you with examples of what we mean. Every possible example of how we may use or share information is not listed below. However, all of the ways we are permitted to use and share information fall into one of the groups below. When possible, we will use health information that does not identify you.
- Ways We Are Allowed to Use and Share Your Health Information With Others Without Your Consent or as the UPMC General Consent for Treatment, Payment, and Health Care Operations Provides:
- Treatment. We may use your health information to give you medical treatment or services. We may share your health information with people and places that provide treatment to you. For example, if you have diabetes, the doctor may need to tell the dietitian about your diabetes so that you get the kind of meals you need. We may share health information about you with people outside of UPMC who provide follow-up care to you, such as nursing homes and home care agencies. At all times, we will comply with any regulations that apply.
- Payment. In order to receive payment for the services we provide to you, we may use and share your health information with your insurance company or a third party. We also may share your health information with another doctor or facility that has treated you so that they can bill you, your insurance company, or a third party. For example, some health plans require your health information to pre-approve you for surgery and require pre-approval before they pay us.
- Health Care Operations. We may use and share your health information so that we, or others that have provided treatment to you, can better operate the office or facility. For example, we may use your health information to review the treatment and services we gave you and to see how well our staff cared for you. We may share your health information with our researchers so they can develop plans to conduct research. We may share information with our students, trainees, and staff for review and learning purposes.
- Business Associates. We may share your health information with others called “business associates,” who perform services on our behalf. The Business Associate must agree in writing to protect the confidentiality of the information. For example, we may share your health information with a billing company that bills for the services we provided.
- Appointment Reminders. We may use and share your health information to remind you of your appointment for treatment or medical care. For example, if your doctor has sent you for a test, the place where the testing will be done may call you to remind you of the date you are scheduled.
- Appointment Confirmations. We may use and share your health information to confirm the time, place and attendance of your appointment for treatment with third-party transportation services.
- Treatment Options and Other Health-Related Benefits and Services. We may use and share your health information to tell you about possible treatment options and other health-related benefits and services that may interest you. For example, if you suffer from an illness or condition, we may tell you about a special treatment or research study that is being offered.
- Fundraising Activities. We may use and share with a Business Associate or a foundation that is related to us your name, address, phone number, and other such information (called “demographic information”), the dates that health care was provided to you, general department information regarding the department where services were rendered, the name of your treating physician, and outcome information. You may then be asked for a donation to UPMC. For example, you may receive a letter from a UPMC foundation asking for a donation to support enhanced patient care, treatment, education or research at UPMC. Any fund-raising materials will explain how you can tell us, a business associate, or a foundation that you do not want to be contacted in the future.
- Marketing Activities. We may use or share your health information for marketing purposes without your permission when we discuss such products or services with you face to face or to provide you with an inexpensive promotional gift related to the product or service. For example, you may receive samples of products or drugs during a visit to a UPMC hospital or facility. For other types of marketing activities we will obtain your written permission before using or sharing your health information. We will not sell your name or any identifiable health information to others without your authorization.
- Research. We may use and share your health information for research 1) if our researcher obtains permission from a special UPMC committee that decides if the request meets certain standards required by law; or 2) if you provide us with your written permission to do so. You may participate in a research study that requires you to obtain hospital and other health care services. In this case, we may share the information that we create 1) to our researcher who ordered the hospital or other health care services; and 2) to your insurance company in order to receive payment for services that your insurance will pay for. We may use and share with a UPMC researcher your health information if certain parts of your information that would identify you, such as your name and other items that the law describes are removed before we share it with the UPMC researcher. This will be done when the researcher signs a written agreement with us that the researcher will not share the information again, will not try to contact you, and will obey other requirements that the law provides. We may also share your health information with a Business Associate who will remove information that identifies you so that the remaining information can be used for research.
- Special Situations. In the following situations, the law either permits or requires us to use or share your health information with others. Pennsylvania law may further limit these disclosures; for example, in cases of behavioral health information, drug and alcohol treatment information, and HIV status:
- As Required by Law. We will share your health information when federal, state, or local law requires us to do so.
- If we believe that you have been a victim of abuse, neglect (except child abuse or neglect) or domestic violence, we may share your health information with an authorized government agency. We will do so either if you agree to our sharing this information or if the law allows us to do so and we believe that we need to share the information in order to protect you or someone else. If we decide to share your health information for this purpose, we will tell you unless we believe that telling you would put you at risk of harm or you are a personal representative of the victim and may be involved in the abuse, neglect, or injury.
- We may share your health information in response to an administrative or court order, a subpoena, a discovery request, or other legal process if we are advised that you have been made aware of the request or we receive notice either that you agree or, if you disagree with the request, that you are taking action to prevent the disclosure.
- We may share your health information with a law enforcement official or authorized individuals 1) to comply with laws, including laws that require the reporting of injury or death suspected to have been caused by criminal means; 2) in response to a court order, warrant, subpoena, or summons; 3) or in emergency situations.
- If asked to do so by a law enforcement official, we may share your health information if you are an adult victim of a crime and, in certain limited cases, we are unable to obtain your permission and the law enforcement official meets certain conditions described by law.
- To Prevent a Serious Threat to Health or Safety. We may use and share your health information with persons who may be able to prevent or lessen the threat or help the potential victim of the threat when doing so is necessary to prevent a serious threat to the health and safety of you, the public, or another person. Pennsylvania law may require such disclosure when an individual or group has been specifically identified as the target or potential victim.
- Organ and Tissue Donation. To assist in the process of eye, organ or tissue transplants, in the event of your death, we may share your health information with organizations that obtain, store, or transplant eyes, organs, or tissue.
- Special Government Purposes. We may use and share your health information with certain government agencies, such as:
- Military and Veterans. We may share your health information with military authorities as the law permits if you are a member of the armed forces (of either the United States or a foreign government).
- National Security and Intelligence. We may share your health information with authorized federal officials for intelligence, counter-intelligence and other national security activities authorized by law.
- Protective Services for the President and Others. We may share your health information with authorized federal officials to protect the President of the United States, other authorized persons, or foreign heads of state. We may also share your health information for purposes of conducting special investigations as authorized by law.
- Workers’ Compensation. We may share your health information for Workers’ Compensation or similar programs that provide benefits for work-related injuries or illness.
- Public Health. We may share your health information with public health authorities for public health purposes to prevent or control disease, injury, or disability. This includes, but is not limited to, reporting disease, injury, and important events such as birth or death, and conducting public health monitoring, investigations, or activities. For example, we may share your health information to 1) report child abuse or neglect; 2) collect and report on the quality, safety, and effectiveness of products and activities regulated by the Food and Drug Administration (FDA) (such as drugs and medical equipment, and could include product recalls, repairs, and monitoring); or 3) notify a person who may have been exposed to or is at risk of spreading a disease.
- Health Oversight. We may share your health information with a health oversight agency for purposes of 1) monitoring the health care system; 2) determining benefit eligibility for Medicare, Medicaid, and other government benefit programs; and 3) monitoring compliance with government regulations and civil rights laws.
- Coroners, Medical Examiners, and Funeral Directors. We may share your health information with a coroner or medical examiner in order to identify a deceased person, determine the cause of death, or for other reasons allowed by law. We also may share your health information with funeral directors, as necessary, so they can carry out their duties.
- Inmates. If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may share your health information with the correctional institution or law enforcement official. This would be necessary 1) for the institution to provide you with health care; 2) to protect your health and safety or the health and safety of others; or 3) for the safety and security of the correctional institution.
- Other Ways We Are Allowed to Use and Provide Your Health Information to Others
- Hospital Directory. We may include limited information about you in the hospital directory while you are a patient at a UPMC hospital or other facility. The information may include your name, location in the building, general condition, such as “stable,” “serious,” “critical,” and your religious affiliation. Except for your religious affiliation, the directory information may be released to people who ask for you by name. We may give your religious affiliation to a member of the clergy, such as a priest or rabbi, even if they don’t ask for you by name. This helps your family, friends, and clergy who visit you to know how you are doing. You have the right to ask that all or part of your information not be given out. If you do so, we will not be able to tell your family or friends your room number or that you are in the hospital or facility.
- People Involved in Your Care or Payment for Your Care. We may share your health information with a friend, family member, or another person identified by you who is involved in your medical care or the payment of your medical care. We may share your health information with these persons if you are present or available before we share your health information with them and you do not object to our sharing your health information with them, or we reasonably believe that you would not object to this. If you are not present and certain circumstances indicate to us that it would be in your best interests to do so, we will share information with a friend or family member or someone else identified by you, to the extent necessary. This could include sharing information with your family or friend so that they could pick up a prescription or a medical supply. We may tell your family or friends that you are in a UPMC hospital and your general condition. We may share medical information about you with an organization assisting in a disaster relief effort.
- Exception to the Above. If you are a patient in a psychiatric/mental/behavioral health facility or a drug and alcohol facility, none of the above information will be given to anyone outside of UPMC unless you give your written permission. If you are under 14 years of age, this permission must come from your parents or legal guardians. If you are 14 years or older, this permission must come from you.
- In All Other Ways, We Will Require Your Written Permission Before Your Health Information Is Used or Shared With Others
Except as stated in Sections A and B, your written permission is required before we can use or share your health information with anyone outside of UPMC. This permission is provided through a form. If you give us permission to use or share health information about you, you may cancel that permission, in writing, at any time. If you cancel your permission, we will no longer use or share your health information for the reasons you have given us in your written permission. However, we are unable to take back any information that we have already shared with your permission.
Your Rights Concerning Your Health Information
The law gives you the following rights about your health information:
- Right to Ask to See and Request a Copy. You have the right to ask to see and request a copy of the health information we used to make decisions about your care. This includes your right to request a copy of your electronic medical record in electronic form. Your request must be in writing and given to your doctor or the place where you were treated. You can call your doctor’s office or the place where you were treated to find out how to do this. If you ask to see or request a copy of your health information, you may have to pay fees as permitted by law. We may tell you that you cannot see nor have a copy of some or all of your health information. If we tell you this, you may ask that someone else at UPMC review this decision. A licensed health care professional chosen by UPMC will review those that can be reviewed. This person will not be the same person who refused your request. We will do whatever this person decides.
- Right to Ask for a Correction. If you feel that health information we have about you is incorrect or incomplete, you may ask us to correct the information. You have the right to ask for a correction for as long as the information is kept by or for UPMC. You must put your request in writing and give it to your doctor or the place where you received care. If you do not ask in writing or give your reasons in writing, we may tell you that we will not do as you have asked. We have the right to refuse your request if you ask us to correct information that 1) was not made by us, unless the person or place that originally made the information is no longer available to make the correction; 2) is not part of the health information kept by or for UPMC; 3) is not part of the information you are permitted by law to see and copy; or 4) we decide is correct and complete.
- Right to Ask for an "Accounting of Disclosures."
- Generally. You have the right to ask us for an “accounting of disclosures.” This is a list of those people and organizations who have received or have accessed your health information. This right does not include information made available for treatment, payment, or health care operations, or made available when you have provided us with permission to do so. You must put your request in writing and give it to your doctor or the place where you received care. You can call your doctor’s office or the place where you received care to find out how to ask for the list. You must include in your written request how far back in time you want us to go, which may not be longer than six years.
- Information that is Maintained Electronically. Subject to a schedule established by federal law, if we maintain your health information electronically (in our computer), you have the right to ask for an accounting of disclosures of where UPMC disclosed your health information. In accord with federal law, you may request an accounting for a period of three years prior to the date the accounting is requested. You also have the right to ask our business associates for an accounting of their disclosures. We will post a list of all of our business associates and how to contact them on our website.
- Right to Ask for Limits on Use and Sharing.
- Generally. You have the right to ask us to limit the health information we use or share with others about you for treatment, payment, or health care operations. You also have the right to ask us to limit health information that we share with someone who is involved in your care or payment for your care, like a family member or friend. You can call your doctor’s office or the place where you received your care to get instructions on how to submit such a request. In your request, you must tell us 1) what information you want to limit; 2) whether you want to limit our use, disclosure or both; and 3) the person or institution the limits apply to (for example, your spouse). For example, you could ask that we not use or share information about a surgery you had. You must put your request in writing and give it to your doctor or the place where you received your care. We are not required to agree to your request. If we do agree to your request, we still may provide information, as necessary, to give you emergency treatment.
- Services Paid For by You. Where you have paid for your services out of pocket in full, at your request, we will not share information about those services with a health plan for purposes of payment or health care operations. “Health plan” means an organization that pays for your medical care.
- Right to Ask for Confidential Communications. You have the right to ask that we contact you about your health information in a certain way or at a certain location that you believe provides you with greater privacy. For example, you can ask that we contact you at work or by mail. Your request must state how or where you wish to be contacted. You must make your request in writing to your doctor or the place where you received care. You do not need to provide a reason for your request. We will comply with all reasonable requests.
- Right to Ask for a Paper Copy of This Notice. You may ask us to give you a copy of this Notice at any time. Even if you have agreed to receive this Notice electronically (for example, through the computer), you still have the right to a paper copy of this Notice. You can get a copy of this Notice at our website. To obtain a paper copy of this Notice, contact your doctor’s office or the registration department of the place where you received care.
- UPMC Insurance Division is prohibited from requesting, requiring, or purchasing genetic information with respect to any individual prior to such individual's enrollment in a health plan, and from using genericl information for underwriting purposes.
Violation of Privacy Rights
In the event that a breach of your protected health information occurs by UPMC or one of its Business Associates, you will be provided with written notification as required by law.
If you believe your privacy has been violated by us, you may file a confidential complaint directly with us. You can do this by contacting the UPMC Privacy Officer at the hospital or facility where you received care or by calling the UPMC Compliance HelpLine at 1-877-983-8442, or the UPMC Office of Patient and Consumer Privacy at 412-647-5757.
You also may file a complaint with the Secretary of the U.S. Department of Health and Human Services. To file a complaint with the Secretary of Health and Human Services, you must 1) name the UPMC place or person that you believe violated your privacy rights and describe how that place or person violated your privacy rights; and 2) file the complaint within 180 days of when you knew or should have known that the violation occurred. All complaints to the Secretary of the U.S. Department of Health and Human Services must be in writing and addressed to:
U.S. Department of Health and Human Services
200 Independence Ave. S.W.
Washington, DC 20201
You will not be penalized for filing a complaint.
Changes to This Notice
We reserve (have) the right to change this Notice. We reserve (have) the right to make the revised or changed Notice effective for health information we already have about you and for any future health information. We will post a copy of the revised Notice in the places where we provide medical services. The Notice will contain the effective date on the first page, in the top right-hand corner. We will provide to you, if you ask us, a copy of the Notice that is currently in effect each time you register at UPMC as an inpatient or outpatient for treatment or health care services.
If You Have Questions About This Notice
If you have any questions about this Notice, please contact your doctor or the place where you received care. You also may contact UPMC’s Notice of Privacy inquiry line at 412-647-6286, or the UPMC Office of Patient and Consumer Privacy at 412-647-5757.
Entities Covered by UPMC's Notice of Privacy Practices
UPMC's Notice of Privacy Practices covers all organizations under the control of UPMC, including, but not limited to:
UPMC Bedford Memorial
UPMC Hamot **
UPMC Horizon–Shenango Valley
UPMC St. Margaret
Children's Hospital of Pittsburgh of UPMC
Eye & Ear Institute
Magee-Womens Hospital of UPMC
Western Psychiatric Institute and Clinic of UPMC
**Affiliated with UPMC Hamot
Hamot Medical Center
Hamot Primary Care Network
Hamot Diabetes Institute
Hamot Health Connection
Bayside Pharmacy (Hamot)
Hamot Sports Medicine Center
Great Lakes Home Healthcare (Hamot)
Great Lakes Home Health Services (Hamot)
Great Lakes Hospice (Hamot)
Great Lakes Home Medical (Hamot)
UPMC Hamot Joint Ventures
The Regional Cancer Center (PDF)
UPMC Surgery Centers
UPMC Monroeville Surgery Center
UPMC South Surgery Center
Other UPMC Facilities & Entities
UPMC Cancer Center
UPMC Community Provider Services
UPMC at Home
Physician Services Division
Credentialed Medical Staff Physicians
UPMC Cancer Centers joint ventures:
Skilled Nursing, Retirement, Assisted Living, Independent Living, and Long-term Care Freestanding Facilities
Organized Health Care Arrangements
- UPMC Insurance Services Arrangement
- Skilled Nursing Facility Arrangements
- Charles M. Morris Nursing & Rehabilitation Center / JAA
- Manor Care of Monroeville PA, LLC d.b.a. ManorCare Health Services, Monroeville
- Manor Care of Whitehall Borough, Pittsburgh PA LLC d.b.a. ManorCare Health Services, Whitehall Borough
- Presbyterian Medical Center of Oakmont Inc. d.b.a. The Willows of Presbyterian Senior Care
- Vincentian Collaborative System / Vincentian Home
- Oncology Services