Notice of Privacy Practices for MedStar Health
Effective date: October 1, 2009
Date Amended: October 30, 2023
This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
How we may use and disclose health information
Your privacy rights regarding your health information
Changes to this Notice of Privacy Practices
Our Notice of Privacy Practices is available in the following languages:
Download Adobe Reader
Who will follow this notice
This Notice applies to the MedStar Health affiliated covered entity. For a current list of the members of the affiliated covered entity, please visit this link: MedStarHealth.org/Patient-Privacy-Policy/HIPAA-Affiliated-Covered-Entity-Designation. This Notice also applies to all healthcare professionals, employees, medical staff, trainees, students, and volunteers within the MedStar Health affiliated covered entity.
Our obligation to you
MedStar Health is committed to the protection of your medical information. In our mission to serve our patients, it is our vision to be the Trusted Leader in Caring for People and Advancing Health. We create and obtain information about you and use it to provide you with quality care and to comply with certain legal requirements. We are required by law to maintain the privacy of your health information and to give you this Notice of our legal duties, our privacy practices, and your rights. We are required to follow the terms of our most current Notice. When we disclose information to other persons and companies to perform services for us, we will require them to protect your privacy. There are other laws we are required to follow that may provide additional protections, such as laws related to mental health, behavioral health, alcohol and other substance abuse, genetic information, and communicable disease or other health conditions.
How we may use and disclose health information
Treatment
We may use and disclose your health information to provide treatment or services, to coordinate or manage your health care, or for medical consultations or referrals. For example, we may use and disclose your health information among doctors, nurses, technicians, clinical observers, medical students, and other personnel who are involved in taking care of you, professionals in-training to observe or participate in your care under proper supervision at our facilities, or with such persons outside our facilities. We may use or share information about you to coordinate the different services you need, such as prescriptions, lab work, and X-rays. We may disclose information about you to people outside our facility who may be involved in your care after you leave, such as family members, home health agencies, therapists, nursing homes, clergy, and others. We may give information to your health plan or another provider to arrange a referral or consultation.
Payment
We may use and disclose your health information so that we can receive payment for the treatment and services that were provided. For example, we may share information with your insurance company, or a third party used to process billing information. We may contact your insurance company to verify what benefits you are eligible for, to obtain prior authorization for services, and to tell them about your treatment to make sure that they will pay for your care. We may disclose information to third parties to bill you or to bill those who may be responsible for payment, such as family members involved with your payment. We may disclose information to third parties that help us process payments, such as billing companies, claims processing companies, and collection companies.
Health care operations
We may use and disclose your health information for MedStar Health’s operations as permitted by law. For example, we may use and disclose your health information as necessary to operate our facility and make sure that all of our patients receive quality care. We may use health information to improve our performance or to find better ways to provide care. We may use health information to grant medical staff privileges or to evaluate the competence of our healthcare professionals. We may use your health information to decide what additional services we should offer and whether new treatments are effective. We may disclose information to students, professionals, and clinical observers for review and learning purposes. We may combine our health information with data from other healthcare facilities to compare how we are doing and see where we can make improvements. We may use health information for business planning, or disclose it to attorneys, accountants, consultants, and others in order to make sure we are complying with the law. We may remove health information that identifies you so others may use the de-identified information to study health care and healthcare delivery without learning who you are. If operating as a health plan, we will not use or disclose genetic information for underwriting purposes (this does not apply to long-term care plans).
Accountable care organizations (ACO) and insurance carriers (Maryland only)
We may use your health information or disclose your health information to an ACO or insurance company for payment, health care operations, and any other purpose permitted by law. For example, we will disclose information from your medical records with insurance carriers to enhance or coordinate patient care, obtain payment, conduct quality assessment and improvement activities, and manage our business. You may opt out of the sharing of certain medical records which otherwise would be disclosed to an insurance carrier or ACO for care coordination purposes by submitting a request to us here: acodatasharing@medstar.net
State laws, when applicable, impose restrictions on the use of health information we may disclose to an insurance company or ACO. For example, if you received care in the state of Maryland, a disclosure to an insurance company for care coordination purposes may not be used for underwriting or utilization review purposes.
Appointment reminders and service information
We may use or disclose your health information to contact you to provide appointment reminders, or to let you know about treatment alternatives or other health-related services or benefits that may be of interest to you.
Business Associates
There are some services provided by MedStar Health through contracts with other vendors or providers, referred to as business associates. For example, we may use a copy service when making copies of your health record, engage with consultants, accountants, lawyers, medical transcriptionists, and third-party billing companies. When these services are contracted, we may disclose your health information to our business associates so they can perform the job we’ve asked them to do. To protect your health information, however, we require the business associate to appropriately safeguard your information.
Certain marketing activities
We may use your medical information to forward promotional gifts of nominal value to you, to communicate with you about products, services, and educational programs offered by MedStar Health, to communicate with you about case management and care coordination, and to communicate with you about treatment alternatives. We do not sell your health information to any third party for their marketing activities unless you sign an authorization allowing us to do this.
Correctional facilities
If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release your health information to the correctional institution or law enforcement official. We may release your health information for your health and safety, for the health and safety of others, or for the safety and security of the correctional institution.
Fundraising activities
We depend extensively on philanthropy to support our healthcare missions. We may use your name and other limited information to contact you, including the dates of your care, the name of the department where you were treated, and the name of your treating physician so that we may provide you with an opportunity to donate to our programs. We may collaborate with a third-party including Georgetown University to manage our fundraising activities. If we or any of our agents contact you for fundraising or philanthropy purposes, you will be told how you may opt out of future contact.
Health information exchanges
We may participate in health information exchanges (HIEs) to facilitate the secure exchange of your electronic health information between and among several healthcare providers or other healthcare entities for your treatment, payment, or other healthcare operations purposes. We may share information about you through HIEs for treatment, payment, healthcare operations, or research purposes. This means we may share information we obtain or create about you with outside entities (such as hospitals, doctors’ offices, pharmacies, or insurance companies) or we may receive information they create or obtain about you (such as medication history, medical history, or insurance information) so that each of us can provide better treatment and care coordination. In addition, if you visit any MedStar Health facility, your health information may be available to other clinicians and staff who may use it to care for you, to coordinate your health services, or for other permitted purposes.
The Chesapeake Regional Information System for our Patients (CRISP) is a regional HIE serving Maryland and D.C. in which we participate. You may “opt out” and disable access to your health information available through CRISP by calling 1-877-952-7477 or completing and submitting an Opt-Out form to CRISP by mail, fax, or through their website at CRISPHealth.org. Even if you opt out of CRISP, public health reporting, and Controlled Dangerous Substances information, as part of the State Prescription Drug Monitoring Program (PDMP), will still be available to providers through CRISP as permitted by law.
We also participate in the CommonWell Health Alliance® Services (CommonWell), a national network of organizations aligned to streamline the secure sharing of health data with a goal of improving care coordination and health outcomes. You may opt out and disable access to your health information available through CommonWell by completing and submitting an Opt-Out form to us by mail, fax, e-mail, or through the opt-out form can be found here: MedStarHealth.org/Patient-Privacy-Policy/CommonWell
Individuals involved in your care or payment for your care
We may give your health information to people involved in your care, such as family members or friends, unless you ask us not to. We may give your information to someone who helps pay for your care. We may share your information with other healthcare professionals, government representatives, or disaster relief organizations, such as the Red Cross, in emergency or disaster-relief situations so they can contact you, your family, or friends to coordinate disaster-relief efforts.
Organ and tissue donation, and transplant activities
We may use or disclose your health information in connection with organ donations, eye or tissue transplants or organ donation banks, as necessary to facilitate these activities.
Patient directories
We may keep your name, location in the facility, and your general condition in a directory to give to anyone who asks for you by name. We may give this information and your religious affiliation to clergy, even if they do not know your name. You may ask us to keep your information out of the directory, but you should know that if you do, visitors and florists will not be able to find your location in our facility. Even if you ask us to keep your information out of the directory, we may share your information for disaster relief efforts or in declared emergency situations.
Public health activities
We may disclose your health information to public health or legal authorities whose official activities include preventing or controlling disease, injury, or disability. For example, we must report certain information about births, deaths, and various diseases to government agencies. We may disclose health information to coroners, medical examiners, and funeral directors as allowed by the law to carry out their duties. We may use or disclose health information to report reactions to medications, problems with products, or to notify people of recalls of products they may be using. We may use or disclose health information to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease.
Required by law, legal proceedings, health oversight activities, and law enforcement
We will disclose your health information when we are required to do so by federal, state, and other law. For example, we may be required to report victims of abuse, neglect, or domestic violence, as well as patients with gunshot and other wounds. We will disclose your health information when ordered in a legal or administrative proceeding, such as a subpoena, discovery request, warrant, summons, or other lawful process. We may disclose health information to a law enforcement official to identify or locate suspects, fugitives, witnesses, victims of crime, or missing persons. We may disclose health information to a law enforcement official about a death we believe may be the result of criminal conduct, or about criminal conduct that may have occurred at our facility. We may disclose health information to a health oversight agency for activities authorized by law, such as audits, investigations, inspections, and licensure.
Research
We may use or disclose your health information for research that has been approved by one of our official research review boards, which has evaluated the research proposal and established standards to protect the privacy of your health information. We may use or disclose your health information to a MedStar Health researcher preparing to conduct a research project. Serious threat to health and safety: We may use or disclose your health information when necessary to prevent a serious threat to your health and safety, or the health and safety of the public or another person. We will only disclose health information to someone reasonably able to help prevent or lessen the threat, such as law enforcement or government officials.
Specialized government functions
If you are in the military or a veteran, we will disclose your health information as required by command authorities. We may disclose health information to authorized federal officials for national security purposes, such as protecting the President of the United States or the conduct of authorized intelligence operations. We may disclose health information to make medical suitability determinations for Foreign Service.
Workers compensation
We may use or disclose your health information as required by applicable workers compensation laws and similar requirements.
Your written authorization
Other uses and disclosures of your health information not covered by this Notice, or the laws that govern us, will be made only with your written authorization. These include the sale of your health information, use of your health information for marketing purposes, and certain disclosures of psychotherapy notes. You may revoke your authorization in writing at any time, and we will discontinue future uses and disclosures of your health information for the reasons covered by your authorization. We are unable to take back any disclosures that were already made with your authorization, and we are required to retain the records of the care that we provided to you.
Your privacy rights regarding your health information
The records of your medical information are the property of MedStar Health. You have the following rights, however, regarding medical information that we maintain about you:
Right to access, review, and receive a copy of your health information
You have the right to access, review, and receive a copy of your medical and billing records and other health information that we have about you, with certain exceptions. To do so, please contact the MedStar Health facility where you received treatment, or the MedStar Health Privacy Office listed below. You will be required to submit your request in writing. You may request to see or receive an electronic or paper copy of your health information. You may also request that we send a copy of your records directly to a person you identify in your request. Ask us how to do this. As permitted by law, we may charge you a reasonable, cost-based fee for the cost of copying or mailing your record (and the electronic media if the request is to provide the information on portable electronic media).
We will provide a copy of your medical record usually within 30 days. In certain situations, we may deny your request. If we do, we will tell you, in writing, our reasons for the denial and explain how to have the denial reviewed.
Right to update your medical record
If you believe that important information is missing from your medical record, you have the right to request that we add an amendment to your record. Your request must be in writing, and it must contain the reason for your request. To submit your request, please contact the facility where you received treatment, or the MedStar Health Privacy Office listed below. We will make every effort to fulfill your request usually within 60 days. We may deny your request to amend your record if the information being amended was not created by us, if we believe that the information is already accurate and complete, or if the information would not be contained in records that you would be permitted by law to review and copy. If we deny your request, you will be notified in writing usually within 60 days.
Right to get a list of the disclosures we have made
You have the right to request a list (i.e., accounting) of the disclosures that we have made of your health information for the six years prior to the date of your request. This list is not required to include disclosures made for treatment, payment, and healthcare operations, and certain other disclosure exceptions. Your request must be in writing and indicate in what form you want the list (for example, on paper, electronically). To request a list of disclosures, please contact the facility where you received treatment, or the MedStar Health Privacy Office listed below. The first list you request in a 12-month period is free. For additional lists, we may charge a fee, as permitted by law.
Right to request a restriction on certain uses or disclosures
You have a right to request a restriction on how we use and disclose your medical information for treatment, payment, and healthcare operations, and to certain family members or friends identified by you, who are involved in your care or the payment of your care. Your request must be in writing, and it must (1) describe the specific information you want to limit, (2) whether you want to limit our use, disclosure, or both, and (3) to whom you want the limits to apply. Generally, we are not required to agree to your request, and we will notify you if we are unable to agree. However, we must agree to your request if your request concerns disclosure of your information to you and a health plan, or to someone on your behalf, or for out-of-pocket paid in full treatment or services.
Right to breach notification
You have the right to be notified if there is a breach of your health information. A breach means health information is acquired, accessed, used, or disclosed in a manner not permitted by law which causes it to be compromised.
Right to choose a patient representative
You have the right to choose a representative to act on your behalf. If you have given someone medical power of attorney, that person can exercise your rights and make choices about your health information. We will make efforts to verify the person you designate has this authority and can act for you before we take any action.
Rights of minors, parents, and guardians
This Notice also applies to minors. Minors have a right to the same privacy protections for their medical information. If a minor is emancipated or can make independent healthcare decisions without parental or guardian knowledge or permission under applicable law, the minor has the authority to hold all privacy rights in this Notice with respect to those independent healthcare decisions. If under applicable law, a parent, guardian, or other person acting in place of a parent has authority to act on behalf of an unemancipated minor in making decisions related to the health care of the minor, MedStar Health must treat that person as the minor’s personal representative, including with respect to this Notice.
Right to choose how you receive your health information
You have the right to request that we communicate with you in a certain way, such as by mail or fax, or at a certain location, such as a home address or post office box. We will try to honor your request if we reasonably can. Your request must be in writing, and it must specify how or where you wish to be contacted. To submit a request, please contact the facility where you received treatment, or the MedStar Health Privacy Office listed below.
Right to confidential communication with us
If we contact you by mail or a phone number you provide, you have the right to request that we communicate with you in an alternate means or alternative location. Your request must be reasonable, submitted to us in writing, and must provide a method to contact you. If you direct your request to one or more of our health plans, you must also explain how the disclosure of all or part of your information would endanger you. If your request pertains to payment, you must provide information as to how payments will be handled and an alternate method for us to communicate effectively with you.
Right to obtain a copy of this Notice of Privacy Practices
We will post a copy of our current Notice in our facilities and on our website at MedStarHealth.org. A copy of our current Notice will be available at our registration areas or upon request. To request a copy of our current Notice, please contact the MedStar Health Privacy Office or call 410-772-6606.
Questions or complaints
Privacy Officer
MedStar Health, Inc.
10980 Grantchester Way
Columbia, MD 21044
410-772-6606
PrivacyOfficer@MedStar.net
or
U.S. Department of Health and Human Services Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C., 20201
1-877-696-6775 (toll free)
www.hhs.gov/ocr/privacy/hipaa/complaints/
If you have questions about this Notice, or would like to exercise your Privacy Rights, please contact the facility where you received treatment, or the MedStar Health Privacy Office.
Changes to this notice of privacy practices
We reserve the right to change this Notice. We reserve the right to make the revised Notice effective for medical information we already have about you as well as any information we receive in the future. We will post a copy of the current Notice in each MedStar Health facility and on our website at MedStarHealth.org. In addition, you may request a copy of the Notice currently in effect and we will promptly provide you with a copy of the Notice.
Additional information
El Aviso sobre Prácticas de Privacidad está disponible en español.
Footnote: MedStar Health, Inc. is a non-profit, community-based healthcare system serving District of Columbia, Maryland, and Virginia region. The system is made up of a number of separate healthcare providers and other diversified healthcare entities. Each provider is independently responsible for providing medical services to patients in a professional manner and in compliance with applicable laws and regulations.