EFFECTIVE DATE: This Notice is effective October 24, 2024
University Health System, Inc.
The University of Tennessee Medical Center
Notice Of Privacy Practices
This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
At University Health System (UHS), your privacy is a priority. We follow applicable federal and state requirements to maintain the confidentiality of your medical information.
This Notice applies to the following UHS operations and affiliates and their workforce members: The University of Tennessee Medical Center, University Health Network, and University Health System Ventures, Inc. This Notice, however, does not apply to University Plastic & Reconstructive Surgery, clinical trials at The University of Tennessee Medical Center, or other functions that are not covered by HIPAA.
Important: UTMC may share your medical information with members of UTMC Medical Staff (doctors) and other independent medical professionals in order to provide treatment, payment, and healthcare operations and perform other activities for UTMC through the OHCA (Organized Health Care Arrangement.) Those professionals have agreed to follow this Notice and participate in the privacy program of UTMC, but many doctors (or other professionals) providing services in our facilities practice medicine as independent professionals who own their own businesses, so UTMC will not be responsible for their acts or omissions related to your care or privacy/security rights.
Our Responsibilities
UHS is required by law to:
- Maintain the privacy and security of your protected health information (“PHI”)
- Provide this notice of our duties and privacy practices concerning PHI
- Abide by the terms of this Notice so long as it remains in effect
“PHI” means individually identifiable health information, as defined by HIPAA, that is created or received by us and that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or for which there is a reasonable basis to believe the information can be used to identify the individual. PHI includes information of persons living or deceased.
How Do We Use and Disclose Medical Information?
When you visit a UHS facility, we may use your PHI to treat you, to obtain payment for services, and to conduct normal business known as health care operations. Examples of how we use your information include:
Treatment. We keep a record of each visit and/or admission, and your record may include your test results, diagnoses, medications, and your response to medications or other therapies. We use and disclose PHI to provide or arrange for medical treatment. For example, we may disclose PHI to doctors, nurses, technicians, medical students, volunteers, or other healthcare personnel or facilities involved in a patient’s care. Different departments may share PHI to coordinate the different things a patient needs, such as prescriptions, lab work and x-rays. This allows your doctors, nurses and other clinical staff to provide appropriate care to meet your needs. We may also use and disclose PHI to send treatment-related communications concerning treatment alternatives or other health-related products or services.
Payment. We document the services and supplies you receive at each visit or admission. We may use and disclose PHI to create bills and process payments. For example, we may provide a health insurer with information about a surgery a patient received so the insurer will pay for the surgery. We may also tell a health insurer about a treatment a patient will receive to obtain prior approval, or to determine whether the insurer will cover the treatment. We may tell your health plan about upcoming treatment or services that require their prior approval.
Health Care Operations. We use and disclose PHI for the operation of UHS and to ensure that all patients receive quality care. For example, medical information is used and shared to improve the services we provide; to train and evaluate staff and students; for business management; for quality improvement; to perform audits; to budget and plan; for credentialing, licensure, certification, and accreditation; for internal reviews; to evaluate staff performance; and for customer service.
Appointment Reminders/Treatment Alternatives/Health-Related Benefits and Services. We may use and disclose your PHI to contact you to remind you that you have an appointment for treatment or medical care, or to contact you to tell you about possible treatment options or alternatives or health related benefits and services that may be of interest to you. Please inform scheduling or admitting if you do not wish to participate by calling (865) 305-9501.
To You or Your Personal Representative. We may disclose your PHI to you, or a representative appointed by you or designated by applicable law.
Health Information Exchanges. We may release your medical records or other information about you to a Health Information Exchange or a health information network (called an “HIE”). HIEs provide healthcare providers (including doctors and health facilities) and insurance companies with the ability to share or “exchange” clinical information about you electronically. HIEs are designed to provide your physicians/health facilities/providers with greater access to your clinical information with the goal of reducing the number of tests and treatment delays that result from the use of paper medical records. This helps providers communicate and provide patients with safer care. HIEs are very helpful when providing care in emergencies. The healthcare providers who have access to HIEs will have access to any of your personal or health information that has been entered into the HIE and may use that information for treatment, payment, or healthcare operations, or as otherwise required/allowed by state and federal law.
- Sensitive information: Sensitive information (such as HIV/AIDs or other communicable disease, mental health, drug and alcohol treatment information) is protected under state and federal law. We will provide sensitive information to the HIE but have put into place protections to help prevent the disclosure of sensitive information to those other than your treating providers, their workforce members and business associates. However, because sensitive information cannot be completely isolated or removed from other medical information, there is a chance that sensitive information (or information that could indicate you have had treatment for a sensitive condition) could be included within your medical information. Therefore, if you are concerned at all about a certain piece of medical information being known, we strongly recommend you tell us you do not want your information in the HIE. In other words, you should “opt-out” of participation.
- To Opt-Out of the HIE If you do not want your personal or medical information automatically entered into or disclosed through an HIE, please let us know by contacting the Compliance Office at (865) 305-6566, or at registration points throughout UTMC. Please allow 5 business days for us to process your opt-out request. Information released to HIEs prior to processing of opt-out request may remain in the HIE. Please note that you must also opt-out separately with each of your physician and other providers who may participate in any HIEs.
Patient Portal. We may use and disclose information through a patient portal which allows you to securely view certain parts of your medical record such as lab results and billing information.
Philanthropic Support. We may use and disclose certain PHI (for example, your name, address, phone number and email address, but not any records subject to 42 CFR Part 2) for our fundraising activities, including to contact you for UHS or UTGSM fundraising. You have the right to ask not to be contacted for fundraising. If you do not wish to be contacted, please contact the Philanthropy office by phone or email at the following: (865) 305-6611 or [email protected].
Other Permitted Uses And Disclosures Of Health Care Information
Directory. Our hospitals and facility may maintain limited directory information (e.g., patient name, location, and general condition). The directory information may also include religious affiliation, which would be released only to clergy. Unless you object, the directory information (except for religious affiliation) will be released to those who ask for you by name. You may request that your information not be included in the directory or limit the information in the directory. Please inform scheduling or admitting if you do not wish to participate by calling (865) 305-9501.
Family and Friends Involved in Your Care. If you are available and do not object, we may disclose your PHI to your family, close friends, and others who are involved in your care or payment of a claim, or any other person you identify. If you are unavailable or incapacitated and we determine that a limited disclosure is in your best interest, we may share limited PHI with such individuals. Only the PHI that directly relates to that person’s involvement in your health care will be shard. We may use or disclose PHI to notify or assist in notifying (including identifying and locating) a family member, personal representative, or any other person that is responsible for your care about your location, general condition, or death.
Research. We may use and disclose PHI for research purposes when the research has been approved by an institutional review board that has reviewed the research proposal and established protocols to ensure the privacy of your PHI. We also may disclose health information about you to people preparing to conduct a research project (for example, to help them look for patients with specific medical needs), so long as the health information they review does not leave our organization.
Required by Law. We use or disclose your PHI to the extent that the use or disclosure is required by law. The use or disclosure will be made in compliance with the law and will be limited to the relevant requirements of the law. You will be notified, to the extent required by law, of any such uses or disclosures.
To Avert a Serious Threat to Health and Safety. Consistent with applicable federal and state laws, we may disclose your PHI, if we believe that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
Public Health Activities. We may use or disclose PHI for certain public health activities. This includes disclosures to a public health authority that is permitted by law to collect or receive the information for the purposes of preventing or controlling disease, injury or disability; reporting births, deaths, and certain injuries or illnesses; or conducting public health surveillance, public health investigations, and public health interventions. In addition, if directed by the public health authority, we may disclose PHI to a foreign government agency that is collaborating with the public health authority. We may also report reactions to medications or problems with products.
Abuse and Neglect. We may use or disclose your PHI to a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect. We may also disclose PHI about an individual whom we reasonably believe to be a victim of abuse, neglect, or domestic violence to a government authority (including a social service or protective services agency) authorized by law to receive reports of such abuse, neglect, or domestic violence. We may do this when required by law, if you agree to the disclosure, or when authorized by law and we believe the disclosure is necessary to prevent serious harm to the individual or other potential victims.
Communicable Diseases. We may disclose your PHI, if authorized by law, to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading the disease or condition.
Health Oversight Activities. We may disclose PHI to a health oversight agency for activities authorized by law. These oversight activities include audits; investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other similar activities involving the oversight of the health care system or government programs. Oversight agencies seeking this information include government agencies that oversee health care system, government benefit programs, other government regulatory programs and civil rights laws.
Food and Drug Administration. We may disclose your PHI to a person or company required by the Food and Drug Administration to report adverse events, product defects or problems, biologic product deviations; to track products to enable product recalls; to make repairs or replacements; or to conduct post marketing surveillance, as required by law.
Required Uses and Disclosures. We will, if required by law, release your PHI to the Secretary of the Department of Health and Human Services for enforcement of HIPAA.
Law Enforcement. We may also disclose your PHI if it is necessary for law enforcement authorities when required by law, including to report certain types of injuries, or in response to subpoenas, warrants, or summons; to identify or locate a suspect, fugitive, material witness, or missing person; to respond to requests about individuals who is or is suspected to be a victim of a crime; to alert law enforcement about a death; to report suspected criminal conduct committed at our facilities; or to alert law enforcement about a crime in certain emergency circumstances.
Lawsuits and Disputes. We may disclose PHI in response to a court or administrative order. We may also disclose PHI in response to a subpoena, discovery requests, or other lawful process.
Military Activity. If you are a member of the armed forces, we may use or disclose PHI to your commanding officer or other command authority so that your fitness for duty or for a particular mission may be determined, to comply with military health surveillance requirements, for activities deemed necessary by appropriate military command authorities, or for the purpose of a determination by the Department of Veterans Affairs of your eligibility for benefits. If you are a member of a foreign military service, we may release PHI about you to the appropriate foreign military authority.
For National Security and Intelligence Activities. We may disclose PHI to authorized federal officials for conducting national security, intelligence, and counterintelligence activities. PHI may also be disclosed to authorized federal officials so they may provide protection to the President, other authorized persons or foreign heads of state, or conduct special investigations.
Inmates. If a patient is an inmate or under the custody of a law enforcement official, we may disclose PHI to the correctional institutions or law enforcement officials.
Workers’ Compensation. If you seek treatment for a work-related illness or injury, we may disclose your PHI related to that injury or illness to workers' compensation agencies for your workers' compensation benefit determination or as authorized to comply with workers’ compensation laws and other similar legally established programs.
Coroners, Funeral Directors, and Medical Examiners. We may disclose certain PHI to a coroner, medical examiner, or funeral director, as authorized by law, in order to permit them to carry out their duties.
Organ Donation. PHI may be used and disclosed to organ procurement organizations, tissue banks and eye banks and, upon request, to the person or entity that you designated to be the recipient, as necessary to facilitate organ or tissue donation and transplantation, including cadaveric organ, eye or tissue donation purposes.
Business Associates. We may disclose PHI to our business associates that perform functions on our behalf or provide us with services if the information is necessary for such functions or services. Examples of these outside persons and organizations might include vendors that help us process claims. At times it may be necessary for us to provide certain of your PHI to one or more of these outside persons or organizations. All of our business associates are obligated, under contract with us, to protect the privacy of your information and are not allowed to use or disclose any information other than as specified in our contract.
Disaster Relief Organizations. We may use or disclose your PHI to an authorized public or private entity to assist in disaster relief efforts for the purpose of coordinating uses and disclosures to family or other individuals involved in your health care.
Uses and Disclosures of PHI that Require Your Written Authorization
Except as outlined above, we will not use or disclose your PHI unless you have signed a form authorizing the use or disclosure. Uses and disclosures of your PHI that involve the release of psychotherapy notes (if any), marketing, sale of your PHI, or other uses or disclosures not described in this Notice will be made only with your written authorization. You may revoke an authorization at any time, in writing, except to the extent we have taken an action in reliance on the use or disclosure indicated in the authorization. We are unable to take back any disclosures we have already made with your permission.
Special Protections for HIV, Alcohol and Substance Abuse, Mental Health, Genetic Information, and Reproductive Health Information
Certain federal and state laws may require special privacy protections that restrict the use and disclosure of certain health information, including HIV-related information, alcohol and substance abuse information, mental health information, and genetic information. For this type of information, we may be required to get your written permission before disclosing it to others, and we may seek that permission if permitted by law. If you have any questions about this, you may contact our Privacy Officer for more information. In the event applicable law, other than HIPAA, prohibits or materially limits our uses and disclosures of PHI, as described above, we will restrict our uses or disclosure of your PHI in accordance with the more stringent standard.
Substance Use. Substance use disorder treatment records received from programs subject to 42 CFR Part 2, or testimony relaying the content of such records, will not be used or disclosed in civil, criminal, administrative, or legislative proceedings against the individual unless based on written consent or a court order after notice and an opportunity to be heard is provided to the individual or the holder of the record, as provided in 42 CFR Part 2. A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested record is used or disclosed.
Reproductive Health Care. We are prohibited from using and disclosing PHI in connection with any of the following activities: (1) conducting a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care; (2) imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care; or (3) identifying any person for any such purpose, in each case where we determine that the activity is related to care that is lawful under applicable state law (such as abortions in certain states), is authorized, required, or protected under federal law (such as contraception), or is provided by a third party and certain presumptions under HIPAA apply. For example, we are not allowed to use or disclose PHI for a law enforcement investigation regarding an individual seeking or obtaining reproductive health care where such care was lawful under the circumstances in which it was provided.
If we receive a valid attestation from the requestor, we may, however, disclose PHI potentially related to reproductive health care for (1) health oversight activities (for example, licensure or disciplinary actions), (2) judicial and administrative proceedings (for example, in response to a court order), (3) law enforcement purposes (for example, in response to a grand jury subpoena), and (4) coroners and medical examiners (related to deceased persons). For example, if we receive a request for reproductive health information from a medical examiner who provides a valid attestation that the requested information will only be used for a permissible purpose (such as determining a cause of death), we may disclose the information to the medical examiner so long as all other legal requirements are met.
Redisclosure
Please be aware that information disclosed to a third party may no longer be protected by HIPAA and may be further used and disclosed by the recipient unless otherwise prohibited by law.
Your Rights
The following describes your rights with respect to your PHI and how you may exercise these rights. All requests must be submitted in writing to the Privacy Officer. Please contact the Privacy Officer if you need additional information regarding any of these rights.
Restrictions on Use and Disclosure of Your PHI. You have the right to request restrictions on certain of our uses and disclosures of your PHI. This means that you may ask us not to make uses or disclosures of your PHI for treatment, payment, or health care operations purposes; disclosures to persons involved in your care; and disclosures for disaster relief purposes. For example, you may request that we not disclose your PHI to your spouse. Your request must describe in detail the restriction you are requesting. We are not required to agree to your request but will attempt to accommodate reasonable requests when appropriate. If we agree to the requested restriction, we will not use or disclose your PHI in violation of that restriction unless it is needed to provide emergency treatment or otherwise required by law. With this in mind, please discuss any restriction you wish to request with your physician. You may request a restriction by contacting our Privacy Officer. Your request must state the specific restriction requested and to whom you want the restriction to apply. We will honor requests to restrict the disclosure of PHI by us to a health plan for payment or health care operations when the information you wish to restrict pertains solely to a health care item or service for which you paid us out-of-pocket in full. For this purpose, “in full” means the amount we charge for the service, not your copay, coinsurance, or deductible responsibility when your health plan or insurer pays for your care. If you think you may wish to restrict the disclosure of your health information for a certain service, please let us know as early in your visit as possible by asking to speak with the Privacy Officer.
Request for Confidential Communications. You have the right to request that communications regarding your PHI be made by alternative means or at alternative locations. For example, you may request that messages not be left on voicemail or sent to a particular address. We are required to accommodate reasonable requests, but we may condition an accommodation by asking you for information as to how payment will be handled or specification of an alternative address or other method of contact. Requests for confidential communications must be in writing, signed by you or your representative, and sent to us at the address below. Your request must specify how or where you wish to be contacted, but we will not request an explanation from you as to the basis for the request. Please make this request in writing to our Privacy Officer.
Access to Your PHI. With certain exceptions, you have the right of access to copy and/or inspect your PHI that we maintain in designated record sets. If we maintain the requested information in an electronic health record, you have the right to request that we send a copy in an electronic format. A “designated record set” contains medical and billing records and any other records that we use for making decisions about you. Under federal law, however, you may not inspect or copy psychotherapy notes or information compiled in reasonable anticipation of, or use in, a civil, criminal, or administrative action or proceeding. Certain requests for access to your PHI must be in writing, must state that you want access to your PHI and must be signed by you or your representative. Access request forms are available from us at the address below. We may charge you a reasonable fee for copying and postage. Depending on the circumstances, we may deny your request to inspect and/or copy your PHI. A decision to deny access may be reviewable, and we will inform you of your rights. Please contact the Privacy Officer if you have any questions about access to your PHI.
Amendments to Your PHI. You have the right to request that PHI that we maintain about you be amended or corrected. If you feel that PHI is incorrect or incomplete, you may request an amendment of PHI about you in your designated record set for as long as we maintain this information. We are not obligated to make all requested amendments but will give each request careful consideration. If we deny your request for amendment, you have the right to file a statement of disagreement with us and we may prepare a rebuttal to your statement and will provide you with a copy of the rebuttal. To be considered, your amendment request must be in writing, must be signed by you or your representative, and must state the reasons for the amendment/correction request. Please be specific about the information that you believe is incorrect or incomplete. Amendment request forms are available from us at the address below. Please contact our Privacy Officer if you have questions about amending your medical record.
Accounting for Disclosures of Your PHI. You have the right to receive an accounting of certain disclosures made by us of your PHI. This right only applies to disclosures made by us during the last six years, and it does not include all types of disclosures. Examples of disclosures that we are required to account for include those to state insurance departments, pursuant to valid legal process, or for law enforcement purposes. However, the accounting will not include disclosures we may have made for treatment, payment, or healthcare operations; to you; pursuant to an authorization; for a facility directory; to family members or friends involved in your care, or for notification purposes. The right to receive this information is also subject to certain exceptions, restrictions, and limitations. If you submit a request, you must state the time period for which you want this listing (for example, six months). To be considered, your accounting requests must be in writing and signed by you or your representative. Accounting request forms are available from us at the address below. The first accounting in any 12-month period is free; however, we may charge you a fee for each subsequent accounting you request within the same 12-month period.
Right to a Copy of the Notice. You have the right to a paper copy of this Notice upon request by contacting us at the telephone number or address below. We will provide you with a paper copy of this Notice even if you have agreed to accept this Notice electronically.
Data Breach Notifications. You have the right to receive notice of a data breach. We are required to notify affected individuals following a breach of unsecured PHI, as defined under HIPAA. If your PHI is affected by a breach, we will notify you in accordance with applicable law.
Revisions
We reserve the right to change the terms of this Notice and to make the new Notice effective for all PHI that we maintain. We will promptly distribute any updates whenever there is a material change to the uses or disclosures of PHI, your rights, our legal duties, or other privacy practices stated in the Notice. Revised notices will be available in our facilities and on our website. You can also obtain any revised notice by contacting our Privacy Officer. The new notice will be effective for all PHI that we maintain at the time as well as any information we receive in the future.
Contact Us
If you would like to exercise your rights, or if you have privacy concerns:
University Health System, Inc. Privacy Officer
Phone: (865) 305-5743
Fax: (865) 305-6968
Address: 2121 Medical Center Way Suite 310
Knoxville, TN 37920
Call the Confidential Reporting line at 1-877-591-6744.
Complaints. If you have any questions or complaints or believe your privacy rights have been violated, you can file a complaint with us in writing to our Privacy Officer at the address above. You may also file a complaint in writing with the Secretary of the U.S. Department of Health and Human Services in Washington, D.C. To submit a complaint to the Department of Health and Human Services, you may contact the Office for Civil Rights of the Department of Health and Human Services, Hubert H. Humphrey Building, 200 Independence Avenue, SW, Room 509F, Washington, D.C. 20201. There will be no retaliation for filing a complaint.
Need More Information?
Visit our website at www.utmedicalcenter.org
Call or write the Privacy Officer at the number and address listed.