Notice of Privacy Practices
Effective date: 04/14/2003
Revised date: 11/01/2016
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a U.S. law that requires health care organizations to follow procedures for safeguarding private medical information.
This notice describes how medical information about you may be used and disclosed and how you can get access to this medical information.
Please review it carefully.
For more information about Norton Healthcare’s privacy policies, contact Norton Healthcare Health Information Management Department at (502) 629-8527 or call the Norton Healthcare Privacy Hotline at (502) 629-8051 or (866) 264-4567.
Who will follow this notice
This notice describes Norton Healthcare’s practices and those of:
- Any health care professional authorized to enter information into a patient’s chart
- All departments and units within Norton Healthcare facilities
- Any member of a volunteer group that Norton Healthcare allows to help patients while they are in a Norton Healthcare facility
- All employees, staff and other facility personnel and participating members of the medical staffs
- Norton Healthcare hospitals, physician practices and any other owned or managed entities of Norton Healthcare
All these entities, sites and locations follow the terms of this notice. In addition, these entities, sites and locations may share with each other medical information related to patient treatment, payment or hospital operations described in this notice and as otherwise permitted by law.
Norton Healthcare’s pledge regarding health information privacy
We understand that medical information about the health of our patients is personal. We are committed to protecting patients’ personal medical information. We create a record of the care and services you receive at Norton Healthcare facilities. We need this record to provide you with quality care and to comply with certain legal requirements.
This notice applies to patient care records generated by Norton Healthcare hospitals and facilities, whether made by facility personnel or by a patient’s physician. A patient’s doctor may have different policies or notices about the use and disclosure of medical information created in the doctor’s office or clinic.
This notice explains ways in which Norton Healthcare may use and disclose medical information about its patients. It also describes patients’ rights and certain obligations Norton Healthcare has regarding the use and disclosure of medical information.
Norton Healthcare is required by law to:
- Make sure medical information that identifies patients is kept private.
- Give patients this notice of our legal duties and privacy practices with respect to patients’ medical information.
- Obtain an acknowledgment from each patient regarding receipt of this notice.
- Follow the terms of the notice that are currently in effect.
How Norton Healthcare may use and disclose patients’ medical information
The following categories describe different ways Norton Healthcare uses and discloses medical information. For each category of uses or disclosures, there is an explanation and examples. Not every use or disclosure in a category will be listed. However, all of the ways Norton Healthcare is permitted to use and disclose information will fall within one of these categories.
For treatment. Norton Healthcare may use medical information about patients to provide medical treatment or services. We may disclose medical information about patients to doctors, nurses, technicians, medical or health care professions students, or other facility personnel who are involved in care at a Norton Healthcare hospital or facility. For example, a doctor treating a patient for a broken leg may need to know if the patient has diabetes, because diabetes may slow the healing process. In addition, the doctor may need to tell the dietitian if a patient has diabetes so that appropriate meals can be arranged. Different departments of the hospital also may share medical information about patients in order to coordinate the different things patients need, such as prescriptions, lab work and X-rays. We also may disclose medical information about patients to people outside the hospital or to other facilities who may be involved in a patient’s medical care after discharge, such as family members, clergy or others who will be providing continuing care.
For payment. Norton Healthcare may use and disclose medical information about patients so that the treatment and services received may be billed to and payment may be collected from patients, an insurance company or a third party. For example, we may need to provide health plan information about the surgery received at the hospital so a patient’s health plan will pay the hospital or reimburse the patient for the surgery. We may also tell a patient’s health plan about a treatment he or she is going to receive to obtain prior approval or to determine whether the patient’s plan will cover the treatment.
Please note, we will comply with your request not to disclose your health information to your health plan if the information relates solely to a health care item or service for which you have paid out of pocket and in full to us. This restriction does not apply to the use or disclosure of your health information for your medical treatment.
For health care operations. Norton Healthcare may use and disclose medical information about patients for health care operations. These uses and disclosures are necessary to run our facilities and make sure that all of our patients receive quality care. For example, we may use medical information to review our treatment and services and to evaluate the performance of our staff in caring for patients or for accreditation or credentialing activities. We also may combine medical information about many hospital patients to decide what additional services the hospital should offer, what services are not needed and whether certain treatments are effective. We may disclose information to doctors, nurses, technicians, medical students and other hospital personnel for review and learning purposes.
Appointment reminders. Norton Healthcare may use and disclose medical information to remind patients of appointments for treatment or medical care at a Norton Healthcare hospital or facility.
Treatment alternatives. Norton Healthcare may use and disclose medical information to tell patients about or recommend possible treatment options or alternatives that may be of interest.
Health-related benefits and services. Norton Healthcare may use and disclose medical information to tell patients about our own health care-related products and services that may be of interest so long as certain conditions set by law are satisfied. These communications may include information to help patients manage and improve their health, schedules of upcoming classes and health screenings, and Norton Healthcare’s magazine Get Healthy, among others. If patients do not want to receive this type of information, they can write to Norton Healthcare, Marketing and Communications, 224 E. Broadway, Third Floor, Mailbox M-46, Louisville, KY 40202.
Fundraising activities. Norton Healthcare may use medical information to contact patients in an effort to support Norton Healthcare facilities and programs through one of our two foundations. We may disclose medical information to a business associate or to the foundation related to Norton Healthcare so that the business associate or foundation may contact patients in raising money for Norton Healthcare. We will only use the following information without your permission: your contact information, such as a name, address, phone number, dates of treatment or services, the general department in which you were treated, the name of your treating physician and, if you had a less than an optimal outcome, that information as well. Note: Norton Healthcare does not require that you participate in receiving fundraising communications in order to receive treatment. Patients who do not want to be contacted for fundraising efforts must notify the Foundations Office in writing at 234 E. Gray St., Suite 450, Louisville, KY 40202.
Marketing activities. We may, without obtaining your authorization and so long as we do not receive payment from a third party for doing so, (1) provide you with marketing materials in a face-to-face encounter, (2) give you a promotional gift of nominal value, and/or (3) tell you about our own health care products and services. We will ask your permission to use your health information for any other marketing activities.
Hospital directory. Norton Healthcare may include certain limited information about patients in a directory while they are patients in the hospital. This information may include name, location in the hospital and general condition (e.g., fair, stable, etc.). The directory information, except for religious affiliation, may be released to people who ask for patients by name. Additionally, a patient’s religious affiliation may be provided to a member of the clergy, such as a priest or rabbi, even if they do not ask for a patient by name. This release of information is so a patient’s family, friends and clergy can visit the patient in the hospital and generally know how he or she is doing. Patients may restrict whether directory information is included in the directory, or to whom we may release such information by notifying their nurse in writing or patient access at the point of registration.
Individuals involved in care or payment for care. Norton Healthcare may release medical information about patients to a friend or family member who is involved in the patient’s medical care and provide information to someone who helps pay for the patient’s care. We may use or disclose a patient’s medical information to notify or assist in the notification of a patient’s family or other persons responsible for patient care about the patient’s location, general condition or death. In addition, we may disclose medical information about a patient to an entity assisting in disaster relief efforts so the patient’s family can be notified about the patient’s condition, status and location.
Research. Medical research is vital to the advancement of medical science. Federal regulations permit use of patient medical information in research, either with patient authorization or when the research study is reviewed and approved by an Institutional Review Board or privacy board before any medical research study begins. In some situations, limited information may be used before approval of the research study to allow a researcher to determine whether enough patients exist to make a study scientifically valid. Institutional Review Boards and privacy boards follow a special review process to protect patient safety, welfare and confidentiality. Norton Healthcare will use and disclose medical information about patients for research purposes only as permitted by federal and state law.
As required by law. Norton Healthcare will disclose medical information about patients when required to do so by federal, state or local law.
To avoid a serious threat to health or safety. Norton Healthcare may use and disclose medical information about patients when consistent with applicable law and ethical standards to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. Any disclosure, however, would only be to someone able to lessen or prevent the threat.
Business associates. Norton Healthcare may contract with other entities, called business associates, for the provision of certain services that require the business associates to use and disclose medical information to perform a service on behalf of Norton Healthcare. Examples of business associates of Norton Healthcare include services that copy medical records, medical transcription providers and companies that assist with patient billing and collection activities. Norton Healthcare enters into “business associate agreements” with these types of entities. These agreements, as well as federal law, require business associates to protect patient medical information.
Participation in health information exchanges. We may participate in one or more health information exchanges (HIEs) and may electronically share your health information for treatment, payment and permitted health care operations purposes with other participants in the HIE, including entities that may not be listed under “Who will follow this notice.” You will be provided the opportunity to opt out of HIE participation. HIEs allow your health care providers to efficiently access and use your pertinent medical information necessary for treatment and other lawful purposes. We will not share your information with an HIE unless we have entered into a business associate agreement with the HIE to protect the confidentiality of your information.
Participation in a shared electronic medical record. Norton Healthcare facilities may participate in a shared electronic medical record with other health care providers in the community. This makes it is easier for a patient’s health care providers to have access to his or her health information, and it improves the quality of a patient’s care. If you would like a list of the health care providers that participate in the shared medical record, contact the Norton Healthcare Health Information Management Department at (502) 629-8527 or the office manager for the facility at which the patient received care.
Organ and tissue donation. If a patient is an organ donor, Norton Healthcare may release medical information to organizations that handle organ procurement or organ, eye or tissue transplantation or to an organ donation bank, as necessary to facilitate organ or tissue donation and transplantation.
Military. If a patient is a member of the armed forces, Norton Healthcare may release medical information about the patient as required by military command authorities. We also may release medical information about foreign military personnel to the appropriate foreign military authority.
Workers’ compensation. Norton Healthcare may release medical information about patients for workers’ compensation or similar programs that provide benefits for work-related injuries or illness.
Public health risks. Norton Healthcare may disclose medical information about patients for public health activities. Generally, these activities include the following reports:
- To prevent or control disease, injury or disability
- Of births and deaths
- Of suspected child abuse
- Of reactions to medications or problems with medical devices
- To notify people of recalls of products they may be using
- To notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition
- To notify the appropriate government authority if Norton Healthcare believes a patient has been the victim of abuse or neglect, as required by law
- With your verbal permission, to notify the school(s) attended by your child(ren) concerning immunization records
Health oversight activities. Norton Healthcare may disclose patients’ medical information to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, licensure or disciplinary actions and legal proceedings or actions. These activities are necessary for the government to monitor the health care system, government programs and compliance with civil rights laws.
Highly confidential information. Federal and state laws require special privacy protections for certain highly confidential information about you (“Highly Confidential Information”), including the subset of your protected health information that is maintained in psychotherapy notes or is about your: (1) mental health and/or developmental disabilities services; (2) alcohol and drug abuse prevention, diagnosis, treatment or referral; (3) HIV/AIDS testing, diagnosis or treatment; (4) communicable disease(s); (5) genetic testing; (6) child abuse and neglect; (7) domestic or elder abuse; and/or (8) sexual assault. In order for your Highly Confidential Information to be disclosed for a purpose other than those permitted by law, Norton Healthcare will require your written authorization.
Lawsuits and disputes. Norton Healthcare may disclose medical information about the patient in response to a court order or administrative order. We also may disclose medical information about patients in response to a subpoena, discovery request or other lawful process
Law enforcement. If asked to do so by law enforcement, and to the extent permitted or required by law, we may release medical information for the following reasons:
- In response to a court order, subpoena, warrant, summons or similar process
- To identify or locate a suspect, fugitive, material witness, or missing person
- About a suspected victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement
- About a death suspected to be the result of criminal conduct
- About criminal conduct at any Norton Healthcare hospital or facility
- In emergency circumstances to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime
- In an investigation of a patient’s unlawful attempt to obtain a controlled substance at a Norton Healthcare hospital or facility
Coroners, medical examiners and funeral directors. Norton Healthcare may release patients’ medical information to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We also may release medical information about patients to funeral directors as necessary to carry out their duties.
National security and intelligence activities. Norton Healthcare may release medical information about patients to authorized federal officials for intelligence, counterintelligence and other national security activities authorized by law.
Protective services for the president and others. Norton Healthcare may disclose medical information about patients to authorized federal officials so they may provide protection to the president, other authorized persons or foreign heads of state or to conduct special investigations.
Inmates. If a patient is an inmate of a correctional institution, Norton Healthcare may release medical information about the patient to the correctional institution or to a law enforcement official who has custody. This release would be necessary: (1) for the institution to provide the patient with health care, (2) to protect the patient’s health and safety or the health and safety of others, or (3) for the safety and security of the correctional institution.
Patients’ rights regarding their personal medical information
Patients have the following rights regarding medical information Norton Healthcare maintains about them:
Right to inspect and copy. Patients have the right to inspect and copy medical information that may be used to make decisions about their care. Usually, this includes medical and billing records but does not include psychotherapy notes.
To inspect and copy medical information while an inpatient in a Norton Healthcare hospital, patients must provide a written request to their nurse. Once they have left the facility, patients must submit their request in writing to the Norton Healthcare Health Information Management Department at P.O. Box 35070, Louisville, KY 40232-5070 or to the office manager of the practice at which the patient was treated. For billing records, contact the Norton Healthcare Health Information Management Department at the address above. If the facility uses or maintains an electronic health record with respect to your medical information, you have the right to obtain an electronic copy of the information if you so choose. If you request an electronic copy of your information, we will provide the information in the format requested if it is feasible to do so. Patients may be charged a fee for the costs of copying, mailing or other supplies associated with the request (for example, your costs may include the cost of a flash drive, if that is how you request a copy of your information be produced).
A patient’s request to inspect and copy personal medical information may be denied in certain circumstances. If access to medical information is denied, a patient may request that the denial be reviewed. Another licensed health care professional chosen by the facility will review the request and the denial. The person conducting the review will not be the person who denied the request. Norton Healthcare will comply with the outcome of the review.
Right to amend. If a patient feels that medical information is incorrect or incomplete, the patient may ask that the information be amended. A patient has the right to request an amendment for as long as the information is kept by or for the facility.
Inpatients may request an amendment by making their request in writing and giving it to their nurse. Once patients have been discharged from the facility, requests for amendments must be made in writing and submitted to the Norton Healthcare Health Information Management Department at P.O. Box 35070, Louisville, KY 40232-5070 or to the office manager at the practice at which the patient was treated. In addition, the patient must provide a reason that supports the request.
Request for an amendment will be denied if it is not in writing or does not include a reason to support the request. In addition, requests also may be denied if the information:
- Was not created by Norton Healthcare, unless the patient provides a reasonable basis to believe the person or entity that created the information is no longer available to make the amendment
- Is not part of the medical information kept by or for the facility
- Is not part of the information that the patients would be permitted to inspect or copy
- Is accurate and complete
Right to an accounting of disclosures. Patients have the right to request an “accounting of disclosures.” This is a list of the disclosures Norton Healthcare made of medical information about the patient for purposes other than treatment, payment and health care operations, inclusion of information in our directory, or to persons involved in care, for national security or intelligence purposes, to corrections institutions or law enforcement officials, or for disclosures made after April 14, 2003. For research disclosures, see the “Research” section in this notice.
To request this list or accounting of disclosures, patients must submit a request in writing to the Norton Healthcare Health Information Management Department at P.O. Box 35070, Louisville, KY 40232-5070 or to the office manager at the facility where they received care. Inpatients must give the written request to their nurse. Requests must state a time period that may not be longer than six years and may not include dates before April 14, 2003. Requests should indicate in what form the patient wants the list (for example, on paper or electronically). The first list requested within a 12-month period will be provided free. For additional lists, patients may be charged the cost of providing the list. Patients will be notified of the cost involved and may choose to withdraw or modify the request before any costs are incurred.
Right to request restrictions. Patients have the right to request a restriction on the medical information used or disclosed about them for treatment, payment or health care operations. Patients also have the right to request a limit on the medical information Norton Healthcare discloses to someone who is involved in the patient’s care or the payment for care, like a family member or friend, or for other permitted purposes. For example, patients could ask that we not use or disclose information about a surgery they had.
In most cases, Norton Healthcare is not required to agree to patient requests to restrict the use or disclosure of a patient’s medical information. If a patient has paid in full for treatment out of his/her own pocket, the patient may request that information regarding the out-of-pocket treatment not be disclosed to his/her health plan, and Norton Healthcare must grant such a request. In all other cases, Norton Healthcare is not required to agree to requests. If we do agree, we will comply with a patient’s request unless the information is needed to provide emergency treatment and/or safe patient care.
To request restrictions, patients must make their request in writing to the Norton Healthcare Health Information Management Department at P.O. Box 35070, Louisville, KY 40232-5070 or to the office manager at the facility where they received care. Inpatients must give a written request to their nurse. In the request, the patient must tell us: (1) what information he or she wants to limit; (2) whether he or she wants to limit our use, disclosure or both; and (3) to whom he or she wants the limits to apply (for example, disclosures to his or her spouse).
Right to request confidential communications. Patients have the right to ask that Norton Healthcare communicate with them about medical matters in a certain way or at a certain location. For example, a patient can ask that we contact him or her only at work or by mail.
To request confidential communications, patients must make their requests in writing to the Norton Healthcare Health Information Management Department at P.O Box 35070, Louisville, KY 40232-5070 or to the office manager at the facility where they received care. Inpatients should give the written request to their nurse. We will not ask the reason for the request. We will make every effort to accommodate all reasonable requests. Requests must specify how or where the patient wishes to be contacted and how payment will be handled.
Right to a paper copy of this notice. Patients have the right to a paper copy of this notice. Patients may ask us to provide a copy of this notice at any time. Even if a patient has agreed to receive this notice electronically, he or she is entitled to a paper copy of this notice.
Patients may obtain an electronic copy of this notice online at NortonHealthcare.com.
Right to be notified following a breach of the patient’s unsecured protected health information. In the unlikely event that a patient’s unsecured protected health information has been compromised, Norton Healthcare will notify the patient of such an incident.
Changes to this notice
Norton Healthcare reserves the right to change this notice and to make the revised or changed notice effective for medical information we already have about patients as well as any information we receive in the future. A copy of the current notice is posted in all our facilities.
The notice contains the effective date on the cover page.
If patients believe their privacy rights have been violated, they may file a complaint with the facility and/or with the secretary of the Department of Health and Human Services. Additionally, some states may allow patients to file a complaint with the state’s attorney general, Office of Consumer Affairs or other state agency as specified by applicable state law. To file a complaint with a Norton Healthcare hospital or facility, patients should contact the Health Information Management Department, hospital administration, the risk manager at the hospital, the office manager at the practice where the patient was treated, the compliance officer or the Norton Healthcare Compliance Hotline (888) 441-8279. All complaints must be submitted in writing.
No one will be penalized or retaliated against for filing a complaint.
Other uses of medical information
Other uses and disclosures of medical information not covered by this notice or the laws that apply to Norton Healthcare will be made only with patients’ written permission or as otherwise permitted by law. If a patient provides us with permission to use or disclose medical information about him or her, he or she may revoke that permission, in writing, at any time. If a patient revokes permission, we will no longer use or disclose medical information about him or her for the reasons covered by his or her written authorization. We are unable to take back any disclosures we have already made with the patient’s permission, and we are required to retain our records of the patient care that we provide.
Norton Healthcare complies with applicable federal civil rights laws and does not discriminate on the basis of race, color, national origin, age, disability or sex.
ATENCIÓN: Si habla español, tiene a su disposición servicios gratuitos de asistencia lingüística. Llame al 1-866-862-2636.
Renato V. LaRocca, M.D., values the opportunity to be at the forefront of brain cancer research. As a neuro-oncologist and cancer medicine specialist with Norton Cancer Institute, Dr. LaRocca has treated many cases of glioblastoma. […]Read Full Story
With COVID-19 weakening her body, Hannah Jones, 24, was at risk of a heart attack. She was placed on a ventilator so she could breathe. It was very possible she would die. Two days after […]Read Full Story
Like many cancer patients, Misty Aubrey’s calendar is filled with appointments. She meets regularly with her oncologist, behavioral oncologist and neurologist. To be safer during the height of the COVID-19 pandemic, she stopped meeting her […]Read Full Story