Learn More

Notice of Privacy Practices

Effective date: April 14, 2003

Revised: July 22, 2007; Sept. 14, 2009; Aug. 30, 2011; Sept. 23, 2013; Nov. 1, 2016; June 30, 2021

This notice describes how medical information about you may be used and disclosed and how you can get access to this medical information. Please review it carefully.

For more information about Norton Healthcare’s privacy policies, contact the Norton Healthcare Health Information Management Department at P.O. Box 35070, Louisville, KY 40232-5070 or (502) 629-8766, or call the Norton Healthcare Compliance Hotline at (866) 264-4567.

Who will follow this notice:

This notice describes Norton Healthcare’s practices and those of:

  • Any health care professional authorized to enter information into a patient’s chart
  • All departments and units within Norton Healthcare facilities
  • Any member of a volunteer group that Norton Healthcare allows to help patients while they are in a Norton Healthcare facility
  • All employees, staff and other Norton Healthcare facility personnel and participating members of the medical staffs
  • Norton Healthcare hospitals, physician practices and any other owned or managed entities of Norton Healthcare

All these entities, sites and locations follow the terms of this notice. In addition, these entities, sites and locations may share with each other medical information related to patient treatment, payment or health care operations described in this notice and as otherwise permitted by law.

Norton Healthcare’s pledge regarding medical information

We understand that medical information about the health of our patients is personal. We are committed to protecting patients’ personal medical information. We create a record of the care and services patients receive at Norton Healthcare facilities. We need these records to provide patients with quality care and to comply with certain legal requirements.

This notice applies to patient care records generated or maintained by Norton Healthcare facilities, whether made by facility personnel or by a physician. A patient’s private doctor may have different policies or notices about the use and disclosure of medical information created in the doctor’s office or clinic.

This notice explains ways in which Norton Healthcare may use and disclose medical information about its patients. It also describes patients’ rights with respect to their medical information.

Norton Healthcare is required by law to:

  • Make sure medical information that identifies patients is kept private
  • Give patients this notice of our legal duties and privacy practices with respect to patients’ medical information
  • Obtain an acknowledgment from each patient regarding receipt of this notice
  • Follow the terms of the notice that are currently in effect
  • Notify affected individuals following a breach of unsecured protected health information

How Norton Healthcare may use and disclose patients’ medical information

The following categories describe different ways Norton Healthcare uses and discloses medical information. For each category of uses or disclosures, there is an explanation and examples. Not every use or disclosure in a category will be listed. However, all of the ways Norton Healthcare is permitted to use and disclose information will fall within one of these categories.

For treatment. Norton Healthcare may use medical information about patients to provide medical treatment or services. We may disclose medical information about patients to doctors, nurses, technicians, medical or health care professions students, or other facility personnel who are involved in care at a Norton Healthcare facility. For example, a doctor treating a patient for a broken leg may need to know if the patient has diabetes, because diabetes may slow the healing process. In addition, the doctor may need to tell the dietitian if a patient has diabetes so that appropriate meals can be arranged. Different departments of a hospital also may share medical information about patients in order to coordinate the different things patients need, such as prescriptions, lab work and X-rays. We also may disclose medical information about patients to people outside the hospital or to other facilities or persons who may be involved in a patient’s medical care after discharge.

For payment. Norton Healthcare may use and disclose medical information about patients so that the treatment and services received may be billed to and payment may be collected from patients, an insurance company or another third party. For example, we may need to provide health plan information about a surgery received at the hospital so a patient’s health plan will pay the hospital or reimburse the patient for the surgery. We also may inform a patient’s health plan about a treatment he or she is going to receive to obtain prior approval or to determine whether the plan will cover the treatment.

For health care operations. Norton Healthcare may use and disclose medical information about patients for health care operations. These uses and disclosures are necessary to run our facilities and make sure that all of our patients receive quality care. For example, we may use medical information to review our treatment and services and to evaluate the performance of our staff in caring for patients or for accreditation or credentialing activities. We also may combine medical information about many hospital patients to decide what additional services the hospital should offer, what services are not needed and whether certain treatments are effective. We may disclose information to doctors, nurses, technicians, medical students and other hospital personnel for review and learning purposes.

Appointment reminders. Norton Healthcare may use and disclose medical information to remind patients of appointments for treatment or medical care at a Norton Healthcare facility.

Treatment alternatives. Norton Healthcare may use and disclose medical information to tell patients about or recommend possible treatment options or alternatives that may be of interest.

Health-related benefits and services. Norton Healthcare may use and disclose medical information to tell patients about our own health care-related products and services that may be of interest so long as certain conditions set by law are satisfied. These communications may include information to help patients manage and improve their health, schedules of upcoming classes and health screenings, and Norton Healthcare’s magazine Get Healthy, among others. If patients do not want to receive this type of information, they can write to Norton Healthcare, Marketing & Communications, 224 E. Broadway, Third Floor, Mailbox M-46, Louisville, KY 40202.

Fundraising activities. Norton Healthcare may use medical information to contact patients in an effort to support Norton Healthcare facilities and programs through one of our two foundations. We may disclose medical information to a foundation related to Norton Healthcare or to a business associate so that the foundation or business associate may contact patients to raise money for the foundation. We will only use the following information without a patient’s permission: contact information, such as a name, address and phone number; dates of treatment or services; the general department in which the patient was treated; the name of the treating physician; and, if the patient had less than an optimal outcome, that information as well. Note: Norton Healthcare does not require patients to participate in receiving fundraising communications in order to receive treatment. Patients who do not want to be contacted for fundraising efforts must notify the Foundations Office in writing at 234 E. Gray St., Suite 450, Louisville, KY 40202.

Marketing activities. We may, without obtaining authorization and so long as we do not receive payment from a third party for doing so, (1) provide patients with marketing materials in a face-to-face encounter, (2) give patients a promotional gift of nominal value, and/or (3) tell patients about our own health care products and services. We will ask patients’ permission to use their health information for any other marketing activities.

Hospital directory. Norton Healthcare may include certain limited information about patients in a directory while they are patients in the hospital. This information may include name, location in the hospital and general condition (e.g., fair, stable, etc.). The directory information, except for religious affiliation, may be released to people who ask for patients by name. Additionally, a patient’s religious affiliation may be provided to a member of the clergy, such as a priest or rabbi, even if they do not ask for

a patient by name. This release of information is so a patient’s family, friends and clergy can visit the patient in the hospital and generally know how he or she is doing. Patients may restrict whether their information is included in the directory by notifying patient access at the point of registration or their nurse at any time during their stay.

Individuals involved in care or payment for care. Norton Healthcare may release medical information about patients to a friend or family member who is involved in the patient’s medical care or payment for the patient’s care. We may use or disclose a patient’s medical information to notify or assist in the notification of a patient’s family or other persons responsible for patient care about the patient’s location, general condition or death. In addition, we may disclose medical information about a patient to an entity assisting in disaster relief efforts so the patient’s family can be notified about the patient’s condition, status and location.

Research. Medical research is vital to the advancement of medical science. Federal regulations permit use of patient medical information in research, either with patient authorization or when the research study is reviewed and approved by an Institutional Review Board or privacy board before any medical research study begins. In some situations, limited information may be used before approval of the research study to allow a researcher to determine whether enough patients exist to make a study scientifically valid. Institutional Review Boards and privacy boards follow a special review process to protect patient safety, welfare and confidentiality. Norton Healthcare will use and disclose medical information about patients for research purposes only as permitted by federal and state law.

As required by law. Norton Healthcare will disclose medical information about patients when required to do so by federal, state or local law.

To avoid a serious threat to health or safety. Norton Healthcare may use and disclose medical information about patients when consistent with applicable law and ethical standards to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. Any disclosure, however, would be only to someone able to lessen or prevent the threat.

Business associates. Norton Healthcare may contract with other entities, called business associates, for the provision of certain services that require the business associates to use and disclose medical information to perform a service on behalf of Norton Healthcare. Examples of business associates of Norton Healthcare include medical transcription providers and companies that assist with patient billing and collection activities. Norton Healthcare enters into “business associate agreements” with these types of entities. These agreements, as well as federal law, require business associates to protect patient medical information.

Participation in health information exchanges. We may participate in one or more health information exchanges (HIEs) and may electronically share your health information for treatment, payment and permitted healthcare operations purposes with other participants in the HIE, including entities that may not be listed under “Who will follow this notice.” Patients may “opt out” of HIE participation by contacting the Norton Healthcare Health Information Management Department.  HIEs allow patients’ health care providers to efficiently access and use your pertinent medical information necessary for treatment and other lawful purposes. We will not share patients’ information with an HIE unless we have entered into a business associate agreement with the HIE to protect the confidentiality of patients’ information.

Participation in a shared electronic medical record. Norton Healthcare facilities may participate in a shared electronic medical record with other health care providers in the community. This makes it easier for a patient’s health care providers to have access to the patient’s health information, and it improves the quality of a patient’s care. Patients who would like a list of the health care providers that participate in the shared medical record may contact the Norton Healthcare Health Information Management Department.

Special situations

Organ and tissue donation. If a patient is an organ donor, Norton Healthcare may release medical information to organizations that handle organ procurement or organ, eye or tissue transplantation or to an organ donation bank, as necessary to facilitate organ or tissue donation and transplantation.

Military. If a patient is a member of the armed forces, Norton Healthcare may release medical information about the patient as required by military command authorities. We also may release medical information about foreign military personnel to the appropriate foreign military authority.

Workers’ compensation. Norton Healthcare may release medical information about patients for workers’ compensation or similar programs that provide benefits for work-related injuries or illnesses.

Public health risks. Norton Healthcare may disclose medical information about patients for public health activities. Generally, these activities include the following reports:

  • To prevent or control disease, injury or disability
  • To report births and deaths
  • To report to the appropriate government authority if Norton Healthcare suspects a patient has been the victim of abuse or neglect, including child abuse
  • To report reactions to medications or problems with medical devices
  • To notify people of recalls of products they may be using
  • To notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition
  • With a parent or guardian’s verbal permission, to notify the school(s) attended by child(ren) concerning immunization

Health oversight activities. Norton Healthcare may disclose patients’ medical information to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, licensure or disciplinary actions and legal proceedings or actions. These activities are necessary for the government to monitor the health care system, government programs and compliance with civil rights laws.

Highly Confidential Information. Federal and state laws require special privacy protections for certain highly confidential information about patients (“Highly Confidential Information”), including the subset of protected health information that is maintained in psychotherapy notes or is about the patient’s: (1) mental health and/or developmental disabilities services; (2) substance use disorder prevention, diagnosis, treatment or referral; (3) HIV/AIDS testing, diagnosis or treatment; (4) communicable disease(s); (5) genetic testing; (6) child abuse and neglect; (7) domestic or elder abuse; and/or (8) sexual assault. In order for the patient’s Highly Confidential Information to be disclosed for a purpose other than those permitted by law, Norton Healthcare will require the patient’s written authorization.

Lawsuits and disputes. Norton Healthcare may disclose medical information about the patient in response to a court order or administrative order. We also may disclose medical information about patients in response to a subpoena, discovery request or other lawful process.

Law enforcement. If asked to do so by law enforcement, and to the extent permitted or required by law, we may release medical information for the following reasons:

  • In response to a court order, subpoena, warrant, summons or similar process
  • To identify or locate a suspect, fugitive, material witness or missing person
  • About a suspected victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement
  • About a death suspected to be the result of criminal conduct
  • About criminal conduct at any Norton Healthcare facility
  • In emergency circumstances to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime
  • In an investigation of a patient’s alleged unlawful attempt to obtain a controlled substance at a Norton Healthcare facility

Coroners, medical examiners and funeral directors. Norton Healthcare may release patients’ medical information to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We also may release medical information about patients to funeral directors as necessary to carry out their duties.

National security and intelligence activities. Norton Healthcare may release medical information about patients to authorized federal officials for intelligence, counterintelligence and other national security activities authorized by law.

Protective services for the president and others. Norton Healthcare may disclose medical information about patients to authorized federal officials so they may provide protection to the president, other authorized persons or foreign heads of state or to conduct special investigations.

Inmates. If a patient is an inmate of a correctional institution, Norton Healthcare may release medical information about the patient to the correctional institution or to a law enforcement official who has custody. This release would be necessary: (l) for the institution to provide the patient with health care; (2) to protect the patient’s health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution.

Patient rights regarding their personal medical information. Patients have the following rights regarding medical information Norton Healthcare maintains about them:

Right to inspect and copy. Patients have the right to inspect and copy medical information that may be used to make decisions about their care. Usually, this includes medical and billing records but does not include psychotherapy notes.

To inspect and copy medical or billing information, patients must submit their request in writing to the Norton Healthcare Health Information Management Department. If the facility uses or maintains an electronic health record with respect to medical information, patients have the right to obtain an electronic copy of the information if they so choose. If a patient requests an electronic copy of his or her information, we will provide the information in the format requested if it is feasible to do so. Patients may be charged a reasonable, cost-based fee for the costs of copying, mailing or other supplies associated with the request (for example, the costs may include the cost of a flash drive, if that is how the patient requested a copy of the information be produced).

A patient’s request to inspect and copy personal medical information may be denied in certain circumstances. If access to medical information is denied, a patient may request that the denial be reviewed. Another licensed health care professional chosen by the facility will review the request and the denial. The person conducting the review will not be the person who denied the request. Norton Healthcare will comply with the outcome of the review.

Right to amend. If a patient feels that medical information is incorrect or incomplete, the patient may ask that the information be amended. A patient has the right to request an amendment for as long as the information is kept by or for the facility.

Requests for amendments must be made in writing and submitted to the Norton Healthcare Health Information Management Department. In addition, the patient must provide a reason that supports the request.

Request for an amendment will be denied if it is not in writing or does not include a reason to support the request. In addition, requests also may be denied if the information:

  • Was not created by Norton Healthcare, unless the patient provides a reasonable basis to believe the person or entity that created the information is no longer available to make the amendment
  • Is not part of the medical information kept by or for the facility
  • Is not part of the information that patients would be permitted to inspect or copy
  • Is accurate and complete

Right to an accounting of disclosures. Patients have the right to request an “accounting of disclosures.” This is a list of the disclosures Norton Healthcare made of medical information about the patient, except for disclosures: for treatment, payment and health care operations; that are incidental in nature; for our directory or to persons involved in care; for national security or intelligence purposes; to corrections institutions or law enforcement officials; or for disclosures made before April 14, 2003. For research disclosures, see the “Research” section in this notice.

To request this list, or accounting of disclosures, patients must submit a request in writing to the Norton Healthcare Health Information Management Department. Inpatients must give the written request to their nurse. Requests must state a time period that may not be longer than six years. Requests should indicate in what form the patient wants the list (for example, on paper or electronic). The first list requested within a 12-month period will be provided free. For additional lists during that same period, patients may be charged the cost of providing the list. Patients will be notified of the cost involved and may choose to withdraw or modify the request before any costs are incurred.

Right to request restrictions. Patients have the right to request a restriction on the medical information used or disclosed about them for treatment, payment or health care operations. Patients also have the right to request a limit on the medical information Norton Healthcare discloses to someone who is involved in the patient’s care or the payment for care, like a family member or friend, or for other permitted purposes. For example, patients could ask that we not use or disclose information about a surgery they had.

In most cases, Norton Healthcare is not required to agree to patient requests to restrict the use or disclosure of a patient’s medical information. If a patient has paid out-of-pocket in full for items or services, the patient may request that information regarding the items or services not be disclosed to his/her health plan, and Norton Healthcare must grant such a request. In all other cases, Norton Healthcare is not required to agree to requests. If we do agree, we will comply with a patient’s request unless the information is needed to provide emergency treatment and/or safe patient care.

To request restrictions, patients must make their request in writing to the Norton Healthcare Health Information Management Department. In the request, the patient must tell us: (l) what information he or she wants to limit; (2) whether he or she wants to limit our use, disclosure or both; and (3) to whom he or she wants the limits to apply (for example, disclosures to his or her spouse).

Right to request confidential communications. Patients have the right to ask that Norton Healthcare communicate with them about medical matters in a certain way or at a certain location. For example, a patient can ask that we contact him or her only at work or by mail.

To request confidential communications, patients must make their requests in writing to the Norton Healthcare Health Information Management Department. We will not ask the reason for the request. We will make every effort to accommodate all reasonable requests. Requests must specify how or where the patient wishes to be contacted and how payment will be handled.

Right to a paper copy of this notice. Patients have the right to a paper copy of this notice. Patients may ask us to provide a copy of this notice at any time. Even if a patient has agreed to receive this notice electronically, he or she is entitled to a paper copy of this notice.

Patients may obtain an electronic copy of this notice online at NortonHealthcare.com.

Right to be notified following a breach of the patient’s unsecured protected health information. In the event that a patient’s unsecured protected health information is compromised, Norton Healthcare will notify the patient of such an incident.

Changes to this notice

Norton Healthcare reserves the right to change this notice and to make the revised or changed notice effective for medical information we already have about patients as well as any information we receive in the future. A copy of the current notice is posted in all our facilities. The notice contains the effective date on the cover page.


If patients believe their privacy rights have been violated, they may file a complaint with the facility and/or with the secretary of the Department of Health and Human Services. Additionally, some states may allow the patient to file a complaint with the state’s attorney general, Office of Consumer Affairs or other state agency as specified by applicable state law. To file a complaint with a Norton Healthcare facility, patients should contact the Norton Healthcare Health Information Management Department or the Compliance Hotline (866) 264-4567. All complaints must be submitted in writing. No one will be penalized or retaliated against for filing a complaint.

Other uses of medical information

Other uses and disclosures of medical information not covered by this notice or the laws that apply to Norton Healthcare will be made only with the patient’s written permission or as otherwise permitted by law. If a patient provides us with permission to use or disclose medical information about them, they may revoke that permission, in writing, at any time. If a patient revokes permission, we will no longer use or disclose medical information about them for the reasons covered by their written authorization. We are unable to take back any disclosures we have already made with the patient’s permission, and we are required to retain our records of the patient care that we provide.

Norton Healthcare complies with applicable federal civil rights laws and does not discriminate on the basis of race, color, national origin, age, disability, or sex.

ATENCIÓN: si habla español, tiene a su disposición servicios gratuitos de asistencia lingüística. Llame al (866) 862-2636

注意:如果您使用繁體中文,您可以免費獲得語言援助服務。請致電 (866) 862-2636

Schedule an Appointment

Select an appointment date and time from available spots listed below.