THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND
DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Clarinda Regional Health Center and any Rural Health Clinic and Provider Based Clinics
operated under Hospital is required by the Health Insurance Portability and Accountability Act of
1996, and the Health Information Technology for Economic and Clinical Health Act (found in Title
XIII of the American Recovery and Reinvestment Act of 2009)(collectively referred to as HIPAA),
as amended from time to time, to maintain the privacy of individually identifiable patient health
information (this information is protected health information and is referred to herein as
PHI). We are also required to provide patients with a Notice of Privacy Practices regarding PHI.
We will only use or disclose your PHI as permitted or required by applicable state law. This
Notice applies to your PHI in our possession including the medical records generated by us.
Hospital understands that your health information is highly personal, and we are committed to
safeguarding your privacy. Please read this Notice of Privacy Practices thoroughly. It describes
how we will use and disclose your PHI.
This Notice applies to the delivery of health care by Hospital and its medical staff in the main
hospital, outpatient departments and clinics. This Notice also applies to the utilization review
and quality assessment activities of Hospital.
I. Permitted Use or Disclosure
A. Treatment: Hospital will use and disclose your PHI to provide, coordinate, or manage your
health care and related services to carry out treatment functions. The following are
examples of how Hospital will use and/or disclose your PHI:
To your attending physician, consulting physician(s), and other health care providers who have a
legitimate need for such information in your care and continued treatment.
To coordinate your treatment (e.g., appointment scheduling) with us and other health care providers
such as name, address, employment, insurance carrier, etc.
To contact you as a reminder that you have an appointment for treatment or medical care at our
To provide you with information about treatment alternatives or other health-related benefits or
If you are an inmate of a correctional institution or under the custody of a law enforcement
officer, the Hospital will disclose your PHI to the correctional institution or law enforcement
B. Payment: Hospital will use and disclose PHI about you for payment purposes. The following are
examples of how Hospital will use and/or disclose your PHI:
To an insurance company, third party payer, third party administrator, health plan or other health
care provider (or their duly authorized representatives) for payment purposes such as
determining coverage, eligibility, pre-approval / authorization for treatment, billing, claims
management, reimbursement audits, etc.
To collection agencies and other subcontractors engaged in obtaining payment for care.
C. Health Care Operations: Hospital will use and disclose your PHI for health care
operations purposes. The following are examples of how Hospital will use and/or disclose your PHI:
For case management, quality assurance, utilization, accounting, auditing, population based
activities relating to improving health or reducing health care costs, education, accreditation,
licensing and credentialing activities of Hospital.
To consultants, accountants, auditors, attorneys, transcription companies, information technology
D. Other Uses and Disclosures: As part of treatment, payment and health care operations, Hospital
may also use your PHI for the following purposes:
Fundraising Activities: Hospital will use and may also disclose some of your PHI to a related
foundation for certain fundraising activities. For example, Hospital may disclose your
demographic information, your treatment dates of service, treating physician information,
department of service and outcomes information to the foundation who may ask you for a monetary
donation. Any fundraising communication sent to you will let you know how you can exercise your
right to opt-out of receiving similar communications in the future.
Medical Research: Hospital will use and disclose your PHI without your authorization to medical
researchers who request it for approved medical research projects. Researchers are required to
safeguard all PHI they receive.
Information and Health Promotion Activities: Hospital will use and disclose some of your PHI for
certain health promotion activities. For example, your name and address will be used to send you
general newsletter or specific information based on your own health concerns.
E. More Stringent State and Federal Laws: The State law of Iowa is more stringent than HIPAA in
several areas. Certain federal laws also are more stringent than HIPAA. Hospital will continue to
abide by these more stringent state and federal laws.
i. More Stringent Federal Laws: The federal laws include applicable internet privacy laws, such
as the Childrens Online Privacy Protection Act and the federal laws and regulations governing the
confidentiality of health information regarding substance abuse treatment.
ii. More Stringent State Laws: The State of Iowa is more stringent when the individual is
entitled to greater access to records than under HIPAA. State law also is more restrictive when
the records are more protected from disclosure by state law than under HIPAA. In cases where CRHC
provides treatment to a patient who resides in a neighboring state, Hospital will abide by the more
stringent applicable state law.
F. Health Information Exchange: (HIE) Hospital may elect to share your health records
electronically with Iowa Health Exchange Network (IHEN) for the purpose of improving the overall
quality of health care services provided to you (e.g., avoiding unnecessary duplicate testing).
If shared with Iowa Health Exchange Network the electronic health records would include sensitive
diagnosis such as HIV/AIDS, sexually transmitted diseases, genetic information, and mental health
substance abuse, etc. The HIE would function as our business associate and, in acting on our
behalf, the HIE would transmit, maintain and store your PHI for treatment purposes. The HIE has a
duty to implement administrative, physical and technical safeguards that reasonably and
appropriately protect the confidentiality and integrity of your medical information.
You have the right to opt-out and prevent your health information from being sent to IHIN by
completing and submitting an Opt-Out form** to IHIN. Please contact IHIN by calling (866)
924-4636 or via web-site at www.iowaehealth.org. The Opt Out form has been developed by the IHIN.
II. Permitted Use or Disclosure with an Opportunity for You to Agree or Object
A. Family/Friends: Hospital will disclose PHI about you to a friend or family member who is
involved in or paying for your medical care. You have a right to request that your PHI not be
shared with some or all of your family or friends. In addition, Hospital will disclose PHI about
you to an agency
assisting in disaster relief efforts so that your family can be notified about your condition,
status, and location.
B. Hospital: Hospital will include certain information about you in
facility directory while you are a hospital patient at Hospital. This information will include
your name, location in Hospital, your general condition (e.g., fair, stable, critical, etc.) and
your religious affiliation. The directory information, except your religious affiliation, will be
disclosed to people who ask for you by name. You have the right to request that your name not be
included in the Hospital directory. If you request to opt-out of the facility directory, we cannot
inform visitors of your presence, location, or general condition.
C. Spiritual Care: Directory information, including your religious affiliation, will be
given to a member of the clergy, even if they do not ask for you by name. Spiritual care
providers are members of the health care team at Hospital and may be consulted upon regarding your
care. You have the right to request that your name not be given to any member of the clergy.
D. Media Reports: Hospital will release facility directory information to the media (excluding
religious affiliation) if the media requests information about you using your name and after we
have given you an opportunity to agree or object.
III. Use or Disclosure Requiring Your Authorization
A. Marketing: Subject to certain limited exceptions, your written authorization is required in
cases where Hospital receives any direct or indirect financial remuneration in exchange for making
the communication to you which encourages you to purchase a product or service or for a disclosure
to a third party who wants to market their products or services to you.
B. Research: Hospital will obtain your written authorization to use or disclose your PHI for
research purposes when required by HIPAA.
C. Psychotherapy Notes: Most uses and disclosures of psychotherapy notes require your written
D. Sale of PHI: Subject to certain limited exceptions, disclosures that constitute a sale of PHI
requires your written authorization.
E. Other Uses and Disclosures: Any other uses or disclosures of PHI that are not described in
this Notice of Privacy Practices require your written authorization. Written authorizations will
let you know why we are using your PHI. You have the right to revoke an authorization at any time.
IV. Use or Disclosure Permitted or Required by Public Policy or Law without your Authorization
A. Law Enforcement Purposes: Hospital will disclose your PHI for law enforcement purposes as
required by law, such as identifying a criminal suspect or a missing person, or providing
information about a crime victim or criminal conduct.
B. Required by Law: Hospital will disclose PHI about you when required by federal, state or local
Examples include disclosures in response to a court order / subpoena, mandatory state reporting
(e.g., gun shot wounds, victims of child abuse or neglect), or information necessary to comply with
other laws such as workers compensation or similar laws. Hospital will report drug diversion and
information related to fraudulent prescription activity to law enforcement and regulatory agencies.
C. Public Health Oversight or Safety: Hospital will use and disclose PHI to avert a serious
threat to health and safety of a person or the public. Examples include disclosures of PHI to
state investigators regarding quality of care or to public health agencies regarding immunizations,
communicable diseases, etc. Hospital will use and disclose PHI for activities related to the
quality, safety or effectiveness of FDA regulated products or activities, including collecting and reporting adverse
events, tracking and facilitating in product recalls, etc.
D. Coroners, Medical Examiners, Funeral Directors: Hospital will disclose your PHI to a coroner
or medical examiner. For example, this will be necessary to identify a deceased person or to
determine a cause of death. Hospital may also disclose your medical information to funeral
directors as necessary to carry out their duties.
E. Organ Procurement: Hospital will disclose PHI to an organ procurement organization or entity
for organ, eye or tissue donation purposes.
F. Specialized Government Functions: Hospital will disclose your PHI regarding
government functions such as military, national security and intelligence activities. Hospital
will use or disclose PHI to the Department of Veterans Affairs to determine where you are eligible
for certain benefits.
G. Immunizations: Hospital will disclose proof of immunization to a school where the state or
other similar law requires it prior to admitting a student.
V. Your Health Information Rights
You have the following individual rights concerning your PHI:
A. Right to Inspect and Copy: Subject to certain limited exceptions, you have the right to access
PHI and to inspect and copy your PHI as long as we maintain the data.
If Hospital denies your request for access to your PHI, Hospital will notify you in writing with
the reason for the denial. For example, you do not have the right to psychotherapy notes or to
inspect the information which is subject to law prohibiting access. You may have the right to have
this decision reviewed.
You also have the right to request your PHI in electronic format in cases where Hospital utilizes
electronic health records. You may also access information via patient portal if made available by
You will be charged a reasonable copying fee in accordance with applicable federal or state law.
B. Right to Amend: You have the right to amend your PHI for as long as Hospital maintains the
You must make your request for amendment of your PHI in writing to Hospital, including your reason
to support the requested amendment.
However, Hospital will deny your request for amendment if:
Hospital did not create the information;
The information is not part of the designated record set;
The information would not be available for your inspection (due to its condition or nature); or
The information is accurate and complete.
If Hospital denies your request for changes in your PHI, Hospital will notify you in writing with
the reason for the denial. Hospital will also inform you of your right to submit a written
statement disagreeing with the denial. You may ask that Hospital include your request for
amendment and the denial any time that Hospital subsequently discloses the information
that you wanted changed. Hospital may prepare a rebuttal to your statement of disagreement and
will provide you with a copy of that rebuttal.
C. Right to an Accounting: You have a right to receive an accounting of the disclosures of your
that Hospital has made, except for the following disclosures:
To carry out treatment, payment or health care operations; To you;
To persons involved in your care;
For national security or intelligence purposes; or
To correctional institutions or law enforcement officials.
You must make your request for an accounting of disclosures of your PHI in writing to Hospital.
You must include the time period of the accounting, which may not be longer than 6 years. In any
given 12-month period, Hospital will provide you with an accounting of the disclosures of your PHI
at no charge. Any additional requests for an accounting within that time period will be subject to
a reasonable fee for preparing the accounting.
D. Right to Request Restrictions: You have the right to request restrictions on certain uses and
disclosures of your PHI to carry out treatment, payment or health care operations functions or to
prohibit such disclosure. However, Hospital will consider your request but is not required to
agree to the requested restrictions.
E. Right to Request Restrictions to a Health Plan: You have the right to request a restriction on
disclosure of your PHI to a health plan (for purposes of payment or health care operations) in
cases where you paid out of pocket, in full, for the items received or services rendered.
F. Right to Confidential Communications: You have the right to receive
confidential communications of your PHI by alternative means or at alternative locations. For
example, you may request that Hospital only contact you at work or by mail.
G. Right to Receive a Copy of this Notice: You have the right to receive a paper copy of this
Privacy Practices, upon request.
VI. Breach of Unsecured PHI
In a breach of unsecured PHI affecting you occurs, Hospital is required to notify you of the
VII. Sharing and Joint Use of Your Health Information
In the course of providing care to you and in furtherance of Hospital mission to improve the
the community, Hospital will share your PHI with other organizations as described below who have
agreed to abide by the terms described below:
A. Medical Staff. Physicians and allied health care professionals who are members of
the Hospital medical staff will have access to and use your PHI for treatment, payment and health
care operations purposes related to your care within Hospital. Hospital will disclose your PHI to
the medical staff and allied health professionals for treatment, payment and health care
B. Business Associates. Hospital will share your PHI with business associates and their
Subcontractors contracted to perform business functions on behalf of the Hospital, including Bryan
Health Network which performs certain business functions for Hospital.
A. Changes to this Notice. Hospital will abide by the terms of the Notice currently in effect.
Hospital reserves the right to make material changes to the terms of its Notice and to make the new
Notice provisions effective for all PHI that it maintains. Hospital will distribute / provide you
with a revised Notice at your first visit following the revision of the Notice in cases where it
makes a material change in the Notice. You can also ask Hospital for a current copy of their
Notice at any time.
B. Complaints. If you believe your privacy rights have been violated, you may file a complaint
with the Hospital Privacy Official or with the Secretary of the Department of Health and Human
Services. All complaints must be submitted in writing directly to the Hospital Privacy Official.
Hospital assures you that there will be no retaliation for filing a complaint. You will not be retaliated against for
C. Privacy Official - Questions / Concerns / Additional Information.
If you have any
questions, concerns, or want further information regarding the issues covered by this Notice of
Privacy Practice or seek additional information regarding Hospital privacy policies and
procedures, please contact the Hospital Privacy Official:
Clarinda Regional Health Center
Jenny Wagoner, Education/Compliance/HIPAA Coordinator
220 Essie Davison Drive
Clarinda, IA 51632
Revised/Effective: April 2017