Privacy Practices & Compliance
On August 23, 2022, United Regional became aware that a few patients had accessed their Explanation of Benefits (EOBs) through their MyChart portal, but the EOBs contained protected health information for more than one patient. The EOBs were for services prior to 2020, and included name, date of service, billing code, claim total, covered amount, and in some cases, the last four numbers of the social security number. Once discovered, we immediately removed patient access to these documents because they do not need to be in MyChart. We also began identifying affected patients and are in the process of removing the documents entirely. On October 6, 2022, we mailed notices to the affected patients advising them of the event and included steps they should take to protect themselves. Currently, there is no evidence of misuse of any patient information. However, 14 of these notices were returned undeliverable. If you think you may be one of the 14 affected individuals, we have set up a toll-free number for you to confirm if you were. Please call (855) 764-2901. We take the security of your personal information seriously and sincerely regret any concern this may cause.
United Regional Health Care System
Notice of Privacy Practices
Effective April 14, 2003
THIS JOINT NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW CAREFULLY.
Who Will Follow United Regional’s Notice of Privacy Practices?
• This Joint Notice of Privacy Practices will be followed by United Regional Health Care System and its subsidiaries, which include:
o United Regional (hospital)
o United Regional Physician Group
o United Regional Primary Care Clinic
o United Regional Specialty Care Clinic
o United Regional Reference Lab
• Any health care professional authorized to enter information into your medical chart, including physicians and other allied health professionals involved in your care
• All departments and units of United Regional Health Care System
• Any member of a volunteer group we allow to help you while you are in the hospital
• All employees, staff, and other hospital and clinic personnel
• Any clinics or off site groups that operate under United Regional Health Care System
• All trainees, students, interns and residents
• All contractors who provide services to United Regional that involve access to protected health information
• United Regional is required by federal and state law to make sure that medical information that identifies you is kept private.
• Provide you with a copy of this notice of our legal duties and privacy practices with respect to medical information about you.
• United Regional is required to abide by the terms of this notice currently in effect, and while we reserve the right to make changes to the notice, any changes to the notice will be effective for all protected health information we maintain.
• United Regional will provide our Notice of Privacy Practices on our web site at www.unitedregional.org and post it in a clear and prominent location at all registration points in our health system.
• United Regional will not use or share your information other than as described here unless you tell us we can in writing. If you tell us we can, you may change your mind at any time. Let us know in writing if you change your mind.
• For more information see: www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/noticepp.html
Understanding Your Health Record
Each time you visit a hospital, physician, or other healthcare provider, a record of your visit is made to manage the care you receive. This notice applies to all of the records of your care generated by United Regional, whether made by United Regional personnel, agents of United Regional, or your personal doctor. United Regional Health Care System understands that the medical information that is recorded about you and your health is personal, and we care about keeping it protected.
Although your health record itself is the physical property of United Regional, the personal health information in the record belongs to you.
Your Rights Regarding Your Medical Information
You have the following rights regarding your medical information, provided that you make a written request to invoke the right on the form provided by us.
• Inspect and Request a Copy: You have the right to inspect and obtain a copy of the health information that may be used to make decisions about your care. Usually, this includes medical and billing records, but does not include psychotherapy notes. We may be allowed to charge you for the cost of making the copy. We may deny your request to inspect and copy in certain very limited circumstances. If you are denied access to health information, you may request that the denial be reviewed. Another licensed health care professional chosen by the hospital will review your request and the denial. The person conducting the review will not be the person who denied your request. We will comply with the outcome of the review.
• Obtain a Copy of your Electronic Health Record: At your request, United Regional is required to fulfill the request of a patient’s electronic health record no later than the 15th business day after the date we receive a written request from you for those records. United Regional shall provide the requested record to you in electronic form if the current electronic system is capable, or unless you agree to accept the record in another form. United Regional is not required to provide access to your protected health information that is excluded from access, or to which access may be denied. United Regional may charge a reasonable, cost-based fee.
• Amendment to your Medical Record: If you feel that medical information we have about you is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept by and for the hospital. The request must be made in writing, using the United Regional form. We may deny your request for an amendment, and if this occurs, you will be notified of the reason for the denial.
• An Accounting of Disclosures: You have the right to know who has received your protected health information. Any uses or disclosures of protected health information other than those permitted by the Privacy Rule will be made only with written authorization of the individual, and you have the right to revoke an authorization.
• Notice of Electronic Disclosure: United Regional may create, receive and maintain your protected health information in electronic form. If United Regional intends to disclose your protected health information for reasons other than described in this notice, we will ask you to authorize that specific disclosure.
• Request Restrictions: You have the right to request a restriction or limitation on the health information we use or disclose about you for treatment, payment, or health care operations. However, agreement with your request is not required by law, with one exception. An individual has the right to restrict certain disclosures of personal health information to a health plan where the individual has paid out of pocket in full for the health care item or service.
• Request for Alternative Communication Methods: You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. We will attempt to accommodate all reasonable requests, but in certain circumstances we may not be able to do so.
• Breach notification: United Regional takes the protection of your confidential information seriously, and we will make every reasonable effort to keep it protected. However, in the event of a breach, meaning your protected health information is disclosed to an unintended recipient, United Regional will notify you.
How We May Use and Disclose Health Information about You
Without specific authorization, your medical information may be used, unless you ask for restrictions on a specific use or disclosure. (See Request Restrictions Section of this notice.)
The following categories describe examples of the way we use and disclose health information. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one of the categories:
For Treatment: We may use health information about you to provide you treatment or services. We may disclose health information about you to doctors, nurses, technicians, medical students, or other hospital personnel who are involved in taking care of you at the hospital. For example: a doctor treating you for a broken leg may need to know if you have diabetes because diabetes may slow the healing process.
Physicians and other providers may have access to protected health information in their offices or other remote settings to facilitate expedited care while you are a patient at United Regional, or to assist in reviewing past treatment as it may affect treatment at the time of your visit in their office.
Different departments of the hospital also may share health information in order to coordinate the different things you may need; such as prescriptions, lab work, meals, and x-rays. We may disclose medical information about you to people outside the hospital who may be involved in your medical care after you leave the hospital, such as family members, clergy or others who may assist in your care. We may also provide your physician or a subsequent healthcare provider with copies of various reports that should assist him or her in treating you once you are discharged from this hospital.
For Payment: We may use and disclose health information about your treatment and services to bill and collect payment from you, your insurance company, or a third party payer. For example, we may need to give your insurance company information about your surgery so they will pay us or reimburse you for the treatment. We may also tell your health plan about treatment you are going to receive to determine whether your plan will cover it. We may also share information about you with physicians, and others formally or informally associated with United Regional, who have provided services required for your care so that these physicians can bill for services provided to you while you are a United Regional patient.
For Healthcare Operations: Members of the medical staff and/or quality improvement team may use information in your health record to assess the care and outcomes in your case and others like it. The results will then be used to continually improve the quality of care for all patients we serve. For example, we may combine health information about many patients to evaluate the need for new services or treatment. We may disclose information to doctors, nurses, and other students for educational purposes. We may combine health information we have with that of other hospitals to see where we can make improvements. We may remove information that identifies you from this set of health information to protect your privacy.
We may also use and disclose health information:
a. to business associates we have contracted with to perform a service and to enable them to bill for that service
b. to remind you that you have an appointment for medical care
c. to assess your satisfaction with our services
d. to tell you about health-related benefits or services
e. to inform funeral directors, consistent with applicable law
f. for population based activities relating to improving health or reducing healthcare costs
g. for conducting training programs or reviewing competence of healthcare professionals
h. for students and trainees that may access your health information as part of their training and educational activities
i. for audits to make sure that business practices comply with the law and with our policies. Examples include audits involving quality of care, medical bills or patient confidentiality
Additionally, when disclosing information, primarily for appointment reminders and billing/collections efforts, we may leave messages on your answering machine/voicemail.
For Fundraising Activities: We may use limited information about you for fundraising activities. The information we are allowed by law to use for this purpose includes your name, address and contact information, age, date of birth, gender, department of service, health insurance status, treating physician(s), and outcome information. Any fundraising materials you receive will give you the opportunity to opt out of any future communications.
Marketing and Sale of PHI: All uses and disclosures of personal health information for marketing purposes and disclosures that constitute a sale of personal health information, require patient authorization. Other uses and disclosures not described in the Notice of Privacy Practices will be made only with patient authorization.
Business Associates: There are some services provided in our organization through contracts with business associates. Examples include: physician services in the emergency department and radiology, certain laboratory tests; personal health record vendors; and subcontractors that create, maintain, receive, or transmit personal health information on behalf of United Regional. When these services are contracted, we may disclose your health information to our business associates so that they can perform the job we’ve asked them to do or bill you or your third-party payer for services rendered. To protect your health information, however, we require the business associate to appropriately safeguard your personal health information.
Hospital Directory: We may include you in the hospital directory while you are a patient at United Regional. Your name, location, your condition described in general terms (e.g., good, fair) and your religious affiliation may be included in our directory of hospitalized patients. This is so your family, friends, and clergy can visit you in the hospital and generally know how you are doing. If you agree, the directory information, except for religious affiliation, will be released to people who ask for you by name. Your religious affiliation may be given to members of the clergy even if they don’t ask for you by name, unless you prohibit the release of this information. You have the right to prevent your information from being in the hospital directory or the release of any information about you from the hospital directory by choosing the classification as a “Do Not Publish” or “DNP” patient.
Family and Friends: We may release health information about you to a friend or family member who is involved in your medical care or who helps pay for your care. In addition, we may disclose health information about you to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status, and location.
Health Information Exchange (HIE): We participate in electronic health exchanges, where we may share information that we obtain or create about you with other health care providers or other health care entities, as permitted by law. Exchange of health information through HIEs can provide faster access, better coordination of care, and assist providers in making more informed decisions. You may opt out of sharing your information through the HIEs we participate in by contacting the Medical Records Department. Please also note that we may not be able to manage restrictions on disclosures of your health information through our participation in HIEs. Should you wish to restrict your information from a particular individual or entity and we grant your restriction, you should elect to opt out of the HIE(s) in order to protect your restriction.
Telemedicine/Telemonitoring and Pharmacy: As is true of most websites, we automatically gather information about your computer or mobile device such as your IP address, browser type, referring/exit pages, and operating system. We use this information to: fulfill your order, send you an order confirmation, respond to customer service requests and administer your account.
Research: At times, we may use or release health information about you for research purposes. However, all research projects require a special approval process before they begin. This process may include asking for your authorization. In some instances, your health information may be used or released for a research purpose without your authorization.
Future Communications: We may communicate to you via newsletters, mail outs, or other means regarding treatment options, health related information, disease-management programs, wellness programs, or other community based initiatives or activities our facility is participating in.
Organized Healthcare Arrangement (OHCA): This facility and its medical staff members have organized and are presenting you this document as joint notice. Information will be shared as necessary to carry out treatment, payment, and health care operations of the OHCA. Members of the OHCA may share your protected health information to participate in joint activities, including: utilization review, quality assessment and improvement activities, and/or payment activities.
As Required by Law, we may also use and disclose health information for the following types of entities, including but not limited to:
a. Food and Drug Administration
b. Public Health or Legal Authorities charged with preventing or controlling disease, injury, or disability
c. Correctional Institutions
d. Helping with product recalls
e. Reporting adverse reactions to medications
f. Reporting suspected abuse, neglect or domestic violence
g. Preventing or reducing a serious threat to anyone’s health or safety
h. Workers Compensation Agents
i. Organ and Tissue Donation Organizations
j. Military Command Authorities
k. Health Oversight Agencies
l. Funeral Directors, Coroners, and Medical Directors
m. National Security and Intelligence Agencies
n. Protective Services for the President and Others
Lawsuits and Disputes: If you are involved in a lawsuit or a dispute, we may disclose medical information about you in response to a court or administrative order. We may disclose medical information about you in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information released.
Law Enforcement: We may release medical information if asked to do so by a law enforcement official: in response to a court order, subpoena, warrant, summons or administrative request; and in other limited circumstances.
State-Specific Requirements: Texas has some reporting requirements including population-based activities relating to improving health or reducing health care costs. Some Texas privacy laws may apply additional legal requirements. If the state privacy laws are stricter than federal privacy laws, the state law preempts the federal law.
If you have any questions regarding your privacy rights or this notice, please contact United Regional’s Privacy Officer. If you believe your privacy rights have been violated you may file a written complaint with the United Regional Privacy Officer at the address below, or with U.S. Department of Health and Human Services Office for Civil Rights at the contact information below. We will not retaliate against you for filing a complaint.
United Regional Health Care System
Attn: Privacy Officer Office
1600 Eleventh Street
Wichita Falls, TX 76301
U.S. Department of Health and Human Services for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
Other Uses of Health Information
Other uses and disclosures of health information not covered by this notice or the laws that apply to us will be made only with your written permission. If you provide us permission to use or disclose health information about you, you may revoke that permission, in writing, at any time. If you revoke your permission, we will no longer use or disclose health information about you for the reasons covered by your written authorization. You understand that we are unable to take back any disclosures we have already made with your permission, and that we are required to retain our records of the care that we provided for you.
United Regional, Notice of Privacy Practices, rev. 4/2019