Notice of Privacy Practices

We can use and share your health information, including mental health, chemical dependency treatment records, and HIV-related information, and share it with other professionals who are treating you, or other personnel who are involved in your care, as authorized by law. For substance use disorder-related (“SUD”) records, we must also follow confidentiality protections of 42 CFR Part 2, which are described further below. Where uses and disclosures are more limited by 42 CFR Part 2, we will abide by such restrictions.

Some or all of your health information may be created and/or stored in an Electronic Health Record, which may be accessed by providers or other personnel involved in your care with authority or need, or when permissible by law to do so. We use and share your health information across all Rochester Regional Health clinical services so there is one Electronic Health Record for each patient in the system.

Example: Your physician or nurse may access your medical record for the purpose of treating you. If you are being treated for a specific injury, they may ask another provider about your overall health condition.

Example: If you see a physician for primary care at one Rochester Regional Health location and you are referred to a different location for a specialty service, your specialist will have access to the information entered by your primary care physician.

We can use and share your health information when performing a variety of business activities, which we call “health care operations”. These health care operations allow us to run our hospitals and clinics, improve the quality of care we provide, and contact you when necessary. Rochester Regional Health personnel across the system have access to your Electronic Health Record so that we can conduct joint business operations.

Example: Rochester Regional Health personnel may access your Electronic Health Record to review and evaluate the skills, qualifications, and performance of health care providers taking care of you.

We can use and share your health information to bill and get payment from health plans or other entities.

Example: We give information about you to your health insurance plan so it will pay for your services.

We may disclose your health information to a relative, close personal friend, or any other person you identify if that person is involved in your care and the information is relevant to your care. If the patient is a minor, we may disclose the minor’s health information to a parent, guardian, or other person responsible for the minor, except in limited circumstances.

We may include limited information about you in a facility directory while you are at one of our facilities This information may include your name, location, and your religious affiliation. The directory information, except your religious affiliation, may be released to people who ask for you by name. You have the right to request that your name not be included in this directory.

We may contact you to remind you of appointments you’ve scheduled with us. We may also use or disclose your information to provide you with information about treatment alternatives or other health-related benefits and services that may be of interest to you.

Example: We may e-mail you a newsletter or other information on health-related benefits of interest to you.

We may disclose your health information to other health care providers and organizations who may potentially help coordinate and improve the services you receive. These communications help us manage your care and ensure that you get the necessary follow-up services to stay healthy.

Example: In order to develop your discharge plan, we may talk to a home health provider to see what services are available to help you manage your health at home.

We may use your PHI to create data that cannot be linked to you by removing certain elements from your protected health information (PHI), such as your name, address, telephone number, and medical record number.  We may use such de-identified information for certain business purposes, or disclose your PHI to a business associate for the purpose of creating de-identified information.

Example:  We may use de-identified information to create summary reports or to monitor trends in order to help us improve services delivery.

In order to ensure that communications essential to providing quality healthcare are not hindered, incidental disclosures may occur. We will make reasonable efforts to limit these incidental disclosures.

Example: After surgery, the nurse or physician may need to use your name to identify family members that may be waiting for you in a waiting area and other individuals waiting in the same area may hear your name called. 

We will use and disclose medical information about you whenever we are required by federal or state law to do so.

Example: State law requires us to report gunshot wounds and other injuries to the police and to report known or suspected child abuse or neglect to the Department of Social Services. We will comply with those state laws and with all other applicable laws.

We may access, share, store and/or transmit your health information, including sensitive information related to HIV, sexually transmitted diseases, mental health, drug and alcohol treatment, genetic testing, and reproductive health, electronically through the “SHIN-NY”, a statewide health information network, and with other health information exchanges (HIEs) for treatment, payment and health care operations purposes. RRH also uses data exchange technologies, such as record locator services, APIs (as described below), direct messaging services, and provider portals with its EHR to exchange your health records for permitted purposes. HIEs and data exchange technology providers function as our business associate, enabling the sharing of your health records for continuity of care and to improve the quality of health care services provided to you (i.e., avoiding unnecessary duplicate testing). These entities must implement administrative, technical, and physical safeguards that reasonably and appropriately protect the confidentiality, integrity, and security of your health information. Applicable law may provide you with rights to restrict, opt-in, or opt-out of HIEs, including the SHIN-NY. Please contact the designated Privacy Contact on Appendix A for more information.

We may disclose information to a person or entity we contract with to perform some of our business functions. We require all of our business associates to appropriately safeguard your information with the same diligence that we would. If receiving SUD information, the entity agrees to be bound by 42 CFR Part 2 and, if necessary, resist in judicial proceedings any efforts to obtain access to patient records except as permitted by law.

Example: We may disclose your health information to a billing service in order to bill your insurance company, or to our attorneys.

Greater Rochester Independent Practice Association (“GRIPA”) is an organization that helps to coordinate and manage health care in order to manage cost and reduce duplicate or unnecessary services. We may share your health information with GRIPA to help coordinate your care.  This may include certain sensitive information. Such disclosures are permitted based on the treatment, payment, or health care operations exceptions, and in some instances based on your consent.

We can use or share your information for health research if the research organization has satisfied certain conditions protecting the privacy of health information.

We can share health information about you with organ procurement organizations.

If you have newly diagnosed cancer, we will release your health information to the New York State Cancer Registry.

We can share health information with a coroner, medical examiner, or funeral director when an individual dies.

Example: This may be necessary to identify a deceased person or determine cause of death.

We can share health information about you in response to a court or administrative order, or in response to a subpoena, discovery request, warrant, summons or other lawful process as authorized or required by law.

We may use or disclose to our affiliated foundation limited identifying information from patient lists to send you material in connection with our fundraising efforts. You have the right to opt-out of receiving fundraising communications and any materials you receive will describe the opt-out process.

Mental Health and SUD treatment information is subject to enhanced protections under state and federal law, which we follow. Treatment of these conditions is increasingly done on an integrated basis in our Behavioral Health clinics and we encourage Behavioral Health providers to coordinate and manage care of patients seen at multiple sites. If you are a patient of one of these clinics, we will ask for your permission to disclose your information for treatment and care coordination purposes to Behavioral Health providers at other clinics where you have an established treatment relationship.

Download Notice of Privacy Practices

If you have selected someone to make health care decisions on your behalf, or if someone is your legal guardian, that person can exercise your rights and make choices about your health information.

We will make sure the person has this authority and can act for you before we take any action.

We are required by law to notify individuals affected by a breach of unsecured (i.e. unencrypted) protected health information. We will let you know promptly if a breach occurs that may have compromised the privacy or security of your information.

You have the right to request or authorize that your electronic PHI in your designated record set be transmitted to you or another person or organization through an API. APIs are computer coding mechanisms that permit two or more electronic computer applications or software programs to communicate with each other and share information. We are required by law to comply with requests regarding API transmissions, subject to certain exceptions. You understand that PHI transmitted through an API at your request will no longer be under our protection and control, will no longer be subject to the protections and rights outlined in this Notice, and may no longer be subject to the same laws, regulations, policies or procedures regarding its confidentiality, security, privacy, use, or disclosure. You understand and agree that you make any request to us to transmit your PHI through an API at your own risk and you assume all liability for the consequences of such action taken by us at your direction. We caution you to confirm any confidentiality, security or privacy protections with respect to your transmitted PHI with the recipient of the PHI prior to submitting a request to us to transmit your PHI through an API.

You can complain if you feel we have violated your rights by contacting the Privacy Contact for the applicable Affiliate designated on Appendix A of this Notice.

You can file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights using the following contact information:

Centralized Case Management Operations
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Room 509F, HHH Building
Washington, D.C. 20201

• Website: https://www.hhs.gov/civil-rights/filing-a-complaint/index.html
• Email: OCRComplaint@hhs.gov

Violation of Part 2 is a crime. You may report suspected violations of Part 2 in the same manner as above.

We will not retaliate against you for filing a complaint.