This official notice regarding HIPAA and privacy laws describes how health information about you may be used and disclosed, and how you can get access to this information. Please review it carefully.
Effective: April 14, 2003
Revised: August 22, 2016 (Download)
If you have any questions about this notice, please contact our Privacy Officer:
- Erie County Medical Center
462 Grider Street
Buffalo, NY 14215
Phone: (716) 898-3256
- Terrace View Long-Term Care Facility
462 Grider Street
Buffalo, NY 14215
Phone: (716) 898-3256
Who Will Follow This Notice
This notice describes the practices of our facilities and that of:
- Any health care professional authorized to enter information into your medical record.
- Persons permitted by law to access your medical record, such as representatives of the Mental Hygiene Legal Service in matters of Behavioral Health.
- All departments and units of the network.
- Any member of a volunteer group we allow to help you while you are within the network.
- All employees, staff and other network personnel.
- Erie County Medical Center, Terrace View and Erie County Medical Center Outpatient Clinics. All these entities, sites and locations follow the terms of this notice. In addition, these entities, sites and locations may share medical information with each other for treatment, payment or operations as described in this notice.
Our Pledge Regarding Medical Information
We understand that your health and your Health Information and your health are personal. We are committed to protecting your Health Information.
- We create a record of the care and services you receive at our facilities. We need this record to provide you with quality care and to comply with certain legal requirements.
- This notice applies to all of the records of your care generated by the ECMC, whether made by facility personnel, personal doctor or laboratory results, being especially sensitive to the needs of the Behavioral Health, Substance Abuse and HIV patient.
- Your personal doctor may have different policies or notices regarding the doctor’s use and disclosure of your medical information created in the doctor’s office or clinic.
- This notice will tell you about the ways in which we may use and disclose your Health Information. We also describe your rights and certain obligations we have regarding the use and disclosure of medical information.
We are required by law to:
- Make sure that medical information that identifies you is kept private
- Give you this notice of our legal duties and privacy practices with respect to medical information about you
- Follow the terms of the notice that is currently in effect
How We May Use and Disclose Your Health Information
The following categories describe different ways that we use and disclose medical information that identifies you (“Health Information”). Except for the purposes described below, we will use and disclose Health Information only with your written permission. You may revoke such permission at any time by writing to our practice Privacy Officer. For each category of uses or disclosures we will explain what we mean and try to give some examples. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one of the categories.
- We may use Health Information to provide you with medical treatment or services.
- We may disclose Health Information to doctors, nurses, technicians, medical students, or other hospital personnel who are involved in taking care of you. For example, a doctor treating you for a broken leg may need to know if you have diabetes because diabetes may slow the healing process. In addition, the doctor may need to tell the dietitian if you have diabetes so that we can arrange for appropriate meals.
- Different departments of the facility also may share Health Information in order to coordinate the different things you need, such as prescriptions, lab work and x rays.
- We also may disclose Health Information, with your specific written authorization, to people outside the facility who may be involved in your medical care after you leave the facility, such as family members, clergy or others we use to provide services that are part of your care.
- Please note that additional authorizations may be required.
- We may use and disclose Health Information so that the treatment and services you receive may be billed to and payment may be collected from you, an insurance company or a third party. For example, we may need to give your health plan information about surgery you received at the hospital so your health plan will pay us or reimburse you for the surgery.
- We may also tell your health plan about a treatment you are going to receive in order to obtain prior approval or to determine whether your plan will cover the treatment.
- If an individual has paid for services out-of-pocket, in full, and the individual requests that the ECMC not disclose PHI related solely to those services to a health plan, ECMC must accommodate the individual’s request, except where the healthcare provider is required by law to make a disclosure (45 C.F.R. §164.520(b)(1)(iv)(A)).
>> Health Care Operations
- We may use and disclose Health Information for network operations. These uses and disclosures are necessary to run the ECMC Healthcare Network and to ensure that all of our patients receive quality care. For example, we may use medical information to review our treatment and services and to evaluate the performance of our staff in caring for you.
- We may also combine medical information about many patients to decide what additional services we should offer, what services are not needed, and whether certain new treatments are effective.
- We may also disclose information to doctors, nurses, technicians, medical students, and other personnel for review and learning purposes.
- We may also combine the medical information we have with medical information from other facilities to compare how we are doing and see where we can make improvements in the care and services we offer.
- We may remove information that identifies you from this set of medical information so others may use it to study health care and health care delivery without learning your identity.
>> Appointment Reminders
- We may contact you as a reminder that you have an appointment for treatment or medical care.
>> Treatment Alternatives
- We may use and disclose Health Information to tell you about or recommend possible treatment options or alternatives that may be of interest to you.
>> Health-Related Benefits & Services
- We may use and disclose Health Information to tell you about health related benefits or services that may be of interest to you.
>> Fundraising Activities
- We may use Health Information to contact you in an effort to raise money for the network and its operations. This will exclude all patients treated in Behavioral Health, Substance Abuse and Immunodeficiency Services.
- We may disclose information to a foundation related to the network so that the foundation may contact you in an effort to raise money. Information released will be limited to your name, address and phone number and the dates you received treatment or services. If you do not want to be contacted for fundraising efforts, you must notify the facility’s Privacy Officer in writing.
>> Patient Information
- Unless you ask us not to do so, we may disclose certain limited Health Information about you while you are a patient. For Behavioral Health patients, Substance Abuse and HIV patient, no Health Information will be provided without your explicit permission. This information may include your name, location, and your general condition (e.g., fair, etc.).
- This information, except for your religious affiliation, may also be released to people who ask for you by name. Unless you object, your religious affiliation may be given to a member of the clergy.
>> Individuals Involved in Your Care or Payment for Your Care
- While you are in our facility, we may discuss Health Information with a family member or friend who is involved in your medical care.
- We may also give information to someone who helps pay for your care.
- We may also tell your family or friends your condition and that you are in the facility.
- In addition, we may disclose Health Information to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status and location.
- For Behavioral Health and Substance Abuse patients, no information will be disclosed without your written authorization except as permitted or required by law.
- Under certain circumstances, we may use and disclose Health Information for research purposes. For example, a research project may involve comparing the health and recovery of all patients who received one medication to those who received another, for the same condition. All research projects, however, are subject to a special approval process. This process evaluates a proposed research project and its use of medical information, trying to balance the research needs with patients’ need for privacy.
- Before we use or disclose medical information for research, the project will have been approved through a research approval process. ECMC is prohibited from using or disclosing genetic information of an individual for underwriting purposes (45 CFR 164.520(b)(1)(iii)(C)).
- Even without special approval, we may permit researchers to look at records to help them identify patients who may be included in their research project or for other similar purposes, as long as they do not remove or take a copy of any Health Information.
The following categories describe special situations in which we may use and disclose medical information that identifies you (“Health Information”).
>> As Required By Law
- We will disclose Health Information when required to do so by federal, state or local law.
>> To Avert a Serious Threat to Health or Safety
- We may use and disclose Health Information when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.
>> Business Associates
- We may disclose Health Information to our business associates that perform functions on our behalf or provide us with services if the information is necessary for such functions or services. For example, we may use another company to perform billing services on our behalf.
- All of our business associates are obligated to protect the privacy of your information and are not allowed to use or disclose any information other than as specified in our contract.
>> Organ & Tissue Donation
- If you are an organ donor, we may release Health Information to organizations that handle organ procurement or organ, eye or tissue transplantation or to an organ donation bank, as necessary to facilitate organ or tissue donation and transplantation.
>> Military & Veterans
- If you are a member of the armed forces, upon your authorization, we may release Health Information as required by military command authorities.
- We may also release medical information about foreign military personnel to the appropriate foreign military authority.
>> Workers’ Compensation
- Upon your written authorization, we may release Health Information for workers’ compensation or similar programs. These programs provide benefits for work related injuries or illness.
>> Public Health Risks
- We may disclose Health Information for public health activities. These activities generally include the following:
- To prevent or control disease, injury or disability;
- To report births and deaths;
- To report child abuse or neglect;
- To report reactions to medications or problems with products;
- To notify people of recalls of products they may be using;
- To notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition;
- To notify the appropriate government authority if we believe a patient has been the victim of abuse, neglect or domestic violence. We will only make this disclosure if you agree or when required or authorized by law.
>> Health Oversight Activities
- We may disclose medical information to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.
>> Data Breach Notification Purposes
- We may use or disclose your Health Information to provide legally required notices of unauthorized access to or disclosure of your health information.
>> Lawsuits & Disputes
- If you are involved in a lawsuit or a dispute, we may disclose Health Information in response to a judicial subpoena, court order or administrative order as allowed by federal, state or local law.
- We may also disclose Health Information in response to other lawful process, for example, a written request by any of the parties involved in the lawsuit or dispute when such a written request is accompanied by your duly executed authorization consenting to the release of medical information.
>> Law Enforcement
- We may release your Health Information if asked to do so by a law enforcement official:
- In response to a court order, judicial subpoena, warrant, summons or similar process;
- To identify or locate a suspect, fugitive, material witness, or missing person;
- About the victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement;
- About a death we believe may be the result of criminal conduct;
- About criminal conduct at the facility; or
- In emergency circumstances to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime.
>> Coroners, Medical Examiners & Funeral Directors
- We may release Health Information to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or to determine the cause of death.
- We may also release Health Information about patients of the facility to funeral directors as necessary to enable them to carry out their duties.
>> National Security & Intelligence Activities
- We may release Health Information to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.
>> Protective Services for the President of the United States & Others
- We may disclose Health Information to authorized federal officials so they may provide protection to the President of the United States, other authorized persons or foreign heads of state or conduct special investigations.
- If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release Health Information to the correctional institution or law enforcement official. This release would be necessary:
- (1) for the institution to provide you with health care;
- (2) to protect your health and safety or the health and safety of others; or
- (3) for the safety and security of the correctional institution.
Object & Opt Out Required
The following categories describe situations that require us to give you an opportunity to object and opt out prior to disclosing medical information that identifies you (“Health Information”).
>> Individuals Involved in Your Care or Payment for Your Care
- Unless you object, we may disclose to a member of your family, a relative, a close friend or any other person you identify, your Health Information that directly relates to that person’s involvement in your health care.
- If you are unable to agree or object to such a disclosure, we may disclose such information as necessary if we determine that it is in your best interest based on our professional judgment.
>> Disaster Relief
- We may disclose your Health Information to disaster relief organizations that seek your Health Information to coordinate your care, or notify family and friends of your location or condition in a disaster.
- We will provide you with an opportunity to agree or object to such a disclosure whenever we practically can do so.
Written Authorization Required
The following uses and disclosures of your Health Information will be made only with your written authorization:
- Uses and disclosures of Health Information for marketing purposes; and
- Disclosures that constitute a sale of your Health Information.
Other uses and disclosures of Health Information not covered by this Notice or the laws that apply to us will be made only with your written authorization. If you do give us an authorization, you may revoke it at any time by submitting a written revocation to our Privacy Officer and we will no longer disclose Health Information under the authorization. But disclosure that we made in reliance on your authorization before you revoked it will not be affected by the revocation.
Your Rights Regarding Your Health Information
You have the following rights regarding medical information we maintain about you:
>> Right to Inspect and Copy
- You have the right to inspect and/or receive copies of medical information that may be used to make decisions about your care. Usually, this includes medical and billing records, other than psychotherapy notes.
- To inspect and/or receive copies of medical information that may be used to make decisions about you, you must submit your request in writing to the facility’s Health Information Management Department. If you request a copy of the information, we have up to 30 days to make your Health Information available to you and we may charge a fee for the costs of copying, mailing or other supplies associated with your request, as permitted by New York State law.
- We may deny your request to inspect and copy in certain very limited circumstances. If you are denied access to medical information, you may request a review of the denial under New York State law.
- We may not charge you a fee if you need the information for a claim for benefits under the Social Security Act or any other state of federal needs-based benefit program.
>> Right to an Electronic Copy of Electronic Medical Records
- If your Health Information is maintained in an electronic format (known as an electronic medical record or an electronic health record), you have the right to request that an electronic copy of your record be given to you or transmitted to another individual or entity.
- We will make every effort to provide access to your Health Information in the form or format you request, if it is readily producible in such form or format. If the Health Information is not readily producible in the form or format you request your record will be provided in either our standard electronic format or if you do not want this form or format, a readable hard copy form.
- We may charge you a reasonable, cost-based fee for the labor associated with transmitting the electronic medical record.
>> Right to Be Notified of Breach
- You have the right to be notified when a breach of your unsecured PHI has occurred.
>> Right to an Accounting of Disclosures
- You have the right to request an accounting of disclosures. This is a list of certain disclosures we made of Health Information. To request this list or accounting of disclosures, you must submit your request in writing to the facility’s Privacy Officer.
- Your request must state a time period which may not be longer than six years and may not include dates before April 14, 2003.
- Your request should indicate in what form you want the list (for example, on paper or electronically). The first list you request within a 12 month period will be free.
- For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred.
- We are not required to provide an accounting of disclosures under certain circumstances. For example, if you requested us to make the disclosure to a third party through your written authorization, or if the disclosure is for purposes of treatment, payment, or healthcare operations, we are not required to provide you an accounting.
>> Right to Request Restrictions
- You have the right to request a restriction or limitation on the medical information we use or disclose about you for treatment, payment or health care operations.
- You also have the right to request a limit on ‘the medical information we disclose about you to someone who is involved in your care or the payment for your care, like a family member or friend. For example, you could ask that we not use or disclose information about a surgery you had. We are not required to agree to your request unless you are asking us to restrict the use and disclosure of your Health Information to a health plan for payment or health care operation purposes and such information you wish to restrict pertains solely to a health care item or service for which you have paid us “out-of-pocket” in full.
- If we agree, we will comply with your request unless the information is needed to provide you with emergency treatment. To request restrictions, you must make your request in writing to the facility’s Privacy Officer. Your request must tell us what information you want to limit, whether you want to limit our use, disclosure, or both, and to whom you want the limits to apply.
>> Out-of-Pocket Payments
- If you paid out-of-pocket (or in other words, you have requested that we not bill your health plan) in full for a specific item or service, you have the right to ask that your Health Information with respect to that item or service not be disclosed to a health plan for purposes of payment or health care operations, and we will honor that request.
>> Right to Request Confidential Communications
- You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail.
- To request confidential communications, you must make your request in writing to the facility’s Privacy Officer. Although we are not required by law to agree with your request, we will make every effort to accommodate all reasonable requests. Your request must specify how or where you wish to be contacted.
>> Right to a Paper Copy of This Notice
- You have the right to a paper copy of this notice. You may ask us to give you a copy of this notice at any time. Even if you have agreed to receive this notice electronically, you are still entitled to a paper copy of this notice.
- You may obtain a copy of this notice at our website.
- To obtain a paper copy of this notice, contact the facility’s Privacy Officer.
Changes to This Notice
We reserve the right to change this notice. We reserve the right to make the revised or changed notice effective for medical information we already have about you as well as any information we receive in the future.
We will post a copy of the current notice in the facility. The notice will contain, on the first page, the effective date. In addition, when you register at or are admitted to the facility for treatment or health care services as an inpatient or outpatient, we will offer you a copy of the current notice in effect.
If you believe your privacy rights have been violated, you may file a complaint with the facility or with the Secretary of the Department of Health and Human Services. To file a complaint with the facility, contact the facility’s Privacy Officer. All complaints must be submitted in writing.
You will not be penalized for filing a complaint.
Other Uses of Medical Information
Other uses and disclosures of medical information not covered by this notice or the laws that apply to us will be made only with your written permission.
- If you provide us permission to use or disclose Health Information, you may revoke that permission, in writing, at any time.
- If you revoke your permission, we will no longer use or disclose Health Information for the reasons covered by your written authorization.
- You understand that we are unable to take back any disclosures we have already made with your permission, and we are required to retain our records of the care that we provided to you.