Patient Privacy & HIPAA

Protecting Patient Privacy

ECMCC understands that you may have concerns about privacy. Our patients are our number one priority, and we believe that patient privacy is an integral part of the health care we provide to you. 

To ensure the development of a lasting bond of trust with our patients, we have many safeguards to protect the privacy and security of your personal information. Our Privacy Officer can answer any questions a patient may have about the way in which their health information will be used. We also have many policies in place to protect the privacy and security of your personal information, and our employees are educated from the moment they are hired, and continually afterward, to respect and protect our patients’ privacy.

Also, federal and state laws such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) provide guidance for patients regarding their privacy rights and the use or disclosure of their medical information. These rights are described in detail in ECMCC’s Notice of Privacy Practices below. 

According to a recent industry report, 15.4 million consumers were victims of identity theft or fraud last year, with a total of $16 billion stolen from victims.

Awareness is key to helping you avoid becoming a victim of identity theft. ECMCC would like to make you aware of what to do if you suspect your identity has been stolen. 

If you have insurance, contact your insurance company immediately if: 

  • You have unexpectedly been told that you have reached your benefit limit. 
  • You experience a denial of service because your plan shows you have a condition that you do not have. 
  • Debt collectors start to call you about a medical debt you do not believe you owe. 

Individuals have rights under HIPAA to access their health information under the regulation 45 CFR § 164.524. Please see ECMCC’s policy, Release of Patient Medical Records, and the forms that need to be completed to receive records.

Please find the following policy and forms under the policy and forms section below.

  1. ECMCC’s Release of Patient Medical Records Policy
  2. Release of Information Forms:

At ECMCC, we not only care for your well-being, but we are also committed to protecting the security and privacy of your personal health information. We utilize sophisticated technologies and processes to protect your data, and we require that our external partners and vendors meet the same high standards we follow. Our computer networks, data centers, personal computing devices, and all systems are being continuously monitored to prevent unwanted intrusions and computer infections. Like your health, we take security very seriously. All ECMCC workforce members are trained to follow strict guidelines to make sure that your information is protected and remains secure.

ECMCC’s Privacy Officer is here to address any question or complaint related to the way in which the privacy of medical information is handled. We can be reached as follows:

Laura Fleming, Privacy Officer

Additionally, toll-free, anonymous, confidential, non-retaliatory reporting is available 24 hours, 7 days a week. Call our Compliance and HIPAA Anonymous Hotline at (855) 222-0758. 

While we hope you will contact ECMCC’s Privacy Officer so we may address your concerns, you also have the right to contact the Office for Civil Rights to file a complaint. 

Office for Civil Rights
U.S. Department of Health and Human Services
Jacob Javits Federal Building
26 Federal Plaza – Suite 3312
New York, NY 10278
Voice Phone: (212) 264-3313
FAX: (212) 264-3039
TDD: (212) 264-2355

Frequently Asked Questions

HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996. It is a federal law designed to help protect your health information.

HIPAA protects the privacy and security of patient medical information in both written and electronic forms and establishes safeguards that health care providers must implement to protect that information. It also sets the terms on which medical information can be transmitted to other providers and to health insurers. It gives patients more control over, and access to, their medical information and sets limitations on the use and release of that information.

Yes. HIPAA applies to what are termed “covered entities,” which include:

  • Healthcare providers
  • Health plans (self-insured/insured, HMOs, health insurance companies, employer health plans, and similar arrangements)
  • Healthcare clearinghouses (entities that standardize health information)

Often, contractors, subcontractors, and other outside persons and companies that are not employees of a covered entity will need to have access to your health information when providing services to the covered entity. These entities are called “business associates” and also are required to comply with HIPAA.

The HIPAA Privacy Rule protects “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “Protected Health Information,” which is also referred to as “PHI.” PHI is information created or received by a covered entity that: (i) may relate to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the payment for the provision of health care to an individual; and (ii) identifies the individual who is the subject or based on which there is a reasonable basis to believe that the individual who is the subject can be identified. 

The following are examples of identifiers that could be considered individually identifiable information: 

  • Names 
  • Geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code in certain situations. 
  • All elements of date (except year) for dates directly related to an individual, including birth date, discharge date, date of death; and all ages over 89 and all elements of dates indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
  • Telephone numbers 
  • Fax numbers 
  • Electronic mail addresses 
  • Social security numbers 
  • Medical record numbers 
  • Health plan beneficiary numbers 
  • Account numbers 
  • Certificate/license numbers 
  • Vehicle identifiers and serial numbers 
  • Medical device identifiers 
  • Web universal resource locators (URLs) 
  • Internet protocol (IP) address numbers 
  • Biometric identifiers, including finger and voice prints 
  • Full face photographic images and any comparable images 
  • Any other unique identifying number, characteristic, or code

ECMCC has implemented several controls to comply with HIPAA. Some of them are: 

  • Privacy Officer 
  • Regular, periodic training for the members of its workforce 
  • Policies and procedures to help protect the privacy and security of patients’ individually identifiable health information 
  • HIPAA audits 
  • FairWarning – A proactive privacy monitoring tool
  • A Notice of Privacy Practices that is available to all patients

HIPAA provides many rights to patients. These rights include: 

  • The right to receive ECMCC’s Notice of Privacy Practices 
  • To request in writing a restriction on certain uses or disclosures of your medical information for treatment, payment, or health care operations (e.g., a restriction on who may access your medical information). 
  • To obtain a paper copy of this notice upon request  
  • To inspect and obtain a copy of your medical information, in most cases. If you request a copy (paper or electronic), we may charge you a reasonable, cost-based fee.
  • To request in writing an amendment to your records if you believe the information in your record is incorrect or important information is missing.  
  • To obtain an accounting of disclosures.  
  • To request that medical information about you be communicated to you in a certain way or at a certain location.

You can access the form that you must fill out to request a copy of your medical records by clicking the link above, under Authorization for release of health information pursuant to HIPAA, in paper or electronic form.

Using the authorization form referenced above, you may limit the request to only specific dates of service. Most of the information in your medical record pertaining to those particular dates of service will be included in the response to your request. However, certain portions of your record, such as psychotherapy notes, may not be included in the response.

You may request an amendment to your medical record if you believe that information in your record is inaccurate. Subject to your health care provider’s discretion and applicable law, we will do our best to accommodate all reasonable requests. Please refer to ECMCC’s Amendment policy and the form to be completed; these can be found under the policy and forms section below.

Request for Amendment Form

All requests must be in writing and submitted to the Privacy Office at ECMC, 462 Grider Street, Buffalo NY 14215. For questions please call the Privacy Officer at (716) 898-5880.

ECMCC’s Privacy Officer is here to assist you with any questions related to the privacy of your health information. Please call the Privacy Office at (716) 898-5880 for further information.

You may be asked to participate in research studies while you are a patient at ECMCC. However, your identifiable medical information will not be used for research purposes without your prior authorization.

For more information about the privacy of your medical information, we recommend that you consult the following website:
