Alverno Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
OUR PLEDGE REGARDING PHI
Alverno Laboratories, on behalf of itself and all legal entities that make it up, including their department and units, the staff within our health care facilities, health care professionals permitted by us to provide services to you on our behalf, and others involved in providing your care on our behalf (collectively, “Alverno,” “we” or “us”) understands that medical information about you and your health is personal. We are committed to protecting the privacy and security of your protected health information (“PHI”). We create a record of the care and services you receive from us. We need this record to provide you with quality care and to comply with certain legal requirements. This notice applies to all the protected health information about you created, received, or maintained by us. Other health care providers may have different policies or notices regarding use and disclosure of your PHI.
This notice will tell you about the ways in which we protect, use and disclose your PHI. This notice also describes your rights and certain obligations we have regarding the use and disclosure of PHI. If you have any questions about this notice, please contact us as provided at the end of this notice.
Protected Health Information or “PHI” refers to any information, transmitted or maintained in any form or medium, which we create or receive that relates to your physical or mental health, the delivery of health care services to you, or payment for health care services, and that identifies you or could be used to identify you, in accordance with the Health Insurance Portability and Accountability Act of 1996 and its related regulations (“HIPAA”).
Alverno, including all of the people and places that make up Alverno, maintains its patient health record through the use of an electronic health record system ("EHR system") shared with Franciscan Health and Ascension Illinois (“Providers”). Through the EHR system, PHI of Alverno patients is combined with that of the other Providers, such that each patient has a single, longitudinal health record with respect to health care services provided by Alverno and the Providers. Through the EHR system, Alverno and the Providers have formed an organized system of health care in which Alverno and the Providers participate in joint utilization management and/or quality assurance activities and as such qualify to participate in an Organized Health Care Arrangement (“OHCA”) as defined under HIPAA. With limited exceptions, as OHCA participants, Alverno and the Providers may use and disclose the PHI contained within the EHR system for treatment, payment and health care operations purposes of the OHCA.
We participate in IHIE (Indiana Health Information Exchange) to share your medical records via secure, encrypted connections to enable your treating providers to access your health information when treating you. The information shared includes your medical history, previous diagnoses, test results (i.e. labs and imaging), current medications, allergies, and progress notes. This connection allows for real-time access without having to wait for records to be transferred between facilities. You may opt-out if you do not want your record shared with your treating providers through [Insert HIE Name].
We are required by law to:
- Implement reasonable and appropriate safeguards to maintain the privacy of your PHI;
- Give you this notice of our legal duties and privacy practices with respect to PHI about you; and
- Follow the terms of the notice that are currently in effect.
This notice does not apply to health information that is not subject to HIPAA or similar state health information privacy laws, or information used or shared in a manner that cannot identify you. This notice does not apply to any Alverno health plan or to Alverno as an employer. Any Alverno health plan is considered a separate covered entity for the purpose of HIPAA and has its own notice of privacy practices. This notice only applies to those parts of Alverno’s websites and mobile device applications where you can access your PHI or interact with a clinician regarding your specific care, such as Alverno’s patient portal with respect to your PHI. However, these websites and applications may contain additional terms associated with your use. You should review those terms as well as the website terms contained on the Alverno website that you visit.
The following paragraphs describe examples of ways we may use and disclose PHI:
USE FOR TREATMENT, PAYMENT OR HEALTH CARE OPERATIONS
- For Treatment. We may use PHI about you to provide, coordinate or manage your medical treatment and related services. We may disclose PHI about you to doctors, nurses, hospitals, clinics and other health care providers who are involved in taking care of you. Our various departments also may share PHI about you in order to coordinate your medical treatment and related services. For example, we may disclose PHI about you to people outside Alverno, such as other health care providers involved in providing medical treatment to ensure that the health care provider has appropriate information regarding your previous treatments and diagnoses.
- For Payment. We may use and disclose PHI about you so that the services and items you receive from us, or other health care providers from whom you receive treatment, may be billed to, and payment may be collected from, you, an insurance company, or a third-party payor. For example, we may need to give your insurance company information about the services or items you received from us so your insurance company will pay us or reimburse you for your services or items. We may also tell your insurance company about a service or item you are going to receive to obtain prior approval or to determine whether your plan will cover the service or item.
- For Health Care Operations. We may use and disclose PHI about you to carry out health care operations. These are activities that are necessary to operate our facilities and for administrative and quality assurance purposes. They include, but are not limited to, for example: conducting quality assessment and improvement activities; reviewing the qualifications and performance of health care providers; training and performing accreditation, certification, or licensing activities; managing our business and performing general administrative activities; and responding to a government or commercial payor audit. We may also share your PHI for case management and care coordination purposes.
OTHER USES AND DISCLOSURES OF PHI
Listed below are a number of other ways that PHI can be used or disclosed. This list is not exhaustive. Therefore, not every use or disclosure in a category is listed.
- Business Associates. We obtain some services provided through contracts with business associates pursuant to which PHI is disclosed. For example, we may use a third party for billing and collections, document destruction, software support or quality assurance. At times, we may disclose your PHI to our business associates so that the business associates can provide services to, or on behalf of, us. We will require that any business associate who receives your PHI appropriately safeguards your PHI through a written business associate agreement. If our business associate discloses the PHI to its own subcontractor, it must enter into a similar agreement with the subcontractor regarding your PHI as we have with it. Business Associates are obligated to provide us with any breach of your unsecured PHI so that we may ensure you are notified in accordance with applicable law.
- Individuals Involved in Your Care or Payment for Your Care. Unless you object, we may release PHI about you to a friend or family member whom you have identified as being involved in your medical care or who helps pay for your care. We may share your PHI with these persons if you are present or available and you do not object to our sharing your PHI with them, or we reasonably believe that you would not object to this. If you are not present and certain circumstances indicate to us that it would be in your best interests to do so, we will share information with a friend or family member or someone else involved in your care, to the extent necessary.
- Disaster Relief Efforts. We may disclose PHI about you to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status and location. You have the right to object to such disclosure, unless you are unable to function or there is an emergency.
- As Required By Law. We may use and disclose PHI about you when required to do so by federal, state, or local law.
- Law Enforcement/Legal Proceedings. We may release PHI to a law enforcement official as required or permitted by law or in response to a court or administrative order. This includes, but is not limited to, assisting with identifying or locating a suspect, fugitive, material witness or missing person; complying with a court order or warrant, and grand jury subpoena; reporting information about a victim of a crime, reporting a death we believe resulted from criminal conduct, reporting criminal conduct occurring on our premises, or reporting crime in an emergency, such as the location of the crime or victims or the identity, description or location of the person who committed the crime. We may use and disclose your PHI in conjunction with judicial or administrative proceedings or for purposes of litigation as permitted by law. We may disclose PHI about you in response to a subpoena, discovery request or other lawful process by someone else involved in a dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested.
- Public Health Risks. We may disclose PHI about you for public health activities as permitted or required by federal and state law. These activities generally include the following:
- Prevent or control disease, injury, or disability
- Report births and deaths
- Report abuse, neglect or, in some jurisdictions, domestic violence
- Report reactions to medications or problems with products
- Help with recalls of products
- Coroners, Medical Examiners, and Funeral Directors. We may release PHI to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also release PHI to funeral directors as necessary to carry out their duties.
- Organ and Tissue Donation. If you are an organ donor, we may disclose your PHI to organizations that handle organ procurement or organ, eye or tissue transplantation, or to an organ donation bank, as necessary to facilitate organ or tissue donation and transplantation.
- Worker’s Compensation. We will disclose only the Protected Health Information necessary for Worker’s Compensation in compliance with Worker’s Compensation laws. This PHI may be reported to your employer and/or your employer’s representative regarding an occupational injury or illness.
- De-Identified Protected Health Information. We may de-identify your PHI as permitted by law, which means that we have removed certain unique identifiers from the information about you, your employer, and your household members so that it no longer reasonably identifies you. We may use or disclose to others the de-identified information for any purpose, without your further authorization or consent, including but not limited to, research studies, use or development of artificial intelligence tools, and health care/health operations improvement activities. We may also share your PHI with a Business Associate who will remove information that identifies you so that the remaining information can be used or disclosed for purposes outside of this notice.
- Research. Under certain circumstances, we may use and disclose PHI about you for research purposes, including, but not limited to (1) when the research has been approved by an Institutional Review or Privacy Board and in compliance with law governing research; or (2) where you have provided your authorization. As an example under the first scenario, a research project may involve comparing the laboratory test results of all patients who received one medication to those who received another for the same condition. All research projects, however, are subject to a special approval process by an Institutional Review or Privacy Board. This process evaluates a proposed research project and its use of PHI, balancing the research needs with patients’ need for privacy of their PHI as required by law governing research. Before we use or disclose PHI for research, the project will have been approved through this research approval process.
As an example under the second scenario, you may choose to participate in a research study that requires you to obtain related health care services. In this case, we may share your PHI (1) with the researchers involved in the study who ordered the hospital or other health care services; and (2) with your insurance company in order to receive payment for those services that your insurance agrees to pay for.
Additionally, we may use and share your PHI with a researcher if certain parts of your PHI that would identify you are removed before we share it with the researcher. This will only be done if the researcher agrees in writing not to share the information, will not try to contact you, and will obey other requirements that the law provides.
- To Avert a Serious Threat to Health or Safety. We may use and disclose PHI about you when necessary to prevent a serious threat to your health or safety or the health or safety of the public or another person. State laws may require such disclosure when an individual or group has been specifically identified as the target or potential victim.
- Military, National Security, and other Specialized Government Functions. We may disclose your PHI, if you are in the Armed Forces, for activities deemed necessary by appropriate military command authorities for determination of benefit eligibility by the Department of Veterans Affairs or to foreign military authorities if you are a member of that foreign military service. We may disclose your PHI to authorized federal officials for conducting national security and intelligence activities or special investigations (including for the provision of protective services to the President of the United States, other authorized persons, or foreign heads of state) or to the Department of State to make medical suitability determinations.
- Inmates and Correctional Institutions. If you are an inmate at a correctional institution, then under certain circumstances we may disclose your PHI to the correctional institution or law enforcement official. This may be necessary 1) for the institution to provide you with health care; 2) to protect your health and safety or the health and safety of others; or 3) for the safety and security of the correctional institution and its staff.
- About a Decedent. In the event of your death, disclosures about you (the decedent) can be made to family members or others involved in your care or payment for your care prior to your death unless inconsistent with your prior expressed preferences that are known to us. Disclosures may also be made to your personal representative.
- Health-Related Benefits and Services. We may use and disclose PHI, as necessary, to contact you to remind you of your appointment or for important services and to tell you about health-related benefits or services that may be of interest to you.
- Health Oversight Activities. We may disclose your PHI to a health oversight agency for audits, investigations, inspections, licensures, and other activities as authorized by law. The relevant agencies include governmental units that oversee or monitor the health care system, government benefit and regulatory programs, and compliance with civil rights laws.
- Ownership Change. If our business is sold, acquired, or merged with another entity, your PHI may be transferred to the new owner. However, you will still have the right to request copies of your records and have copies transferred to another provider.
Minors: PHI of minors will be disclosed to their parents or legal guardians acting as personal representatives, unless prohibited by law or in circumstances where the law permits us to withhold PHI, such as to prevent harm to the minor or another person or in cases of suspected child abuse or neglect.
Additional State and Federal Requirements: Some state and federal laws provide additional privacy protection of your health information or grant you greater rights. Applicable state or federal laws that provide greater privacy protection or broader privacy rights will continue to apply and we will comply with such laws to the extent they are applicable. These include:
- Sensitive Information. Some types of health information are particularly sensitive, and the law, with limited exceptions, may require that we obtain your written permission or in some instances, a court order, to use or disclose that information. Sensitive health information subject to these laws may include information related to genetics, HIV/AIDS, mental health, sexual assault and alcohol and substance abuse.
- Information Used in Certain Disciplinary Proceedings. State law may require your written permission if certain health information is to be used in various review and disciplinary proceedings by state health oversight boards.
- Information Used in Certain Litigation Proceedings. State law may require your written permission for us to disclose information in certain legal proceedings.
- Disclosures to Certain Registries. Some laws require your written permission if we disclose your health information to certain state-sponsored registries.
OTHER USES AND DISCLOSURES OF PHI
Other uses and disclosures of PHI not covered by this notice or the laws that apply to us will be made only with your written permission. Use and disclosures that require your written permission include, but are not necessarily limited to, most uses and disclosures of psychotherapy notes, for marketing purposes (subject to certain exceptions as set forth in HIPAA), and for sale of your PHI as defined by HIPAA. If you provide us permission to use or disclose PHI about you, you may revoke that permission, in writing, at any time. If you revoke your permission, we will no longer use or disclose PHI about you for the reasons covered by your written authorization. You understand that we are unable to take back any uses and disclosures we have already made with your permission. You may obtain a valid authorization form from us.
We may engage in fundraising activities and may contact you in connection with those activities. If we do, you have the right to opt out of receiving such communications by notifying our Privacy Officer in writing.
YOUR RIGHTS REGARDING YOUR PHI AND HOW TO EXERCISE THEM
You have the following rights regarding PHI we maintain about you, subject to certain limitations:
- Right to Inspect and Copy. You have the right to inspect and copy PHI about you maintained by us in a designated record set, as defined by HIPAA. Copies may be made available either in paper or electronic format. Usually, this includes medical and billing records, but does not include psychotherapy notes; information restricted by law; information prepared in anticipation of or for use in a civil, criminal, or administrative action; information related to medical research in which you have agreed to participate; information obtained under a promise of confidentiality; and information whose disclosure may result in harm or injury to yourself or others. You have the right to request only a summary of your PHI if you do not desire to obtain a copy of your entire record. You also have the option to request an explanation of the PHI to which you were provided access when you request your entire record.
To inspect and/or obtain copies of your PHI maintained by us, you must submit your request in writing to our Privacy Officer, at the address listed below. If you request a copy of the information, we may charge a reasonable fee for the costs of copying, mailing, or other expenses associated with your request, consistent with federal and state law, including where you have designated a third-party recipient.
We may deny your request to inspect and copy your PHI for the reasons set forth above or under certain other limited circumstances. If you are denied access to PHI, you will receive a written denial. If we deny your request for certain reasons, we will provide you notice that you may request that the denial be reviewed. Thereafter, a licensed health care professional chosen by us will review your request and the denial. The person conducting the review will not be the person who originally denied your request. We will comply with the outcome of the review.
You may also request that we transmit an electronic copy of your PHI to you or another person when we maintain such PHI in an Electronic Health Record. We will make every attempt to provide the records in the format you request; however, in the case that the information is not readily accessible or producible in the format you request, we will provide the record in a standard electronic format or a legible hard copy form. To do so you must request this in writing, you must sign the request, and it must clearly identify the designated person and where to send the copy of the PHI. We provide the Alverno patient portal as one option for patients to electronically access their PHI. You may set up access to the Alverno patient portal by visiting our website at www.alvernolabs.com Under the ‘Patients’ section, click ‘Access your Results’. There is no fee for you to access information through the Alverno patient portal.
- Right to Amend. If you feel that PHI we have about you in a designated record set is incorrect or incomplete, you may ask us to amend the PHI we have about you. You have the right to request an amendment for as long as the information is kept by or for us.
To request an amendment, your request must be made in writing and submitted to our Privacy Officer. In addition, you must provide a reason that supports your request. We will generally make a decision regarding your request for amendment no later than sixty (60) days after receipt of your request. However, if we are unable to act on the request within this time, we may extend the time for thirty (30) more days but we will provide you with a written notice of the reason for the delay and the approximate time for completion. Please note that submitting a request for an amendment does not necessarily mean the PHI will be amended. If we deny your requested amendment, we will provide you with a written denial.
- Right to Amend. If you feel that PHI we have about you in a designated record set is incorrect or incomplete, you may ask us to amend the PHI we have about you. You have the right to request an amendment for as long as the information is kept by or for us.
To request an amendment, your request must be made in writing and submitted to our Privacy Officer. In addition, you must provide a reason that supports your request. We will generally make a decision regarding your request for amendment no later than sixty (60) days after receipt of your request. However, if we are unable to act on the request within this time, we may extend the time for thirty (30) more days but we will provide you with a written notice of the reason for the delay and the approximate time for completion. Please note that submitting a request for an amendment does not necessarily mean the PHI will be amended. If we deny your requested amendment, we will provide you with a written denial.
We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend PHI that:
- Was not created by us, unless the person or entity that created the information is no longer available to make the amendment;
- Is not part of the PHI kept by or for us;
- Is not part of the PHI which you would be permitted to inspect and copy; or
- Is already accurate and complete.
If we approve your request, we will include the amendment in any future disclosures of the relevant PHI. If we deny your request for an amendment, you may file a written statement of disagreement, which we may rebut in writing. The denial, statement of disagreement, and rebuttal will be included in any future disclosures of the relevant PHI.
- Right to an Accounting of Disclosures. You have the right to request an “Accounting of Disclosures.” This is a list of certain disclosures we made of PHI about you. Your “Accounting of Disclosures” will not, however, list uses and disclosures that are exempted from the accounting requirement by federal or state law, such as (but not limited to) disclosures required by law, those incidental to a permissible use or disclosure, those made pursuant to a prior authorization by you, those made for treatment; payment; health care operations purposes, permissible notification and communication with family and/or friends, or for certain law enforcement purposes. To request this list or accounting of disclosures, you must submit your request in writing to our Privacy Officer. Your request must state a time period that may not be longer than six years prior to the date of your request. Your request should indicate in what form you want the list (for example, on paper or electronically). The first list you request within a 12-month period will be free. For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred.
- Right to Receive Notice of Breach. We will notify you in the event we become aware of a breach of your unsecured PHI in accordance with applicable law, including a brief description of what happened and a description of the types unsecured PHI involved in the breach. We will also inform you of any steps we believe you should take to protect yourself from potential harm resulting from the breach and a brief description of what we are doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches.
- Right to Request Restrictions. You have the right to request restrictions on how we use and/or disclose your PHI to carry out treatment, payment, or health care operations. You also have the right to request restrictions on the PHI we disclose about you to someone who is involved in your care or the payment for your care, like a family member or friend.
With the exception of disclosures to health plans for purposes of payment or health care operations that are not otherwise required by law for items or services paid in full, we are not required to agree to your request. If we are required to comply or do agree to a requested restriction, we will comply with your request unless the information is needed to provide you emergency treatment.
We may terminate a restriction if you agree to or request a termination in writing, if you orally agree to the termination and the oral agreement is documented, or if we inform you that we are terminating the agreement to a restriction, except that such termination is not effective for PHI restricted as provided in the above paragraph and is only effective with respect to PHI created or received after we have so informed you.
To request restrictions, you must make your request in writing to our Privacy Officer. In your request, you must tell us (1) what PHI you want to limit; (2) whether you want to limit our use, disclosure or both; and (3) to whom you want the limits to apply, for example, disclosures to your spouse.
- Right to Request Confidential Communications. You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail. To request confidential communications, you must make your request in writing to our Privacy Officer. We will make reasonable efforts to accommodate your request. You do not need to provide a reason, but your request must specify how or where you wish to be contacted.
- Right to a Paper Copy of this Notice. You have the right to a paper copy of this notice. You may ask us to give you a copy of this notice at any time. Even if you have agreed to receive this notice electronically, you are still entitled to a paper copy of this notice. You may also obtain a copy of this notice at our website, www.alvernolabs.com. To obtain a paper copy of this notice, you may request a copy of the Notice of Privacy Practices from our registration clerk or our Privacy Officer at the contact information below.
- Right to Appoint a Personal Representative. You have the right to appoint a personal representative, such as a medical power of attorney or if you have legal guardian. Your personal representative may be authorized to exercise your rights and make choices about your PHI. We will confirm the person has this authority and can act for you before we take any action based on their request.
ELECTRONIC HEALTH INFORMATION SHARING THROUGH APPLICATION PROGRAMMING INTERFACES
You have the right to request or authorize that your electronic PHI in your designated record set be transmitted to you or another person or organization through an application programming interface (API). APIs are computer coding mechanisms that permit two or more electronic computer applications or software programs to communicate with each other and share information. Alverno is required by law to comply with requests regarding API transmissions, subject to certain exceptions. You understand that PHI transmitted through an API at your request will no longer be under Alverno’s protection and control, will no longer be subject to the protections and rights outlined in this notice, and may no longer be subject to the same laws, regulations, policies or procedures regarding its confidentiality, security, privacy, use, or disclosure. You understand and agree that you make requests to Alverno to transmit your PHI through an API at your own risk and you assume all liability for the consequences of such action taken by Alverno at your direction. Alverno cautions you to confirm any confidentiality, security, or privacy protections with respect to your transmitted PHI with the recipient of the PHI prior to submitting a request to Alverno to transmit your PHI through an API.
CHANGES TO THIS NOTICE
We reserve the right to change our privacy practices that are described in this notice. We reserve the right to make the revised or changed privacy practices effective for PHI we already have about you as well as any information we receive in the future. Prior to a material change to the uses or disclosures, your rights, our legal duties or other privacy practices stated in this notice, we will promptly revise this notice. The notice will contain the effective date. We will post an updated form in our office and on our website. We will also make copies available of our new notice if you wish to obtain one.
COMPLAINTS
If you believe your privacy rights have been violated, you may file a complaint with us or with the Secretary of the Department of Health and Human Services. To file a complaint with us, please write to our Privacy Officer at the address provided at the end of this document. All complaints must be submitted in writing. Complaints to the Secretary of the Department of Health and Human Services may be filed either in paper or electronically.
You will not be penalized or retaliated against for filing a complaint.
OUR ADDRESS & OTHER CONTACT INFORMATION
Alverno Laboratories
2434 Interstate Plaza Drive
Hammond, Indiana 46324
Attention: Privacy (Compliance) Officer
(800) 937-5521
ACOCOMPLIANCETEAM@alvernolabs.com
ACKNOWLEDGEMENT FORM
Please download our acknowledgment form here.