Protecting Your Privacy (HIPAA)

Notice of Privacy Practices

This Notice of Privacy Practices can be printed in English , Spanish, French, Chinese, Arabic, Korean, Russian and Japanese.

A.   THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.  This Notice of Privacy Practices (Notice) applies to all information about care that you receive from the following: 

  • University of Michigan Health System (UMHS) which includes our hospitals, doctors, home health services, pharmacy services, laboratory services, and other related health care providers
  • Portions of the University of Michigan that provide health care services (UM Providers) such as University Health Service, the University of Michigan School of Dentistry, etc.
  • UMHS and its organized health care arrangements where the UMHS participates in quality improvement and assessment activities as part of an organized health care arrangement where the providers work jointly to help improve the quality of your care.   Examples of current Organized Health Care Arrangements in which the UMHS participates are available at https://www.uofmhealth.org/patient-visitor-guide/ocha

In addition to the above, this Notice applies to other portions of the University of Michigan that support the health care activities of UMHS and the UM providers.  All of these entities may use and share your health information for treatment, payment or health care operations as described in this Notice.

B.    WE ARE REQUIRED TO SAFEGUARD YOUR PROTECTED HEALTH INFORMATION (PHI).             

We are committed to protecting the privacy of your health information, called “protected health information” or “PHI”. PHI is information that can be used to identify you that we have created or received about your past, present, or future health or condition, the provision of health care to you, or payment for health care provided to you. We are required to provide you with this notice to explain our privacy practices and how, when, and why we use and disclose your PHI.  In general, we may not use or disclose any more of your PHI than is necessary to accomplish the purpose of the use or disclosure, although there are some exceptions. We are legally required to follow the privacy practices described in this notice and notify you following a breach of your unsecured PHI.

C.     HOW WE USE AND DISCLOSE YOUR PHI.  We use and disclose PHI for different reasons, and some require your prior specific authorization.  The different categories of our uses and disclosures are described below, with examples of each.

1. Uses and Disclosures Relating to Treatment, Payment or Health Care Operations Do Not Require Your Consent.

1.1. For Treatment. We may use and disclose your PHI to physicians, nurses, medical students and other health care personnel who provide health care services to you or who are involved in your care. For example, if you are treated for a knee injury, we may disclose your PHI to the physical therapy provider to coordinate your care.

1.2. To Obtain Payment. We may use and disclose your PHI to bill and collect payment for the health care services provided to you. For example, our billing department may use some of your PHI and disclose it to your health plan for payment.

1.3. For Health Care Operations. We may use and disclose your PHI to operate our hospitals, clinics and other health care service facilities. For example, we may use your PHI to review the care provided to you or to evaluate the performance of the health care professionals and processes involved in your care. We may also provide your PHI to University of Michigan units and our business associates that support our health care operations, such as our accountants, attorneys, consultants and other companies.  Other examples include educational programs, resolution of internal grievances, business planning, development and management, administrative activities, including data and information systems management, and consolidations with other providers.

2. Certain Other Uses and Disclosures That Do Not Require Your Consent.  We may also use and disclose your PHI:

2.1. When disclosure is required by federal, state or local law, judicial or administrative proceedings, or law enforcement. For example, we make disclosures when a law requires that we report information to government agencies and law enforcement personnel about victims of abuse, neglect or domestic violence, when dealing with gunshot and other wounds, or when ordered in a judicial or administrative proceeding.

2.2. For public health activities. For example, we must report to government officials in charge of collecting specific information related to births, deaths, and certain diseases and infections.  Also, we provide coroners, medical examiners and funeral directors necessary information relating to an individual’s death.  Additionally, under Michigan law we are required to report information about patients with certain conditions, such as HIV/AIDS and cancer, to central registries; we also are required to report information about immunizations.  We also may disclose PHI to manufacturers of drugs, biologics, devices, and other products regulated by the federal Food and Drug Administration when the information is related to their quality, safety, or effectiveness. PHI also may be disclosed to certain people exposed to communicable diseases and to employers in connection with occupational health and safety or worker’s compensation matters.

2.3. For health oversight activities. For example, we will provide information to government officials to conduct an investigation or inspection of a health care provider or organization.

2.4. For purposes of organ donation. We may provide information to organ procurement organizations to assist them in organ, eye or tissue donation and transplants.

2.5. For research purposes. In certain circumstances, we may use or provide PHI to conduct research.  This research generally is subject to oversight by an institutional review board.  In most cases, while PHI may be used to help prepare a research project or to contact you to ask whether you want to participate in a study, it will not be further disclosed for research without your authorization.  However, where permitted under federal law, institutional policy and approved by an institutional review board or a privacy board, PHI may be further used or disclosed.  In addition, PHI may be used or disclosed for research as “limited or de-identified data sets” which do not include your name, address or other direct identifiers.

2.6. To avoid harm. To avoid a serious threat to the health or safety of a person or the public, we may provide PHI to law enforcement personnel or persons able to prevent or lessen the potential harm.

2.7. For specific government functions. We may disclose the PHI of military personnel and veterans in certain situations. We also may disclose PHI for national security purposes, such as protecting the president of the United States or conducting intelligence operations.

2.8. For workers’ compensation purposes. We may provide PHI to comply with workers’ compensation laws.

2.9. To provide appointment reminders and health-related benefits or services. We may use PHI to provide appointment reminders.  We may also give you information about treatment alternatives, or other health care services or benefits we provide.

2.10. For fundraising activities. We may use PHI to raise funds for our organization. You have the right to opt out of receiving fundraising communications.

3. Uses and Disclosures to Which You Have an Opportunity to Object.

3.1. Patient directories. We may include your name, general condition, location in a UMHS facility, and religious affiliation (if any) in our patient directory for use by clergy and others who ask for you by name, unless you object in whole or in part when you are admitted to our facilities.

3.2. Disclosure to family, friends, or others. We may provide your PHI to a family member, friend or other persons who are involved in your care or responsible for the payment for your health care, unless you object in whole or in part.

3.3. Health Information Exchanges.  We may make your PHI available electronically through health information exchanges (HIEs) to other health care providers, health plans and health care clearinghouses. Participation in HIEs also lets us see their information about you which helps us provide care to you.  You have the right to opt out of participating in such efforts by contacting the person listed at the end of this notice.

4. Applicable Michigan Law.  Our use and disclosure of PHI must comply not only with federal privacy regulations but also with applicable Federal and Michigan law.  Michigan law and/or Federal Regulations place certain additional restrictions on the use and disclosure of PHI for mental health, substance abuse, HIV/AIDS conditions, and certain genetic information.  In some instances, your specific authorization may be required.

5. All Other Uses and Disclosures Require Your Prior Written Authorization.  In situations that are not covered by this Notice,  your written authorization is needed before using or disclosing your PHI, including most uses and disclosures of psychotherapy notes (if recorded or maintained by us),  financially-supported marketing of 3rd party products or services, and the sale of PHI, unless otherwise specified by law.  Your authorization can always be revoked in writing (but it would not apply to prior disclosures made based on your initial authorization). 

D. YOUR RIGHTS REGARDING YOUR PHI.  You have the following rights with respect to your PHI:

1. The Right to Request Restrictions on Uses and Disclosures of Your PHI. You have the right to ask us to limit how we use and disclose your PHI for treatment, payment or health care operations.  This request must be in writing.  We are not required to agree to your restriction request, but if we do, we will honor our agreement except in cases of an emergency or in cases where we are legally required or allowed to make a use or disclosure.  We are required, however, to agree to a written request to restrict disclosure of your PHI to a health plan if the disclosure is for payment or health care operations and is not otherwise required by law, and your PHI pertains solely to a health care item or service for which you have paid in full and out of pocket.  Also, you may request us to limit PHI disclosures to family members, other relatives, or close friends involved in your care or payment for it.

2. The Right to Request Confidential Communications Involving Your PHI. You can ask in writing to send information to you in a certain way or location.  For example, you can request we mail PHI to a Post Office Box rather than your home. We must agree to your request so long as we can easily provide it in the format you requested.   

3. The Right to Receive Copies of Your PHI. In most cases you have the right to receive copies of your PHI, such as health or billing records, used by us to make decisions about you.  You must make the request in writing.  We will respond within 30 days after receiving your written request, and we may charge a reasonable fee.  In certain situations, we may deny your request, but we will do so in writing, and we will provide our reasons for the denial and explain your right to have the denial reviewed.

4. The Right to Get a List of the Disclosures We Have Made. You have the right to get a list of instances in which we have disclosed your PHI ( an Accounting of Disclosures.)  This right does not apply to certain disclosures such as those made for treatment, payment or health care operations, disclosures made to you or to others involved in your care, disclosures made with your authorization, or disclosures made for national security or intelligence purposes or to correctional institutions or law enforcement purposes. Your request for an Accounting of Disclosures must be made in writing to the person and address below.  We will respond within 60 days of receiving your request by providing a list of disclosures made within the last six years from the receipt date of your request, unless a shorter time period is requested.  If you make more than one request in the same year, we may charge a fee.

5. The Right to Amend or Update Your PHI. If you believe your PHI is incorrect or incomplete, you have the right to request us to add to or amend the existing information.  Your request must be in writing and must include the reason for your request.  We will respond within 60 days of receiving your request.  We may deny your request in writing if the PHI (i) is correct and complete, (ii) was not created by us, (iii) is not allowed to be disclosed, or (iv) is not part of our records.  Our denial will include the reason(s) for the denial and will explain your right to file a written statement of disagreement. If you don’t file a written statement of disagreement, you have the right to request that your amendment request and our denial be attached to your PHI.  If your amendment request is approved, we will make the change to your PHI and let you know it has been completed.  An amendment may take several forms, such as an explanatory statement added to your record.

6. The Right to a Copy of this Notice.   You have a right to request a paper copy of this Notice be mailed to you. It is also available at: http://www.uofmhealth.org/Patient+and+Visitor+Guide/hipaa

E. WHO YOU CAN CONTACT FOR INFORMATION ABOUT THIS NOTICE OR OUR PRIVACY PRACTICES.  If you have questions about this Notice or complaints about our privacy practices, or if you would like to know how to file a complaint with the Office for Civil Rights of the U.S. Department of Health and Human Services, you can contact our Privacy Director at 734-615-4400 or [email protected]. You will not be penalized for filing your complaint.  Written complaints must be submitted to:

University of Michigan Health System

Privacy Director
1500 E. Medical Center Drive
Ann Arbor, MI 48109-5729

We may change our privacy practices at any time.  Before we make an important change, we will revise this Notice and post it in our facilities and on our website at: http://www.uofmhealth.org/Patient+and+Visitor+Guide/hipaa.  

F. EFFECTIVE DATE OF THIS NOTICE: April 14, 2003, revised July 1, 2012 and Sept. 23, 2013.