UPMC’s Notice of Privacy Practices
Effective Date: November 14, 2018
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU
MAY BE USED AND DISCLOSED (SHARED) AND HOW YOU CAN GET
ACCESS TO (SEE AND COPY) THIS INFORMATION.
PLEASE REVIEW IT CAREFULLY.
UPMC creates and maintains a record of information about the care and
services you receive at UPMC. This includes information that UPMC
receives from other doctors and medical facilities that are not part of
UPMC, but that UPMC keeps to help give you better care. UPMC may
share and use your health information for purposes of treating
you, obtaining payment for services provided to you, health care
operations as described in this Notice, as well as purposes authorized
by you or permitted by law. You can learn more about UPMC at
What Is a Notice of Privacy Practices?
The Notice tells you about the ways we may use and share your health
information, as well as the legal duties we have about your health
information. The Notice also tells you about your rights under federal
(United States) and state (Pennsylvania) laws. In this Notice, the words
“we,” “us,” and “our” mean UPMC and all the people and places that
make up UPMC. This Notice does not apply to the UPMC Health Plan
or UPMC as an employer.
Who Follows UPMC’s Notice of Privacy Practices? A
list of entities that are bound by this Notice can be found within the
privacy information section of www.upmc.com. This includes
hospitals, doctors, rehabilitation services, skilled nursing services,
home health services, pharmacy services, laboratory services, and other
related health care providers. This also includes departments, units, and
staff within our health care facilities, health care professionals permitted
by us to provide services to you, and students, residents, trainees,
volunteers, and others involved in providing your care whether or
not these individuals are employed by UPMC.
This Notice does not apply to the UPMC Health Plan or UPMC as an
employer. These UPMC entities are separate covered entities for the
purpose of the Health Insurance Portability and Accountability Act
(HIPAA) and have their own Notice. Additionally, if your doctor is not
a member of a physician practice that is owned by UPMC, he or she
may have different policies about how to handle your information and
will have a separate Notice.
Our Duty to Protect Your Health Information
We are required by law to:
Make sure that information that identifies you is kept private and is
used in accordance with this notice (as currently in effect).
Make available to you this Notice that describes the ways we use
and share your health information as well as your rights under the
law about your health information.
How We May Use and Share Your Health
Information with Others
The law permits us to use and share your health information in certain
ways. When we act in response to your written permission, share
information to help treat you, or are directed by the law, we will share
all information that you, your health care provider, or the law permits
or requires. The list below tells you about different ways that we may
use your health information and/or share it with others. We have also
provided you with examples of what we mean. Every possible example
of how we may use or share information is not listed below. However,
all of the ways we are permitted to use and share information fall into
one of the groups below. When possible, we will use health information
that does not identify you.
A. Ways We Are Allowed to Use and Share Your Health Information
With Others Without Your Consent or as the UPMC Consent for
Treatment, Payment, and Health Care Operations Provides:
1. Treatment. We may use your health information to give you
medical treatment or services. We may also share your health
information with people and places that provide treatment to you.
For example, if you have diabetes, the doctor may need to tell the
dietitian about your diabetes so that you get the kind of meals you
need. We may share health information about you with people
outside of UPMC who provide follow-up care to you, such as
your physicians, other providers, EMS providers, nursing homes
and home care agencies. At all times, we will comply with any
regulations that apply.
2. Payment. In order to receive payment for the services we provide
to you, we may use and share your health information with your
insurance company or a third party. We also may share your
health information with other health care service or product
providers who provide follow-up care to you, such as your
physicians, other providers, EMS providers, nursing homes and
home care agencies so they can bill you, your insurance company,
or a third party. For example, some health plans require your
health information to pre-approve you for surgery and require pre-
approval before they pay us.
3. Health Care Operations. We may use and share your health
information so that we, or others that have provided treatment to
you, can better operate the office or facility. For example, we may
use your health information to review the treatment and services
we gave you and to see how well our staff cared for you. We may
share your health information with our researchers, so they can
develop plans to conduct research. We may share information
with our students, trainees, and staff for review and learning
purposes. We may share your information for case management
and care coordination purposes. We will not sell your name or
any identifiable health information to others without your
4. Health Information Exchanges. We may share your
information using a variety of Health Information Exchanges both
on a regional and a national basis. You have the right not to
participate in these exchanges. If you choose not to participate in
the exchanges, your health information will no longer be
accessible through the exchange. However, it does not affect the
information that was exchanged prior to the time you chose not to
participate. You can learn more about the health information
exchanges UPMC participates in at www.upmc.com.
5. Business Associates. We may share your health information with
others called “business associates,” who perform services on our
behalf. The Business Associate must agree in writing to protect
the confidentiality of the information. For example, we may share
your health information with a billing company that bills for the
services we provided.
6. Appointment Reminders. We may use and share your health
information to remind you of your appointment for treatment or
medical care. For example, if your doctor has sent you for a test,
and you have approved communication, the place where the
testing will be done may call, text, or e-mail you to remind you of
the date you are scheduled.
7. Appointment Confirmations. We may use and share your health
information to confirm the time, place and attendance of your
appointment for treatment with third-party transportation
8. Treatment Options and Other Health-Related Benefits and
Services. We may use and share your health information to tell
you about possible treatment options and other health-related
benefits and services that may interest you. For example, if you
suffer from an illness or condition, we may tell you about a
special treatment or research study that is being offered.
9. Fundraising Activities. We may use and share with a Business
Associate or a foundation that is related to us your name,
address, phone number, and other such information (called
“demographic information”) , the dates that health care was
provided to you, general department information regarding the
department where services were rendered, the name of your
treating physician and outcome information. You may then be
asked for a donation to UPMC. For example, you may receive
a letter from a UPMC foundation asking for a donation to
support enhanced patient care, treatment, education or research
at UPMC. Any fund-raising materials will explain how you can
tell us, a business associate, or a foundation that you do not
want to be contacted in the future.
10. Marketing Activities. We may use or share your health
information for marketing purposes without your permission
when we discuss such products or services with you face to face
or to provide you with an inexpensive promotional gift related
to the product or service. For example, you may receive samples
of products or drugs during a visit to a UPMC hospital or
facility. For other types of marketing activities, we will obtain
your written permission before using or sharing your health
information. We will not sell your identifiable health
information to others without authorization.
11. Research. We may use and share your health information for
research 1) if our researcher obtains permission from a special
UPMC committee that decides if the request meets certain
standards required by law; or 2) if you provide us with your
written permission to do so. You may participate in a research
study that requires you to obtain hospital and other health care
services. In this case, we may share the information that we
create 1) to our researcher who ordered the hospital or other
health care services; and 2) to your insurance company in order
to receive payment for services that your insurance will pay for.
We may use and share with a UPMC researcher your health
information if certain parts of your information that would
identify you, such as your name and other items that the law
describes, are removed before we share it with the UPMC
researcher. This will be done when the researcher signs a written
agreement with us that the researcher will not share the
information again, will not try to contact you, and will obey
other requirements that the law provides. We may also share
your health information with a Business Associate who will
remove information that identifies you so that the remaining
information can be used for research.
12. Special Situations. In the following situations, the law either
permits or requires us to use or share your health information
with others. Pennsylvania law may further limit these
disclosures; for example, in cases of behavioral health
information, drug and alcohol treatment information, and HIV
a. As Required by Law. We will share your health
information when required by federal, state, or local law.
If we believe that you have been a victim of abuse,
neglect, or domestic violence, we will share your health
information with an authorized government agency. If we
share your health information for this purpose, we will tell
you unless we believe that telling you would put you or
someone else at risk of harm.
b. To Prevent a Serious Threat to Health or Safety. We may
use and share your health information with persons who may
be able to prevent or lessen the threat or help the potential
victim of the threat when doing so is necessary to prevent a
serious threat to the health and safety of you, the public, or
another person. Pennsylvania law may require such disclosure
when an individual or group has been specifically identified
as the target or potential victim.
c. Organ and Tissue Donation. To assist in the process of eye,
organ or tissue transplants, in the event of your death, we may
share your health information with organizations that obtain,
store, or transplant eyes, organs, or tissue.
d. Special Government Purposes. We may use and share your
health information with certain government agencies, such as:
Military and Veterans. We may share your health
information with military authorities as the law permits if
you are a member of the armed forces (of either the United
States or a foreign government).
National Security and Intelligence. We may share your
health information with authorized federal officials for
intelligence, counter-intelligence and other national
security activities authorized by law.
Protective Services for the President and Others. We
may share your health information with authorized federal
officials to protect the President of the United States, other
authorized persons, or foreign heads of state. We may also
share your health information for purposes of conducting
special investigations as authorized by law.
e. Workers’ Compensation. We may share your health
information for Workers’ Compensation or similar programs
that provide benefits for work-related injuries or illness.
f. Public Health. We may share your health information with
public health authorities for public health purposes to prevent
or control disease, injury, or disability. This includes, but is
not limited to, reporting disease, injury, and important events
such as birth or death, and conducting public health
monitoring, investigations, or activities. For example, we may
share your health information to 1) report child abuse or
neglect; 2) collect and report on the quality, safety, and
effectiveness of products and activities regulated by the Food
and Drug Administration (FDA) (such as drugs and medical
equipment, and could include product recalls, repairs, and
monitoring); or 3) notify a person who may have been
exposed to or is at risk of spreading a disease.
g. Health Oversight. We may share your health information
with a health oversight agency for purposes including 1)
monitoring the health care system; 2) determining benefit
eligibility for Medicare, Medicaid, and other government
benefit programs; and 3) monitoring compliance with
government regulations and civil rights laws.
h. Coroners, Medical Examiners, and Funeral Directors.
We may share your health information with a coroner or
medical examiner in order to identify a deceased person,
determine the cause of death, or for other reasons allowed
by law. We also may share your health information with
funeral directors, as necessary, so they can carry out their
i. Inmates. If you are an inmate of a correctional institution or
under the custody of a law enforcement official, we may
share your health information with the correctional
institution or law enforcement official. This would be
necessary 1) for the institution to provide you with health
care; 2) to protect your health and safety or the health and
safety of others; or 3) for the safety and security of the
correctional institution and its staff.
B. Other Ways We Are Allowed to Use and Provide Your Health
Information to Others
1. Hospital Directory. We may include limited information about
you in the hospital directory while you are a patient at a UPMC
hospital or other facility. The information may include your
name, location in the building, general condition, such as
“stable,” “serious,” “critical,” and your religious affiliation.
Except for your religious affiliation, the directory information
may be released to people who ask for you by name. We may
give your religious affiliation to a member of the clergy, such as
a priest or rabbi, even if they don’t ask for you by name. This
helps your family, friends, and clergy who visit you to know
how you are doing. You have the right to ask that all or part of
your information not be given out. If you do so, we will not be
able to tell your family or friends your room number or that you
are in the hospital or facility.
2. People Involved in Your Care or Payment for Your Care.
We may share your health information with a friend, family
member, or another person identified by you who is involved in
your medical care or the payment of your medical care. We may
share your health information with these persons if you are
present or available before we share your health information
with them and you do not object to our sharing your health
information with them, or we reasonably believe that you would
not object to this. If you are not present and certain
circumstances indicate to us that it would be in your best
interests to do so, we will share information with a friend or
family member or someone else identified by you, to the extent
necessary. This could include sharing information with your
family or friend so that they could pick up a prescription or a
medical supply. We may tell your family or friends that you are
in a UPMC hospital and your general condition. We may share
medical information about you with an organization assisting in
a disaster relief effort.
3. Permissible Disclosures to Law Enforcement. We may share
your health information with a law enforcement official or
a. in response to a court order, subpoena, warrant, summons
or similar process;
b. to identify or locate a suspect, fugitive, material witness, or
c. about the victim of a crime if, under certain limited
circumstances, we are unable to obtain the person’s
d. about a death we believe may be the result of criminal
e. about criminal conduct at the hospital; or in emergency
circumstances to report a crime; the location of the crime or
f. or the identity, description or location of the person who
committed the crime.
4. Exception to the Above. If you are a patient in a
psychiatric/mental/behavioral health facility or drug and alcohol
facility, additional authorization may be required to release your
information outside of UPMC. If you are under 14 years of age,
this permission must come from your parents or legal guardians.
If you are 14 years or older, this permission must come from you.
C. In All Other Ways, We Will Require Your Written Permission
Before Your Health Information Is Used or Shared With Others
Except as stated in Sections A and B, your written permission is
required before we can use or share your health information with
anyone outside of UPMC. This permission is provided through a
form. If you give us permission to use or share health information
about you, you may cancel that permission, in writing, at any time. If
you cancel your permission, we will no longer use or share your
health information for the reasons you have given us in your written
permission. However, we are unable to take back any information that
we have already shared with your permission.
Your Rights Concerning Your Health Information
The law gives you the following rights about your health information:
1. Right to Ask to See and Request a Copy. You have the right to ask
to see and request a copy of the health information we used to make
decisions about your care. This includes your right to request a copy
of your electronic medical record in electronic form. Your request
must be in writing and given to your doctor or the place where you
were treated. You can call your doctor’s office or the place where you
were treated to find out how to do this. If you ask to see or request a
copy of your health information, you may have to pay fees as
permitted by law. We may tell you that you cannot see nor have a
copy of some or all of your health information. If we tell you this, you
may ask that someone else at UPMC review this decision. A licensed
health care professional chosen by UPMC will review those that can
be reviewed. This person will not be the same person who refused
your request. We will do whatever this person decides.
2. Right to Ask for a Correction. If you feel that health information
we have about you is incorrect or incomplete, you may ask us to
correct the information. You have the right to ask for a correction for
as long as the information is kept by or for UPMC. You must put your
request in writing and give it to your doctor or the place where you
received care. If you do not ask in writing or give your reasons in
writing, we may tell you that we will not do as you have asked. We
have the right to refuse your request if 1) we determine that the
information is correct and complete; 2) the information is not part of
the health information created or kept by or for UPMC; 3) the person
or place who created the information is no longer available to make
the correction and we believe the information to be correct; or 4) the
information is not part of the information that you are permitted by
law to see and/or copy.
3. Right to Ask for an “Accounting of Disclosures.”
a. Generally. You have the right to ask us for an “accounting of
disclosures.” This is a list of those people and organizations who
have received or have accessed your health information. This
right does not include information made available for treatment,
payment, or health care operations, or made available when you
have provided us with permission to do so. You must put your
request in writing and give it to your doctor or the place where
you received care. You can call your doctor’s office or the place
where you received care to find out how to ask for the list. You
must include in your written request how far back in time you
want us to go, which may not be longer than six years.
b. Information that is Maintained Electronically. Subject to a
schedule established by federal law, if we maintain your health
information electronically (in our computer), you have the right
to ask for an accounting of disclosures of where UPMC
disclosed your health information. In accord with federal law,
you may request an accounting for a period of three years prior
to the date the accounting is requested. You also have the right
to ask our business associates for an accounting of their
disclosures. We will post a list of all of our business associates
and how to contact them on our website.
4. Right to Ask for Limits on Use and Sharing.
5. Generally. You have the right to ask us to limit the health
information we use or share with others about you for treatment,
payment, or health care operations. You also have the right to
ask us to limit health information that we share with someone
who is involved in your care or payment for your care, like a
family member or friend. You can call your doctor’s office or
the place where you received your care to get instructions on
how to submit such a request. In your request, you must tell us
1) what information you want to limit; 2) whether you want to
limit our use, disclosure or both; and 3) the person or institution
the limits apply to (for example, your spouse). For example, you
could ask that we not use or share information about a surgery
you had. You must put your request in writing and give it to
your doctor or the place where you received your care. We are
not required to agree to your request. If we do agree to your
request, we still may provide information, as necessary, to give
you emergency treatment.
a. Services Paid For by You. Where you have paid for your
services out of pocket in full, at your request, we will not share
information about those services with a health plan for purposes
of payment or health care operations. “Health plan” means an
organization that pays for your medical care.
6. Right to Ask for Confidential Communications. You have the
right to ask that we contact you about your health information in a
certain way or at a certain location that you believe provides you
with greater privacy. For example, you can ask that we contact you
at work or by mail. Your request must state how or where you wish
to be contacted. You must make your request in writing to your
doctor or the place where you received care. You do not need to
provide a reason for your request. We will comply with all
7. Right to Ask for a Paper Copy of This Notice. You may ask us to
give you a copy of this Notice at any time. Even if you have agreed
to receive this Notice electronically (for example, through the
computer), you still have the right to a paper copy of this Notice. You
can also get a copy of this Notice at our website. To obtain a paper
copy of this Notice, contact your doctor’s office or the registration
department of the place where you received care.
8. UPMC Insurance Division is prohibited from requesting,
requiring or purchasing genetic information with respect to any
individual prior to such individual’s enrollment in a health plan,
and from using genetic information for underwriting purposes.
Violation of Privacy Rights
In the event that a breach of your protected health information occurs by
UPMC or one of its Business Associates, you will be provided with
written notification as required by law.
If you believe your privacy has been violated by us, you may file a
confidential complaint directly with us. You can do this by contacting the
UPMC Privacy Officer at the hospital or facility where you received care
or by calling the UPMC Compliance Help Line at 1-877-983-8442, or the
UPMC Office of Patient and Consumer Privacy at 412-647-5757.
You also may file a complaint with the Secretary of the U.S. Department
of Health and Human Services. To file a complaint with the Secretary of
Health and Human Services, you must 1) name the UPMC place or
person that you believe violated your privacy rights and describe how that
place or person violated your privacy rights; and 2) file the complaint
within 180 days of when you knew or should have known that the
violation occurred. All complaints to the Secretary of the U.S.
Department of Health and Human Services must be in writing and
U.S. Department of Health and Human Services 200
Independence Ave. S.W.
Washington, DC 20201
You will not be penalized for filing a complaint.
Changes to This Notice
We reserve (have) the right to change this Notice. We reserve (have) the
right to make the revised or changed Notice effective for health
information we already have about you and for any future health
information. We will post a copy of the revised Notice in the places where
we provide medical services and on our website. The Notice will contain
the effective date on the first page, in the top right-hand corner. We will
provide to you, if you ask us, a copy of the Notice that is currently in
effect each time you register at UPMC as an inpatient or outpatient for
treatment or health care services.
If You Have Questions About This Notice
If you have any questions about this Notice, please contact your doctor
or the place where you received care. You also may contact UPMC’s
Notice of Privacy inquiry line at 412-647-6286 or the UPMC Office of
Patient and Consumer Privacy at 412-647-5757
UPMC’s Notice of Privacy Practices