Duquesne University's HIPAA Policy


This notice describes how patient health information (PHI) about you may be used and disclosed and how you can get access to this health information. Please read it carefully and ask any questions.


Each time that a service is rendered or a procedure is done, even as simple as a routine blood pressure check, data and information are collected. This is health information or what is commonly referred to as information for or in the medical record or the patient record. Accurate, credible, and timely data and information are used by this organization, covered entity, as the basis for planning your care, as a means of having multiple healthcare providers know about your current health status, for health insurance, as a health legal document, as a record for billing purposes, as a source of data for research, planning, and marketing, as a source of required information for public health officials, and as a means to continue to improve the care that we provide. At this organization, we have always, and will continue to protect the privacy of your health information and the dignity of you as an individual. On July 6, 2001, the U.S. Federal Government passed compliance regulations that mandate all healthcare facilities, health plans, and clearinghouses to protect health information and inform consumers of the healthcare information practices of the facility. Overtime amendments and additions have been made and are incorporated into this Notice.


This facility maintains a medical record for you containing medical information concerning you. With this in mind, you have the right to:

-Request a restriction on use and disclosure of health information, although the facility is not required to comply except as follows. A covered entity must agree to the request of an individual to restrict disclosure of PHI about the individual to a health plan if the disclosure is for the purpose of carrying out payment or healthcare operations and is not otherwise required by law and the PHI pertains solely to a healthcare item or service for which the individual or another on behalf of the individual, other than the health plan, has paid the covered entity in full. A covered entity may terminate a restriction by informing the individual except for the above. (45CFR164.522)
-Obtain a copy of this notice
-Inspect, have access to, and receive a copy of your medical record (45CFR 164.524) A fee for labor and materials can be assessed.
-Amend your medical record (45 CFR 164.528)
-Obtain an accounting of disclosures of your medical record (45 CFR 164.528)
-Request your medical record by alternative means or location. You are entitled to receive electronic copies of PHI only if that PHI is already maintained in electronic format. The method of electronic transmission, the sending and receiving, must be deemed secure.
-Revoke your authorization to use or disclose your health information except to the extent that action has already been taken


This organization's mission of quality service and respect of the individual has always taken into account protecting health information privacy. Our responsibilities are to:
-Maintain the privacy of your health information
-Provide you this notice of health information practices
-Notify you if we are unable to satisfy a request or a restriction.
-Accommodate all reasonable requests while maintaining quality care and respect for you
-Make you aware of all health information practice policy changes
-We will not use or disclose your PHI your approval except as stated in this notice.
-When PHI is disclosed as above, it will be disclosed at the minimum necessary level.
-Account for how patient data are being used.
-Notify affected individuals following a breach of unsecured protected health information


If you would like further information or have questions, this organization employs a HIPAA Compliance Officer who can be reached at 412-396-1387.

If you believe that your privacy rights have been violated, you can file a complaint with the Compliance Officer or with the Secretary of Health and Human Services. There will be no penalty or retaliation for filing a complaint.

Examples of Permitted Types of Uses and Disclosures of Health Information:

This organization may use or be required to use your health information without your authorization or consent for normal business activities as follows:

For Care and Treatment: Health information obtained by a healthcare practitioner such as a physician, nurse, or therapist, will be entered into your medical record and used to determine a plan of care. For example, healthcare members will write and read what others have written such that your care can be coordinated and everyone is aware of how you are responding to your treatment plan. In addition, your health information may go with you such that future healthcare providers will have a record of your care. Your health insurer may disclose health information to the sponsor of the plan.

For Billing and Payment: In addition to demographic information, information on a bill sent to an insurer may include health information. This health information is restricted to that which is needed for the financial transactions.

For Healthcare Operations: In order to provide quality care and for payment, this organization may use your health information, for example, to analyze the care, treatment, and outcomes of your medical case and of others. This health information will be used to continually improve the care of the services that are provided. If a health plan receives protected health information for the purpose of underwriting, premium rating, or other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and if such health insurance or health benefits are not placed with the health plan, such health plan may only use or plan, such health plan may only use or disclose such protected health information for such purposes or as may be required by law, subject to the prohibition at 164.502 (a)(5)(i) with respect to the genetic information included in the protected health information.

In accordance with 164.504(f) , the group health plan, or a health insurance issuer or HMO with respect to a group health plan, may disclose protected health information to the sponsor of the plan with the exception of genetic information as above.

For Directory Purposes: Where applicable, we will use your name, location, general medical condition, and religious affiliation for directory purposes unless you instruct us not to. This health information is only for the use of clergy and to people who ask for you specifically by full name (although religious affiliation will not be given to the latter).

For Business Associates: In order to provide quality services, this organization requires business services such as pharmacy, health insurance, clinic services, information technology, vendors, etc.. These services will have use of your health information at the minimum necessary level as it pertains to their service delivery. Also, business associates and their subcontractors must follow Federal standards for protecting your health information and sign a business associate agreement. In addition, the business associates must follow the HIPAA Privacy Rule, the Security Rule as specified in the Health Information Technology for Economic and Clinical Health Act (HITECH)/Energy and Commerce Recovery and Reinvestment Act, Subtitle D, Section 4401,and 45CFR164.502(a)(5)(ii)(A).

For Clergy: Where applicable, unless you specify that you object, health information such as your name and general medical condition will be given to clergy for professional purposes only.

For Notification: We may use or disclose health information, such as your general condition, to notify or assist in notifying a family member or person responsible for your care.

For Communication: We may use or disclose health information relevant to your care to family member's or those that you deem responsible for your care on a need to know basis.

For Research: We may disclose health information to researchers if they have appropriate consent forms and the research has been approved by our institutional review board. The researchers will be held to this facility's health information privacy standards.

For Funeral Directors: We may disclose health information to funeral directors in accordance with state laws and for professional purposes only.

For Organ Procurement Organizations: Consistent with applicable law, we may disclose health information to organ procurement organizations or organizations involved in the procurement, banking, or transplantation of organs for the purpose of tissue donation and transplant.

For Marketing Purposes: Where applicable, we may contact you to provide information on appointment reminders or alternative treatments and services that may benefit you given your medical condition. In addition, a covered entity or business associate shall not directly or indirectly receive remuneration in exchange for any protected health information of an individual unless the covered entity obtained from the individual, in accordance with section 164.508 of title 45, Code of Federal Regulations, a valid authorization that includes a specification of whether the protected health information can be further exchanged for remuneration by the entity receiving protected health information of that individual. Exceptions under HITECH include, when the purpose of the exchange is for research, public health, treatment, health care operations, providing an individual with a copy of their protected health information, and for remuneration that is provided by a covered entity to a business associate for activities involving the exchange of protected health information that the business associate undertakes on behalf of and at the specific request of the covered entity pursuant to a business associate agreement. The price charged must reflect not more than the costs of preparation and transmittal of the data for such purpose.

For Fundraising: We may contact you for fundraising efforts conducted for this organization's benefit. Per 45CFR164.514(f)(1)(i-vi), the PHI used without an authorization is limited. You also have the right to opt out of receiving any further fundraising communication, and to opt back in.

For the Food and Drug Administration: As requested or required by the FDA, we may disclose health information relative to an adverse health condition related to food, food supplements, product and product defects related to food, or post marketing surveillance information to allow product recalls, repairs, or replacements.

For Workers Compensation Issues: In compliance with Worker's Compensation laws, health information may be revealed to the extent necessary to comply with the law and your individual case.

For Public Health Requirements: As required by law, health information may be disclosed to public health or legal authorities for the jurisdiction of disease, injury, disability prevention or control and to assist in disaster relief efforts. In addition, about information disclosure at a school in regards to an individual who is a student or a perspective student, if the PHI that is disclosed is limited to proof of immunization.

For Correctional Institutions: Should you be an inmate in a correctional institution, health information may be disclosed to the institution or its agents which would be necessary for your health and safety and the health and safety of other individuals.

For Law Enforcement Agencies: Health information may be disclosed to law enforcement agencies for purposes required by law or subpoena.

For Judicial and General Administrative Proceedings: Patient health information may be released per minimum necessary requirements for proceedings.

For Healthcare Oversight: Patient health information may be used by health oversight agencies for activities such as audits, inspections, and licensure activities.

For Specialized Government Functions: In the event that appropriate military authorities require information, it may be released at the minimum necessary level.

For Victim of Abuse, Neglect, and Domestic Violence: Information may be released to social service agencies or protective services in order to protect an individual.

For Emergency Circumstance: If the opportunity to agree or object to the use or disclosure of phi cannot practically be provided because of your incapacity or in an emergency circumstance, the covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interest of the individual and if so disclose only the phi that is directly relevant to the person's involvement with the individual's care or payment.

Examples of uses and disclosures that require an authorization such as psychotherapy notes [where deemed appropriate], participation in research, and marketing that involves financial remuneration, are to be made with your written authorization and you may revoke such authorization at any time as provided by 164.508(b)(5). Other uses and disclosures not described in the notice will be made only with your written authorization

Examples of uses and disclosures requiring an opportunity for the individual to agree or to object include the following.
A covered entity may disclose, with your agreement, to a family member, other relative, a close personal friend, or any other person identified by you, the phi directly relevant to such person's involvement with your healthcare treatment or payment related to your healthcare episode.

When an individual is deceased, a covered entity may disclose to a family member, or other persons who were involved in the individual's care or payment for health care prior to the individual's death, protected health information of the individual that is relevant to such person's involvement, unless doing so is inconsistent with any prior expressed preference of the individual that is known to covered entity.

Any other uses and disclosures not specified in this Notice will be made only with an authorization from you.

Thank you for reading the Notice of Health Information Practices.

Effective Date: 3/31/2013