Notice of Privacy Practices (NPP) for Protected Health Information (PHI)
Your Information. Your Rights. Our Responsibilities.
This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
Alternate Translation Español >
(AVISO DE LAS PRÁCTICAS DE PRIVACIDAD DE INFORMACIÓN DE LA SALUD PROTEGIDA >)
Who Will Follow This Notice
This notice summarizes the privacy practices of health care providers within Sutter Health’s Affiliated Covered Entity (“ACE”), which are health care facilities and other health care providers that are now or in the future controlled by or under Sutter Health’s common ownership or control. The Sutter Health ACE members are located in California, Hawaii, Oregon and Utah. The health care components of any current or future hybrid entity under common ownership or control of Sutter Health are also included as part of the Sutter Health ACE. As the members of Sutter Health’s ACE may change over time, the complete list of ACE members can be found in Attachment A or online using this link.
Sutter Health operates certain alcohol and drug abuse treatment programs that may have an additional notice of privacy practices governing their records. For those treatment programs, Sutter Health will comply with both notices of privacy practices.
This notice also describes the privacy practices of the physicians, nurse practitioners and other health care professionals on affiliated medical staffs when they provide health care services in our hospitals, clinics and other sites. The Sutter Health ACE and these health care professionals may share your health information for joint treatment, payment activities, and health care operations.
Federal and State Law
Federal and state laws require Sutter Health to protect your health information and federal law requires Sutter Health to describe to you how we handle that information. When federal and state privacy laws differ, and the state law is more protective of your information or provides you with greater access to your information, then we comply with the more stringent state law.
Your Rights
When it comes to your health information, you have rights. You may contact the Sutter Health privacy office at 1-855-771-4220 to exercise the following rights:
Get an electronic or paper copy of your medical record
- You can ask to see or get an electronic or paper copy of your medical record and other health information we have about you.
- You have to put your request in writing and we will provide you with access to your medical record.
Additional Applicable State Law Requirements:
California law generally requires access to be provided within five (5) business days.
We will provide a copy or, if you prefer, a summary of your health information, usually within 30 days of your request. We may charge a reasonable, cost-based fee.
Additional Applicable State Law Requirements:
California law requires provision of your record within fifteen (15) days of your request.
Ask us to correct your medical record
- You can ask us to correct health information about you that you think is incorrect or incomplete. You have to put your request in writing.
- We may say “no” to your request, but we’ll tell you why in writing within 60 days.
Request confidential communications
- You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address.
- We require you to ask us in writing, but we will honor any reasonable request.
Ask us to limit what we use or share
- You can ask us, in writing, not to use or share certain health information for treatment, payment, or our operations. We are not required to agree to your request, and we may say “no” if it would affect your care.
- If you pay for a service or health care item out-of-pocket in full, you can ask us not to share that information for the purpose of payment or our operations with your health insurer. We will say “yes” unless a law requires us to share that information.
Get a list of those with whom we’ve shared information
- You can ask for a list (accounting) of the times we’ve shared your health information for up to six years prior to the date you ask, who we shared it with, and why.
- We will include all the disclosures except for those about treatment, payment, and health care operations, and certain other disclosures (such as any you asked us to make). We’ll provide one accounting a year for free but will charge a reasonable, cost-based fee if you ask for another one within 12 months.
Get a copy of this privacy notice
You can ask for a paper copy of this notice at any time, even if you have agreed to receive the notice electronically. We will provide you with a paper copy promptly.
Choose someone to act for you
- If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information.
- We will make sure the person has this authority and can act for you before we take any action.
File a complaint if you feel your rights are violated
- You can complain if you feel we have violated your rights by contacting our Chief Privacy and Information Security Officer in the Office of General Counsel at:
Privacy Office, 2200 River Plaza Drive,
Sacramento, CA 95833, or
Phone: 1-855-771-4220.
- You can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights.
- We will not retaliate against you for filing a complaint.
Your Choices
For certain health information, you can tell us your choices about what we share. Let us know if you have a clear preference for how we share your information in the situations described below. We will follow your instructions where we can.
In these cases, you have both the right and choice to tell us to:
- Share (or not share) information with your family, close friends, or others involved in your care
- Share information in a disaster relief situation
- Include your information in a hospital directory
If you are not able to tell us your preference, for example if you are unconscious, we may still be able to share minimal information if we believe it is in your best interest or when needed to lessen a serious and imminent threat to health or safety.
Fundraising:
We may contact you for fundraising efforts, but you can tell us not to contact you again. If you change your mind, you can always ask to start receiving fundraising information again.
Our Uses and Disclosures
We use or share your health information in the following ways.
Treat you
We can use your health information and share it with other professionals who are treating you. We may use your health information to provide you with medical care in our facilities or in your home. We may also share your health information with others who provide care to you such as hospitals, nursing homes, doctors, nurses, or others involved in your care. We may share your information with third party transportation providers, such as ridesharing or taxi services, to facilitate your transportation needs.
Example: Your doctor speaks with a behavioral health professional within our clinic about getting you help for an anxiety disorder.
Run our organization
We can use and share your health information to run our practice, improve your care, and contact you when necessary.
Example: We use health information about you to manage your treatment and services.
Sutter Health may use and share your health information to support necessary business, legal, auditing, financial and clinical functions. Examples of these functions may include: auditing our clinical procedures, analyzing our cost of care, arranging for patient satisfaction surveys, fundraising and determining the need for new health care services.
Bill for your services
We can use and share your health information to bill and get payment from health plans or other entities.
Example: We give information about you to your health insurance plan so it will pay for your services.
How else can we use or share your health information?
We are allowed or required to share your information in other ways – usually in ways that contribute to the public good, such as public health and research. We have to meet many conditions in the law before we can share your information for these purposes. For more information see: https://www.hhs.gov/ocr/privacy/hipaa/understanding/%20consumers/index.html
Help with public health and safety issues
We can share health information about you for certain situations such as:
- Preventing disease
- Helping with product recalls
- Reporting adverse reactions to medications
- Reporting suspected abuse, neglect, or domestic violence
- Preventing or reducing a serious threat to anyone’s health or safety
Do research
We can use or share your health information for health research.
Additional Applicable State Law Requirements:
Oregon law protects the genetic privacy of individuals and gives you the right to decline to have your health information or biological samples used for research. We will provide you with a separate notice where you can make your choice known to us.
Comply with the law
We will share information about you if state or federal laws require it, including with the Department of Health and Human Services if it wants to see that we’re complying with federal privacy law.
Respond to organ and tissue donation requests
We can share health information about you with organ procurement organizations.
Work with a medical examiner or funeral director
We can share health information with a coroner, medical examiner, or funeral director when an individual dies.
Address workers’ compensation, law enforcement, and other government requests
We can use or share health information about you:
- For workers’ compensation claims
- For law enforcement purposes or with a law enforcement official
- With health oversight agencies for activities authorized by law
- For special government functions such as military, national security, and presidential protective services
Respond to lawsuits and legal actions
We can share health information about you in response to a court or administrative order, or in response to a subpoena.
Health Information Exchange
Sutter Health participates in electronic exchange networks and some of the uses and disclosures of information described above may be done through electronic means, such as a Health Information Exchange (“HIE”). Other entities may access your health information for treatment or other permitted uses.
Example: Health information may be securely exchanged between your treating health care providers at different organizations to coordinate your care.
For additional information about HIEs or to learn how you can opt-out of having your information shared through HIE, visit our webpage at: http://www.sutterhealth.org/yourhealth/healthinformation-exchange.html
Business Associates
There are some services provided in our organization through contracts with business associates. Examples include transcribing your medical record, surveying for patient satisfaction, and a copy service we use when making copies of your health record. When services are provided by contracted business associates, we may disclose the appropriate portions of your health information to them so they can perform the job we have asked them to do. However, our business associates are also required by law to safeguard your information.
Other Uses of Health Information
Uses and disclosures of health information that are not discussed by this notice or required by law will only be made with your written permission. Your written authorization will typically be required for most uses and disclosures of psychotherapy notes, if you receive treatment in an addiction treatment program, most uses and disclosures for marketing and most arrangements involving the sale of health information. We comply with state and federal laws that require extra protection for your health information. If you provide us permission to use or disclose health information about you, you may revoke that permission, in writing, at any time.
Additional Applicable State Law Requirements:
California: Your written authorization will typically be required for most uses and disclosures of HIV test results, outpatient psychotherapy information, involuntary commitment records, and alcohol and drug abuse treatment information.
Utah: Your written authorization will typically be required for most uses and disclosures of confidential communications provided to a psychologist, licensed substance abuse counselor, or mental health therapist.
Oregon: Your written authorization will typically be required for most uses and disclosures of genetic information, and alcohol and treatment information.
Our Responsibilities
- We are required by law to maintain the privacy and security of your protected health information.
- We will let you know promptly if a breach occurs that may have compromised the privacy or security of your information.
- We must follow the duties and privacy practices described in this notice and give you a copy of it.
- We will not use or share your information other than as described here unless you tell us we can in writing. If you tell us we can, you may change your mind at any time. Let us know in writing if you change your mind.
For more information see: www.hhs.gov/ocr/privacy/hipaa/understanding/ consumers/noticepp.html
Changes to the Terms of this Notice
We may change our Notice of Privacy Practices from time to time. The changes will apply to all health information we have about you. The new notice will be available upon request in Sutter Health facilities and Sutter Health websites.
Contact: If you have any questions, you may contact:
Privacy and Information Security Office
2200 River Plaza Drive
Sacramento, CA 95833
1-855-771-4220
Effective Date: June 12, 2017