Notice of Privacy Practices
We understand that medical information about you and your health is personal and we are committed to protecting privacy while providing quality care. This Notice of Privacy Practices applies to all records generated by Mobridge Regional Hospital & Clinics, including departments, medical staff, clinics, employees, volunteers, and affiliated programs and services.
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN ACCESS THIS INFORMATION. PLEASE REVIEW IT CAREFULLY
We are legally required to protect the privacy of your health information. We call this information “protected health information,” or (PHI) and it includes information that can be used to identify you that we have created or received about your past, present, or future health or condition, the provision of health care to you, or the payment for health care services. We must provide you with this notice about our privacy practices that explains how, when, and why we use and disclose your PHI. With some exceptions, we may not use or disclose any more of your PHI than is necessary to accomplish the purpose of the use or disclosure.
We reserve the right to change the terms of this notice and our privacy policies. Any changes will apply to the PHI which is currently in our possession as well as any information we receive in the future. Before we make an important change to our policies, we will promptly change this notice and post a new notice in our main reception areas. The Notice of Privacy Practices will contain the current “Effective Date”. You can also request a copy of this notice from our Privacy Officer, (605) 845-8167, or you may obtain a copy of the notice from our Web site at www.mrhonline.org
We are required to abide by the terms of the Privacy Notice that is then currently in effect. If we revise the Privacy Notice, the revision date will be the effective date of the Notice.
Effective Date of this Notice
December 2024
HOW WE MAY USE AND DISCLOSE YOUR PROTECTED HEALTH INFORMATION
The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI).""Individually identifiable health information" is information, including demographic data, that relates to:
- the individual's past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
General Principle for Uses and Disclosures
De-Identified Health Information. There are no restrictions on the use or disclosure of de-identified health information. De-identified health information neither identifies nor provides a reasonable basis to identify an individual. There are two ways to de-identify information; either: (1) a formal determination by a qualified statistician; or (2) the removal of specified identifiers of the individual and of the individual's relatives, household members, and employers is required, and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.
Basic Principle. A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual's protected health information may be used or disclosed by covered entities. A covered entity may not use or disclose protected health information, except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual's personal representative) authorizes in writing.
Required Disclosures. A covered entity must disclose protected health information in only two situations: (a) to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information; and (b) to HHS when it is undertaking a compliance investigation or review or enforcement action.
Permitted Uses and Disclosures Which do NOT Require your Authorization
A covered entity is permitted, but not required, to use and disclose protected health information, without an individual's authorization, for the following purposes or situations: (1) To the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or health care operations. Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.
For Treatment. We may disclose your PHI to physicians, nurses, medical students, and other health care personnel who provide you with health care services or are involved in your care.
For Payment. We may use and disclose your PHI in order to bill and collect payment for the treatment and services provided to you.
For Health Care Operations. We may disclose your PHI in order to operate this Medical Center. For example, we may use your PHI in order to evaluate the quality of health care services that you received or to evaluate the performance of the health care professionals who provided health care services to you. We may also provide your PHI to our accountants, attorneys, consultants, and others in order to make sure we are complying with the laws that affect us.
As Required by Law. When a disclosure is required by federal, state or local law, judicial or administrative proceedings, or law enforcement. For example, we make disclosures when a law requires that we report information to government agencies and law enforcement personnel about victims of abuse, neglect, or domestic violence; when dealing with gunshot or other wounds; or when ordered in a judicial or administrative proceeding.
For Public Health Activities. For example, we report information about births, deaths, and various diseases, to government officials in charge of collecting that information. We may provide coroners, medical examiners, and funeral directors necessary information relating to an individual’s death.
For Health Oversight Activities. For example, we will provide information to assist the government when it conducts an investigation or inspection of a health care provider or organization.
For Purposes of Organ Donation. We may notify organ procurement organizations to assist them in organ, eye, or tissue donation or transplants.
For Research Purposes. In certain circumstances, we may obtain, create, and/or disclose PHI in order to conduct medical research.
To Avoid Harm. In order to avoid a serious threat to the health or safety of a person or the public, we may provide PHI to law enforcement personnel or persons able to prevent or lessen such harm.
For Specific Government Functions. We may disclose PHI of military personnel and veterans in certain situations. And we may disclose PHI for national security purposes, such as protecting the president of the United States or conducting intelligence operations.
For Workers’ Compensation Purposes. We may provide PHI to workers’ compensation or similar agencies to determine if you are eligible for a work-related injury or illness benefit.
Appointment Reminders and Health-Related Benefits or Services. We may use PHI to provide appointment reminders or give you information about treatment alternatives, or other health care services or benefits we offer.
Fund-Raising Activities. We may use PHI to raise funds for our organization. The money raised through these activities is used to expand and support the health care services and educational programs we provide to the community. If you do not wish to be contacted as part of our fund-raising efforts, please contact our Foundation Office at (605) 845-8128.
Authorized Uses and Disclosures
A covered entity must obtain the individual's written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule. A covered entity may not condition treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization, except in limited circumstances.
An authorization must be written in specific terms. It may allow use and disclosure of protected health information by the covered entity seeking the authorization, or by a third party. Examples of disclosures that would require an individual's authorization include disclosures to a life insurer for coverage purposes, disclosures to an employer of the results of a pre-employment physical or lab test, or disclosures to a pharmaceutical firm for their own marketing purposes.
All authorizations must be in plain language, and contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, expiration, right to revoke in writing, and other data.
Psychotherapy Notes. A covered entity must obtain an individual's authorization to use or disclose psychotherapy notes with the following exceptions:
- The covered entity who originated the notes may use them for treatment.
- A covered entity may use or disclose, without an individual's authorization, the psychotherapy notes, for its own training, and to defend itself in legal proceedings brought by the individual, for HHS to investigate or determine the covered entity's compliance with the Privacy Rules, to avert a serious and imminent threat to public health or safety, to a health oversight agency for lawful oversight of the originator of the psychotherapy notes, for the lawful activities of a coroner or medical examiner or as required by law.
Marketing Purposes. The HIPAA Privacy Rule gives individuals important controls over whether and how their protected health information is used and disclosed for marketing purposes. With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing. The HIPAA Privacy Rule expressly requires an authorization for uses or disclosures of protected health information for ALL marketing communications, except in two circumstances:
- When the communication occurs in a face-to-face encounter between the covered entity and the individual;
OR
- The communication involves a promotional gift of nominal value.
If the marketing communication involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved.
Limiting Uses and Disclosures to the Minimum Necessary
Minimum Necessary. A central aspect of the Privacy Rule is the principle of "minimum necessary" use and disclosure. A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.
WHAT RIGHTS YOU HAVE REGARDING YOUR PHI
You have the following rights with respect to your PHI:
The Right to Request Limits on Uses and Disclosures of Your PHI. You have the right to ask that we limit how we use and disclose your PHI. We will consider your request but are not legally required to accept it. If we accept your request, we will put any limits in writing and abide by them except in emergency situations. You may not limit the uses and disclosures that we are legally required or allowed to make.
The Right to Choose How We Send PHI to You. You have the right to ask that we send information to an alternate address (for example, sending information to your work address rather than your home address) or by alternate means (for example, e-mail instead of regular mail). We must agree to your request as long as we can reasonably provide it in the format you requested.
The Right to Get a List of the Disclosures We Have Made. You have the right to get a list of instances in which we have disclosed your PHI. The list will not include uses or disclosures for: treatment, payment or healthcare operations; information which you have authorized us to disclose; national security; law enforcement as required by state or federal law.
We will provide the list to you at no charge, but if you make more than one request in the same year, we may charge you for the costs of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time, before any costs are incurred. To request this list, or accounting, you must submit your request on our designated form.
The Right to Correct/Update/Copy/Inspect Your PHI. If you believe that medical information we have about you is incorrect or incomplete, you have the right to request that we correct the existing information or add the missing information. You must provide the request and your reason for the request in writing. We will respond within 60 days of receiving your request. We may deny your request in writing if the PHI is (1) correct and complete, (2) not created by us, (3) not allowed to be disclosed, or (4) not part of our records. Our written denial will state the reasons for the denial and explain your right to file a written statement of disagreement with the denial. Your rights allow you to have your request and our denial attached to all future disclosures of your PHI. If we approve your request, we will make the change to your PHI, tell you that we have done it, and tell others that need to know about the change to your PHI.
The Right to a Copy of this Notice. You have the right to a paper copy of this notice, at any time, even if you have agreed to receive the notice electronically.
The Right to Object
Patient Directories. If you are admitted to the hospital, we may include your name, location in the Medical Center, general condition, and religious affiliation, in our patient directory for use by clergy and visitors who ask for you by name, unless you object in whole or in part. The opportunity to consent may be obtained retroactively in emergency situations.
Disclosures to Family, Friends, or Others. We may provide your PHI to a family member, friend, or other person that you indicate is involved in your care or the payment of your health care, unless you object in whole or in part. The opportunity to consent may be obtained retroactively in emergency situations.
Other Uses of Health Information. In any other situation, not described in this notice, we will ask for your written authorization before using or disclosing any of your PHI. If you choose to sign an authorization to disclose your PHI, you can later revoke that authorization in writing to stop any future uses and disclosures (to the extent that we have not taken any action relying on the authorization).
FOR MORE INFORMATION OR TO REPORT A PROBLEM
If you have questions or wish to make a complaint about our privacy practices, you may contact the Medical Center’s Privacy Officer at (605) 845-8167 or by writing to Mobridge Regional Hospital, Privacy Officer, 1401 10th Ave West, Mobridge SD, 57601.