Advocate Health Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED, YOUR RIGHTS WITH RESPECT TO YOUR HEALTH INFORMATION, HOW YOU CAN GET ACCESS TO YOUR HEALTH INFORMATION, AND HOW TO FILE A COMPLAINT CONCERNING A VIOLATION OF THE PRIVACY OR SECURITY OF YOUR HEALTH INFORMATION OR OF YOUR RIGHTS CONCERNING YOUR INFORMATION. YOU HAVE A RIGHT TO A COPY OF THIS NOTICE (IN PAPER OR ELECTRONIC FORM) AND TO DISCUSS IT WITH THE PRIVACY OFFICER AT 1-888-847-6331 OR EMAIL privacy@advocatehealth.org IF YOU HAVE ANY QUESTIONS. PLEASE REVIEW IT CAREFULLY.
Last Revised February 16, 2026
Advocate Health complies with applicable Federal civil rights laws and does not discriminate on the basis of race, color, national origin, age, disability, or sex. For more information, please see advocatehealth.org/policies-notices.
A copy of this Notice is also available in Spanish.
Una copia de este anuncio esta disponible tambien en Espanol
Protecting Your Privacy
At Advocate Health, we understand that your health information is personal. This Notice describes how your health information may be used and disclosed, how we protect your information and your rights under the Health Insurance Portability and Accountability Act (“HIPAA”). We are required by law to:
- Maintain the privacy of your Protected Health Information (“PHI” or “your information”) as outlined in this Notice
- Implement safeguards to maintain the privacy of PHI
- Provide you with notice of our legal duties and privacy practices related to your PHI
- Follow the terms of the Notice currently in effect
This Notice only applies to those parts of our websites and mobile device applications where you can access your PHI or interact with a clinician regarding your specific care, such as the patient portal with respect to your PHI. However, these websites and applications may contain additional terms associated with your use. You should review those terms as well as the website terms contained on the website that you visit.
This Notice does not apply to health information that is not subject to HIPAA or similar state health information privacy laws, or information used or shared in a manner that cannot identify you.
Who Follows This Notice
Advocate Health encompasses the following health systems, including their affiliates and subsidiaries:
- Advocate Health Care
- Atrium Health
- Aurora Health Care
- Wake Forest University School of Medicine
These health systems have designated themselves and function as a singular Affiliated Covered Entity (ACE). An ACE is a group of covered entities that are fully or partially owned by the same parent company and designate themselves as a single covered entity for purposes of compliance with HIPAA, which means that they may share, access, use and disclose protected health information as if they were one organization. This Notice of Privacy Practices applies to entities that are owned, controlled or affiliated with one of these Advocate Health systems, including its facilities, practices, departments, and other sites of service; personnel who are employed by, contracted by, train with, or volunteer with such Advocate Health entities; members of our various medical staffs and their approved personnel while they care for you at an Advocate Health location; and other Advocate Health workforce members authorized to use or access PHI. In addition, any Advocate Health academic medical center will require its faculty, residents, fellows, students, and trainees also follow this Notice while they are learning with an Advocate Health entity.
Advocate Health entities also may participate in organized health care arrangements (OHCAs), such as with medical staff and care coordinators while at our locations, as well as in affordable care organizations (ACOs). These enable us to share information among participating entities and providers in a clinically integrated setting; for treatment, payment, and health care operations purposes; and, for joint activities in support of the OHCA’s purposes.
Please note that this Notice does not apply to any Advocate Health entity in its capacity as an employer or to any Advocate Health health plan. Any Advocate Health health plan is considered a separate covered entity for the purpose of HIPAA and has its own notice of privacy practices.
Additionally, providers that are independent of Advocate Health are legally separate and responsible for their own acts. Advocate Health is not responsible for how they provide care or handle your information.
How Your PHI Is Used and Disclosed
For Treatment We may use and share your PHI to provide, coordinate, or manage your health care and related services, both with our own providers and with others involved in your care. Different personnel may also share your PHI to coordinate the different things you need, such as prescriptions, lab work and x-rays. For example, a doctor treating you for a broken leg may need to know if you have diabetes so she can treat you properly and work with our dietitian so you can have low sugar meals. Our case manager will need to know about your diabetes so he can connect with other agencies to get you access to the proper resources after discharge. We may also share your PHI with a health registry so we can access information that may help us identify a different way to treat you. We may share and receive your PHI from other providers, including within our system, to treat you.
Treatment Alternatives We may use and share your PHI to tell you about possible treatment options or alternatives that may be of interest. For example, if you have cardiac issues, we may tell you about exercise resources or apps that could support your heart health. In many situations, you sign up directly with a vendor to use the apps, not through Advocate Health. We encourage you to carefully review any terms of use that may apply to the apps or other tools that you may use, as we are not responsible for what they do with your information.
Health-Related Benefits and Services We may use and disclose your information to tell you about health-related benefits or services that may be of interest to you. For example, if you just had a baby, we may use that information to send you tips for caring for a newborn or resources for new Moms. As a general rule, we do not sell your information or get paid by vendors to communicate with you without your written authorization. You may choose not to receive any communication from us that encourages you to purchase or use any particular product or service.
Communicating With You We may use and share PHI to contact you about treatment, care, or payment. For example, we may use your phone numbers (including mobile) and email addresses that we have on file to send you phone calls, emails, text messages, or other communications related to your care. We may also send appointment reminders or remind you that it is time for an annual checkup. We may also reach out to you for feedback about a recent visit or to see if you are feeling better. We may also contact you about health-related benefits or services that may be of interest to you (such as information about upcoming health screening events or research information) or to tell you about a new practice opening near you. These messages may be sent using automated dialing and/or pre-recorded messages. You have the right to opt out of receiving these messages. To opt out of text messages, please follow the opt out prompt in the text message. If you send us unencrypted emails or texts, you understand there are security risks in doing so and you accept those risks.
For Payment We may use and share your PHI with others to bill and collect payment for the services we provide to you, such as with billing departments, vendors, collection agencies, insurance companies, health plans and their agents, and consumer reporting agencies. For example, if you broke your leg, we may need to share information about your condition, the supplies used, and the services you received (such as X-rays or surgery) with your health plan so they can pay your bill. We may also contact payors before you receive scheduled services, such as for pre-approval from your health plan or to confirm your procedure qualifies for coverage. Unless you specifically tell us otherwise, we will assume you want us to bill your insurance that is on file in our records.
For Health Care Operations We may use and share your PHI to carry out business activities that help us operate our health system, improve the quality and cost of patient care, perform case management and care coordination functions, and conduct other health care operations. For example, we may look at patient information to evaluate the performance of our staff, plan new services, identify new locations for services, or send you a survey about your experience. We may also use patient information to train personnel and students, respond to governmental agencies, support our licensing, analyze data, and for legal and other purposes. We can also share your PHI with other providers who have a relationship with you for their own health care operations. For example, if you come to us in an ambulance, EMS may want to know the resolution to your care to determine if their medics delivered appropriate treatment to you in the ambulance. We may also use and share your PHI to confirm the time, place, and attendance of your appointment for treatment with third-party transportation services.
Photos, Images, and Audio We may take, collect, capture, produce, use and store photos, video and/or audio recordings, reproductions and digital images, including biometric information for treatment, training, identification, education and health care operations purposes.
Artificial Intelligence We may utilize computers, electronic devices, artificial intelligence systems or other technology to provide and assist in providing our patients with care, treatment, and services.
Business Associates Sometimes, we hire other people and companies known as business associates to help us perform services and manage operations. We may need to share your PHI with these business associates so that they can perform their job for us. For example, we may hire healthcare monitoring companies, collection agencies, or information technology vendors. We may also share your PHI with a Business Associate who will remove information that identifies you so that the remaining information can be used or disclosed for purposes outside of this Notice. We require any Business Associate to sign a written contract requiring that they comply with HIPAA, protect your PHI and keep it confidential in the same manner as HIPAA requires of us.
Minors We may generally share PHI of minors with their parents or legal guardians acting as personal representatives, unless prohibited by law or in circumstances where the law permits us to withhold PHI, such as to prevent harm to the minor or another person or in cases of suspected child abuse or neglect.
Required by Law or Judicial or Administrative Proceeding We will use or disclose your PHI when required to do so by local, state, federal, and international law. For example, we may share your PHI as required to report a suspicious death or suspected child abuse or neglect. We may use and disclose your PHI in conjunction with judicial or administrative proceedings or for purposes of litigation as permitted by law. We may also share your PHI in response to an administrative or court order, or in response to a subpoena, a discovery request, or other legal process if we are advised that you have been made aware of the request or that efforts were made to secure a qualified protective order.
Abuse, Neglect, and Domestic Violence or Other Threats to Safety Your PHI will be disclosed to the appropriate government agency if we believe that a patient has been or is currently the victim of abuse, neglect, or domestic violence and the patient agrees to the disclosure or we are otherwise permitted or required by law to do so. In addition, your PHI may also be disclosed when necessary to prevent a serious threat to your health or safety or the health and safety of others to someone who may be able to help prevent the threat. State laws may require such disclosure when an individual or group has been specifically identified as the target or potential victim.
Law Enforcement We will disclose your PHI for law enforcement purposes when all applicable legal requirements have been met. This includes, but is not limited to, law enforcement due to identifying or locating a suspect, fugitive, material witness or missing person; complying with a court order or warrant, and grand jury subpoena; reporting information about a victim of a crime, reporting a death we believe resulted from criminal conduct, reporting criminal conduct occurring on our premises, or reporting crime in an emergency, such as the location of the crime or victims or the identity, description, or location of the person who committed the crime.
Public Health Your PHI may be disclosed and may be required by law to be disclosed for public health purposes. This includes: to prevent or control disease; report births and deaths; reporting of reactions to medications or problems with health products; reporting a person who may have been exposed to a disease or may be at risk of contracting and/or spreading a disease or condition. We may share your PHI with public health authorities for public health purposes to prevent or control disease, injury, or disability and for conducting public health monitoring, investigations, or activities.
Health Oversight Activities We may disclose your PHI to a health oversight agency for audits, investigations, inspections, licensures, and other activities as authorized by law. The relevant agencies include governmental units that oversee or monitor the health care system, government benefit and regulatory programs, and compliance with civil rights laws.
Military, National Security, and Other Specialized Government Functions We may disclose your PHI, if you are in the Armed Forces, for activities deemed necessary by appropriate military command authorities for determination of benefit eligibility by the Department of Veterans Affairs or to foreign military authorities if you are a member of that foreign military service. We may disclose your PHI to authorized federal officials for conducting national security and intelligence activities or special investigations (including for the provision of protective services to the President of the United States, other authorized persons, or foreign heads of state) or to the Department of State to make medical suitability determinations.
Inmates and Correctional Institutions If you are an inmate at a correctional institution, then under certain circumstances we may disclose your PHI to the correctional institution or law enforcement official. This may be necessary 1) for the institution to provide you with health care; 2) to protect your health and safety or the health and safety of others; or 3) for the safety and security of the correctional institution and its staff.
Workers Compensation We will disclose only the PHI necessary for Worker's Compensation in compliance with Worker's Compensation laws. This PHI may be reported to your employer and/or your employer's representative regarding an occupational injury or illness.
Change in Ownership If our business is sold in whole or part, acquired, or merged with another entity, your PHI may become the property of the new owner. However, you will still have the right to request copies of your records and have copies transferred to another provider.
Research We may disclose your PHI to researchers for the purpose of conducting research when an Institutional Review or Privacy Board has approved the research and in compliance with law governing research, or where you have provided your authorization. You may choose to participate in a research study that requires you to obtain related health care services. In this case, we may share your PHI 1) with the researchers involved in the study who ordered the hospital or other health care services; and 2) with your insurance company in order to receive payment for those services that your insurance agrees to pay for. We may use and share your PHI with a researcher if certain parts of your PHI that would identify you are removed before we share it with the researcher. This will only be done if the researcher agrees in writing not to share the information, will not try to contact you, and will obey other requirements that the law provides.
Decedents We may disclose your PHI to a coroner, medical examiner, or funeral director as necessary for them to perform their duties.
Organ, Eye or Tissue Donation Purposes If you are an organ donor, we may disclose your PHI to organizations that handle organ procurement or organ, eye, or tissue transplantation, or to an organ donation bank, as necessary to facilitate organ or tissue donation and transplantation.
Breach Notification Purposes If for any reason there is an unsecured breach of your PHI, we will utilize the contact information you have provided us with to notify you of the breach, as required by law. In addition, your PHI may be disclosed as a part of the breach notification and reporting process.
Right to Opt Out of Certain Uses and Disclosures
Fundraising Activities We may use some of your PHI to identify causes you may care about and wish to support through a donation to advance patient care, health care education, and research. This information may include your contact, demographic, and insurance information; date(s) and location of treatment; provider name; and if you would be likely to support our charitable causes. You have the right to opt out of fundraising communications. Opting out of fundraising communications will not affect your ability to obtain health care at Advocate Health. Note: Your household may still receive general fundraising materials from us that do not require use of PHI.
Facility Directory We may include your name, your location in the hospital, and your general condition (e.g., good, fair, serious, etc.) in our hospital directory while you are a patient. We will share this directory information with people who ask for you by name. We can also share your religious affiliation with clergy affiliated with your faith, regardless of whether they ask for you by name. To opt out of being included in the facility directory, please notify the staff member registering you or providing your care. The opt out only applies to that encounter, and you will have to make a new request to opt out if you would like to be removed from the directory during your next stay.
Individuals Involved in Your Care or Payment We may share your PHI with a family member, personal representative, friend or other person you identify or who is involved in your care or payment, unless you object. For example, if you bring a sibling to your appointment or have a friend pick you up from a procedure and you do not object to them hearing your medical information, then we can share relevant information with them or when they are present. We could also tell your family how to care for you at home or share billing information if they are helping with your bills or covering your services. We may also share information to notify people involved in your care about your location, general condition or death. Some laws also require us to notify those involved in your care that you have been admitted, transferred, or discharged from a facility. To opt out of these notifications, please notify the staff member registering you or providing your care. If you are unable to make decisions for yourself or it is an emergency, we will use our professional judgment to decide if it is in your best interest to share your PHI with those involved in your care.
Disaster In the event of a disaster, we may disclose your PHI to disaster relief organizations to coordinate your care and/or to notify family members or friends of your location and condition. Whenever possible, we will provide you with an opportunity to agree or object.
Health Information Exchanges We may participate in certain health information networks or exchanges ("HIEs") that permit health care providers or other health care entities, such as your health plan or health insurer, to share your PHI for treatment, payment and other purposes permitted by law, including those described in this Notice. Your health information will be stored in our electronic medical record, including Epic, so your care community can help you. Your information may also be available through health information exchanges or through clinically integrated networks that allow member providers to securely exchange health information for treatment purposes. By seeing records of past care received at other locations in an HIE, providers can make more informed decisions about care plans and avoid duplicative or unnecessary treatment. You do not have to participate in an HIE to receive care from us, and may choose to opt out, though note that opting out of an HIE does not stop us from using or sharing your information as otherwise described in this Notice. Your decision to opt out of sharing your PHI through an HIE does not affect the information that was exchanged prior to the time you opted out of participation.
Use and Disclosure of Substance Use Disorder Records Subject to Part 2
Federal law protects the confidentiality of substance use disorder patient records and places additional restrictions on the use or disclosure of such health information. A substance use disorder is a cluster of cognitive, behavioral, and physiological symptoms indicating that the individual continues using the substance (such as drugs or alcohol but not including tobacco or caffeine) despite significant substance-related problems such as impaired control, social impairment, risky use, and pharmacological tolerance and withdrawal. If you receive services from Advocate Health covered by such laws, we comply with the federal Confidentiality of Substance Use Disorder Patient Records laws and regulations that protect information regarding substance use disorder diagnosis, treatment, and referral for treatment. See 42 U.S.C 290dd-3 and 42 U.S.C. 290ee-3 for Federal laws and 42 CFR Part 2 for Federal regulations (collectively, "Part 2").
Please note that Part 2 does not protect all substance use disorder information that Advocate Health may have. Part 2 applies to certain programs (which could be limited to certain programs, persons, or departments of Advocate Health) that are federally funded and hold themselves out as and/or have the primary purpose of providing substance use disorder treatment, diagnosis, or referral for treatment. Additionally, if we receive records regarding your substance use disorder from another Part 2 program pursuant to your specific consent, Part 2 generally will continue to protect such records. Where Part 2 is applicable, Advocate Health we will not disclose your substance use disorder records, that you are enrolled in a Part 2 program, or any other information that would identify you as having or having had a substance use disorder (collectively, "Part 2 Records") except in compliance with this Section. If Part 2 Records are disclosed to us or our business associates pursuant to your written consent for treatment, payment, and healthcare operations or are disclosed by you or another person involved in your care to a non-Part 2 provider at Advocate Health, we or our business associates may use and disclose such health information without your written consent to the extent that the HIPAA regulations permit such uses and disclosures, consistent with the other provisions in this Notice regarding PHI. We will obtain your written consent to use and disclose your Part 2 Records unless we are permitted to use and disclose Part 2 Records without your written consent consistent with Part 2. The following categories describe the ways that we may use and disclose your Part 2 Records without your written consent under Part 2.
- Medical Emergencies We may disclose your Part 2 Records to medical personnel to the extent necessary to meet a bona fide medical emergency in which the your prior written consent cannot be obtained or in which we are closed and unable to provide services or obtain your prior written consent during a temporary state of emergency declared by a state or federal authority as the result of a natural or major disaster, until such time as we resume operations. Advocate Health will obtain your authorization prior to disclosing your information for non-emergency treatment. Advocate Health may also disclose your Part 2 Records to medical personnel of the Food and Drug Administration (FDA) who assert a reason to believe that your health may be threatened by an error in the manufacturer, labeling, or sale of a product under the FDA jurisdiction, and that your Part 2 Records will be used for the exclusive purpose of notifying you or your physicians of potential danger.
- Research Under certain circumstances, we may use and disclose your Part 2 Records without your consent for research purposes. Generally, we would first obtain your written consent; however, in certain circumstances, we may be permitted to use or disclose your Part 2 Records for research purposes without your consent to the extent permitted by HIPAA, FDA and HHS regulations related to human subject research where a waiver of consent has been granted.
- Management and Financial Audits and Program Evaluation Under certain circumstances we may use or disclose your Part 2 Records for purposes of the performance of certain program financial and management audits and evaluations. For example, we may disclose your identifying information to any federal, state, or local government agency that provides financial assistance to the Part 2 program or is authorized by law to regulate the activities of Part 2 programs. We may also use or disclose your identifying information to qualified personnel who are performing audit or evaluation functions on behalf of any person that provides financial assistance to the Part 2 program, which is a third-party payer or health plan covering you in your treatment, or which is a quality improvement organization (QIO), performing QIO review, the contractors, subcontractors, or legal representatives of such person or QIO, or an entity with direct administrative control over our program.
- Fundraising Consistent with provisions elsewhere in this policy, we may also use or disclose your Part 2 records for fundraising purposes.
- Public Health We may use or disclose to a public health authority for public health purposes. However, the contents of the information from the Part 2 Records disclosed will be de-identified in accordance with the requirements of the HIPAA regulations, such that there will be no reasonable basis to believe that the information can be used to identify you.
- Designated Persons or Entities We may use and disclose your Part 2 Records in accordance with the consent to any person or category of persons identified or generally designated in the consent. For example, if you provide written consent naming your spouse or a healthcare provider, we will share your health information with them as outlined in your consent.
- Single Consent for Treatment, Payment, or Healthcare Operations We may also use and disclose your Part 2 Records when the consent provided is a single consent for all future uses and disclosures for treatment, payment, and healthcare operations, as permitted by the HIPAA regulations, until such time you revoke such consent in writing.
- Central Registry or Withdrawal Management Program We may disclose your Part 2 Records to a central registry or to any withdrawal management or treatment program for the purposes of preventing multiple enrollments, with your written consent. For instance, if you consent to participating in a drug treatment program, we can disclose your information to the related program to coordinate care and avoid duplicate enrollment.
- Criminal Justice System We may disclose information from your Part 2 Records to those persons within the criminal justice system who have made your participation in the Part 2 program a condition of the disposition of any criminal proceeding against you. The written consent must state that it is revocable upon the passage of a specified amount of time or the occurrence of a specified, ascertainable event. The time or occurrence upon which consent becomes revocable may be no later than the final disposition of the conditional release or other action in connection with which consent was given. For example, if you consent, we can inform a court-appointed officer about your treatment status as part of legal agreement or sentencing conditions.
- PDMPs We may report any medication prescribed or dispensed by us to the applicable state prescription drug monitoring program if required by applicable state law. We will first obtain your consent to a disclosure of Part 2 Records to a prescription drug monitoring program prior to reporting such information.
Any Part 2 Record, or testimony relaying the content of such Part 2 Records, shall not be used or disclosed in a civil, administrative, criminal, or legislative proceeding against you unless you provide specific written consent (separate from any other consent) or a court issues an appropriate order. Your Part 2 Records will only be used or disclosed based on a court order after notice and an opportunity to be heard is provided to you, Advocate Health, or the other holder of the Part 2 Record in accordance with Part 2. A court order authorizing use or disclosure of Part 2 Records must be accompanied by a subpoena or other similar legal mandate compelling disclosure before the Part 2 Records may be used or disclosed.
Part 2 does not protect health information about a crime committed on Advocate Health’s premises or against any Advocate Health personnel or about any threat to commit such crime. Part 2 also does not prohibit the disclosure of health information by Advocate Health to report suspected child abuse or neglect under state law to appropriate state or local authorities. The restrictions on use and disclosure in Part 2 do not apply to communications of Part 2 Records between or among personnel having a need for them in connection with their duties that arise out of the provision of diagnosis, treatment, or referral for treatment of patients with substance use disorders if the communications are within the program (or with an entity that has direct administrative control over the program the communications between a part 2 program) and to communications of Part 2 Records to a qualified service organization if needed by the qualified service organization to provide services to or on behalf of Advocate Health (similar to provisions herein regarding Business Associates). To the extent that applicable state law is even more stringent than Part 2 on how we may use or disclose your health information, we will comply with the more stringent state law.
Authorization for Other Uses of PHI
Before we use or share your PHI or Part 2 Records in a manner not covered by this Notice or required or permitted by applicable laws, we will ask for your written permission. For example, we are required to obtain your written permission for the specific uses and disclosures of your PHI discussed below. Note that we can remove or combine individual identifiers so the information no longer identifies or can be used to identify you. Once de-identified, we can use or share it without permission as it is no longer subject to this Notice.
- Disclosure of Psychotherapy Notes Unless we have your written authorization, in most circumstances we will not disclose your psychotherapy notes. Some circumstances in which we will disclose your psychotherapy notes include the following: for your continued treatment; training of medical students and staff; to defend ourselves during litigation; if the law requires; health oversight activities regarding your psychotherapist; to avert a serious or imminent threat to yourself or others; and to the coroner or medical examiner upon your death.
- Marketing Disclosures for marketing purposes which result in our receiving financial payment from a third party whose product or services are being marketed will require your written authorization. This does not include compensation that merely covers our cost of reminding you to take and refill your medication or otherwise communicate about a drug or biologic that is currently prescribed to you. However, we may use or disclose your PHI without your authorization to send you information about alternative medical treatments, our own programs or about health-related products and services that may be of interest to you, provided that we do not receive financial remuneration for making such communications. For example, if you suffer from a chronic illness or condition, we may use your PHI to assess your eligibility and propose newly available treatments. When we see you face-to-face, we may also use your PHI without your authorization to encourage you to maintain a healthy lifestyle and get recommended tests, suggest that you participate in a disease management program, provide you with promotional gifts of nominal value, or tell you about government sponsored health programs.
- Sale of PHI Any activity constituting a sale of your PHI will require your prior written authorization.
Your Rights Regarding Your PHI
You have certain rights regarding the PHI we maintain about you, which are outlined below. Our Health Information Management Department (HIM) oversees many of these rights. Your patient portal account (e.g., MyAtriumHealth, LiveWell, etc.) also has some of these request forms. If you have any questions or need help obtaining these forms, please contact HIM and they will be happy to help you. All rights and their limitations with respect to your PHI apply equally with respect to your Part 2 Records.
Right to a Copy of Your Health Records
You can ask to inspect or ask for a copy of part or all of your designated record set (defined by HIPAA as the grouping of records including your medical records, billing records and other information used to make decisions about your health care), though certain exceptions may apply that permit us to deny your request. For example, if your doctor decides something in your record might endanger you or someone else, your request may be denied in whole or in part. There are also records which may contain information about you, but that you don’t have a right to access, such as psychotherapy notes or records compiled in anticipation of a legal proceeding. To request a copy of your record, go to the HIM website and submit the Patient Request for Access form, submit the request form electronically through the patient portal, or request a copy of such form from your provider and submit it to the HIM Department. In most cases, you will receive the information within 30 days of when we receive your request, unless we let you know we need another 30 days, such as if the records are in storage. Where permitted by law, we may charge a reasonable fee for the costs of copying, mailing, or other supplies associated with your request, including where you designate a third-party recipient. If we deny you access to your PHI for certain reasons, we will provide you with an opportunity to request that the denial be reviewed. A licensed health care professional chosen by us will perform such a review. This person will not be the same person who refused your request.
- Right to a summary or explanation of your PHI: You have the right to request only a summary of your PHI if you do not desire to obtain a copy of your entire record. You also have the option to request an explanation of the PHI to which you were provided access when you request your entire record.
- Right to Obtain an electronic copy of your medical records: You have the right to request an electronic copy of your medical record for yourself or to be sent to another individual or organization when your PHI is maintained in an electronic format. We will make every attempt to provide the records in the format you request; however, in the case that the information is not readily accessible or producible in the format you request, we will provide the record in a standard electronic format or a legible hard copy form. Please note that we provide access to our patient portals as one option for patients to electronically access their PHI. You may set up access to a patient portal through our organization’s websites. There is no fee for you to access information through the patient portal.
Right to Revoke or Cancel an Authorization
You can sign an Authorization to give us permission to share your PHI with others, such as with your employer or a life insurance company. You can revoke (cancel) that permission at any time by going to the HIM website and submitting the Revocation of Authorization for Release of Information form or request a copy of such form from your provider and submit it to the HIM Department. Once we have processed your revocation, we will no longer use or share your PHI under the revoked Authorization. We cannot, however, take back information we have already shared. Revocation of an authorization also does not affect our ability to share information in accordance with applicable law in manners described in this Notice that do not require your authorization.
Right to Request Changes to Your PHI
You can ask to change or add information to your designated record set that you think is wrong or incomplete for as long as the information is kept by Advocate Health. For example, you may remember telling the doctor that you fell riding your bike, but the record says you tripped over your dog. To request an amendment, go to the HIM website and submit the Health Information Amendment form, submit the request form electronically through the patient portal, or request a copy of such form from your provider and submit it to the HIM Department. Your provider has the right to decide whether to accept or deny your request in whole or in part. We will let you know the decision within 60 days, though we may let you know if we need another 30 days and why. We may deny your request if you ask us to amend PHI that is not part of the PHI maintained by us or was not created by us, unless the person or entity that created the information is no longer available to make the amendment; is not part of the information which you would be permitted to inspect and copy or is accurate and complete. Regardless of the decision, your amendment request will be noted in your record, as well as your disagreement letter if you choose to send one. We may also include a rebuttal to your disagreement letter in the record.
Request an Accounting of Disclosures
You have the right to ask for a list of the persons and entities with whom we’ve shared your PHI over the last 6 years, known as an “accounting of disclosures”. Note that, as provided by the HIPAA regulations, the list will not include certain disclosures, such as those made to those involved in treatment, payment, or for health care operations, or those authorized by you. To request an accounting of disclosures, go to the HIM website and submit the Request for Accounting form or request a copy of such form from your provider and submit it to the HIM Department. You must include the time frame for the request. You can get one accounting of disclosures at no charge every 12 months; after that, there may be a fee. In most cases, we will send the accounting of disclosures within 60 days. If we need an extra 30 days, we will let you know. If you are requesting an accounting of disclosures of Part 2 Records made pursuant to your written consent in the 3 years prior to the date of the request (or a shorter time period chosen by you), we will provide such accounting consistent with HIPAA requirements and Part 2. When regulations are effective requiring such accountings pursuant to HIPAA and Part 2, we will provide a patient with an accounting of disclosures of records for treatment, payment, and health care operations only where such disclosures are made through an electronic health record and during only the 3 years prior to the date on which the accounting is requested.
Request Restrictions on Sharing Your Information
You have the right to ask that we limit how we use or share your PHI for treatment, payment or health care operations. You can also ask us to limit sharing your PHI with others involved in your care, such as a family member or friend. To request a restriction, go to the HIM website and submit the Request for Restrictions on Use and Disclosure of Information form or request a copy of such form from your provider and submit it to the HIM Department. Note that we are not required to agree to your request, except as stated below. If we do agree to the restriction, it goes into effect when we notify you and even then, it may not be followed in some situations, such as emergencies or when required by law. If you restrict us from sharing your PHI with your health plan by paying for the visit in advance, we will not share your information (note this does not affect our ability to share your information for treatment). You must complete certain forms for a self-pay billing restriction at each location of care, which are available at registration.
Request That We Change How We Contact You
You can make reasonable requests to be contacted at different places or in different ways. For example, you may ask that we call you on your cell phone instead of your home number or that we send results to your office instead of your home. To request confidential communications, go to the HIM website and submit the Request for Confidential or Alternative Means of Communication form or request a copy of such form from your provider and submit it to the HIM Department. You are not required to tell us the reason for your request. We will accommodate reasonable requests, but your request must specify how or where you wish to be contacted.
Right to A Paper Copy of This Notice
You have the right to a paper copy of this Notice upon request. You may also obtain a copy of this Notice at any time from our websites or from the location where you obtained treatment.
Right to Be Notified of a Breach
You have the right to be notified if your unsecured PHI is acquired, used, or shared in a manner not permitted under law that results in more than a low risk of compromise to its security or privacy.
Right to appoint a personal representative
You have the right to appoint a personal representative, such as a medical power of attorney or if you have a legal guardian. Your personal representative may be authorized to exercise your rights and make choices for you about your PHI. We will confirm the person has this authority and can act for you before we take any action based on their request.
Other State and Federal Laws
Where state and federal laws require additional privacy protections or grant you additional rights, we will comply with such state and federal laws to the extent applicable. For example, if you receive treatment at one of our licensed behavioral health facilities, some state laws may allow you to restrict your PHI from being shared with providers outside of those facilities (certain exceptions apply). Ask your behavioral health facility for more information. Other types of information that may be subject to more stringent state or federal law requirements include, but are not necessarily limited to, behavioral health information, drug and alcohol treatment information, reproductive health information, and information related to HIV/AIDS or other communicable diseases.
Electronic Medical Information Sharing Through Application Programming Interfaces
You have the right to request or authorize that your electronic PHI in your designated record be transmitted to you or another person or organization through an application programming interface (API). APIs are computer coding mechanisms that permit two or more electronic computer applications or software programs to communicate with each other and share information. Advocate Health is required by law to comply with requests regarding API transmissions, subject to certain exceptions. You understand that PHI transmitted through an API at your request will no longer be under Advocate Health’s protection and control, will no longer be subject to the protections and rights outlined in this Notice, and may no longer be subject to the same laws, regulations, policies or procedures regarding its confidentiality, security, privacy, use, or disclosure. You understand and agree that you make any request to Advocate Health to transmit your PHI through an API at your own risk and you assume all liability for the consequences of such action taken by Advocate Health at your direction. Advocate Health cautions you to confirm any confidentiality, security, or privacy protections with respect to your transmitted PHI with the recipient of the PHI prior to submitting a request to Advocate Health to transmit your PHI through an API.
Notice of Redisclosure
PHI that is disclosed pursuant to this Notice may be subject to redisclosure by the recipient and no longer protected by HIPAA. Law applicable to the recipient may limit their ability to use and disclose the PHI received, such as if they are another covered entity subject to HIPAA or a program or entity subject to Part 2.
Changes to this Notice of Privacy Practices
We reserve the right to change and update this Notice at any time. The revised Notice will be effective for PHI we already have about you, as well as for any PHI we create or receive in the future. The effective date is listed on the first page of the Notice and we will post the current copy at each registration location and on our websites.
Complaints and Contacts
If you believe we impermissibly shared or used your PHI or that your rights were denied under HIPAA, you can file a complaint with Advocate Health by calling the Compliance Hotline at 1-888-847-6331. You can also email us at privacy@advocatehealth.org.
To file a complaint with the Secretary of the Department of Health and Human Services, go to the Office for Civil Rights (www.hhs.gov/ocr/hipaa/), call 202-619-0257 (toll free 877-696-6775), or mail to:
Secretary of the US – Department of Health and Human Services
200 Independence Ave S.W.
Washington, D.C. 20201
To file a complaint with the Secretary, you must 1) name the Advocate Health place or person that you believe violated your privacy rights and describe how that place or person violated your privacy rights; and 2) file the complaint within 180 days of when you knew or should have known that the violation occurred. Violation of Part 2 is a crime. You may report suspected violations of Part 2 to the Secretary of the United States Department of Health and Human Services in the same manner that you report HIPAA violations. You will not be punished for filing a complaint.
If you have any questions in reference to this Notice, you may contact Advocate Health Privacy at 1-888-847-6331 or email privacy@advocatehealth.org.