Notice of Privacy Practices

• Notice of Privacy Practices (English)
• AVISO DE PRÁCTICAS DE PRIVACIDAD (Spanish)
• إشعار ممارسا ت الخصوصي ة (Arabic)
• 개인정보보호 관행 고지 (Korean)
• POWIADOMIENIE O PRAKTYKACH W ZAKRESIE OCHRONY PRYWATNOŚCI (Polish)
• УВЕДОМЛЕНИЕ О ПОРЯДКЕ ИСПОЛЬЗОВАНИЯ КОНФИДЕНЦИАЛЬНОЙ ИНФОРМАЦИИ (Russian)
• THÔNG BÁO VỀ CÁC BIỆN PHÁP THỰC HÀNH BẢO VỆ QUYỀN RIÊNG TƯ (Vietnamese)

THIS NOTICE OF PRIVACY PRACTICES, “NOTICE”, DESCRIBES HOW YOUR MEDICAL RECORD INFORMATION MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

PLEASE REVIEW IT CAREFULLY.

NorthShore - Edward-Elmhurst Health and all of its Subsidiaries, Affiliates and Participants, (“NS-EEH” or “we” or “us” or “our”), are required by law to maintain the privacy of your Medical Record Information, which encompasses your Protected Health Information or “PHI” (“Medical Record Information”), and to provide you notice of our legal responsibilities and privacy practices to protect this information.

We use this Notice to comply with applicable federal laws, privacy rights and protections for patients whose rights are described below. We reserve the right to change this Notice for any reason, as required by Law or not prohibited by Law. The changes will apply to all Medical Record Information and any other information we have about you. 

YOUR RIGHTS:

Get a paper or electronic copy of your medical record information:

• You or your legal representative may request a paper or electronic copy of your Medical Record Information we maintain about you.
• If you have access to a NS-EEH Patient Portal (e.g., MyChart, NorthShore Connect, MyEEHealth, etc.), you can review and print a limited portion of your Medical Record Information yourself.
• Please see Exhibit A for details on how you or your legal representative can obtain a paper or electronic copy of your Medical Record Information.
• We may charge you a reasonable cost-based fee set by the State of Illinois annually for copies of your Medical Record Information.
• We may provide a summary or a copy of your Medical Record Information in the format you request. We will respond to your request within 30 days from the date we receive it.
• We will notify you in writing if: (1) we need an additional 30 days to fulfil your request, (2) we are unable to provide your Medical Record Information in the format you requested, or (3) we must deny your request and will provide a reason.

Ask us to correct or amend your record:

• You may ask us to correct your Medical Record Information that you think is incorrect or incomplete.
• The request must be made in writing.
• We may deny your request and will send you a letter with the reason within 60 days from the date we receive your written request.

You may ask us, in writing, to contact you in a specific way, call you at another phone number or send mail to a specified address. You do not need to give us a reason. We will try to honor all reasonable requests. If we are unable to contact you using the locations, telephone numbers or ways you have requested, we may contact you using any information we have.  Our communication practices include the following:

• NS-EEH and/or a contracted third-party vendor may contact you by phone and in writing or, with your consent, by text or email with information related to your care, such as reminding you of an appointment, giving you instructions about your test or procedure, and/or reminding you about preventive health services, screenings, testing, etc.
• We may communicate with you in-person, in writing, by telephone, secure email, unsecure email upon patient request after being informed of the risks and the patient being willing to accept those risks, via our Patient Portals, or leave automated or pre-recorded messages on your voice mail.

Ask us to limit what we use or share:

You may ask us not to use or share some of your Medical Record Information with other providers treating you, with your health or other insurance company for payment reasons, or for healthcare operations purposes such as being contacted to participate in a research study or clinical trial and fundraising or for other reasons not prohibited by law. This request has to be made in writing or through your Patient Portal account. We are not required to agree to your request.

If you pay the entire cost of a health care service, treatment or other item out-of-pocket, you may ask us not to share that information with your insurance company for the purposes of payment. We will say “yes” unless a law requires us to share your information.

We participate in electronic medical record programs called Epic CareEverywhere®, Epic CareEquality, EpicCare®Link, and other data sharing programs not listed here. These data sharing programs allow providers outside of and across NS-EEH to see your Medical Record Information for treatment purposes. You may request not to participate in Epic CareEverywhere®, Epic CareEquality, EpicCare®Link, and/or other similar data sharing programs. This request is required to be made in writing to the applicable address listed in Exhibit A or by using your Patient Portal account. 

Ask us with whom we have shared your medical record information:

We will provide you a list (accounting) of certain disclosures of your Medical Record Information not including disclosures about treatment, payment, healthcare operations, certain other disclosures required by law, and any disclosures you asked us to make (collectively as “Accounting of Disclosures”). You may ask us for an Accounting of Disclosures for up to six (6) years prior to the date you ask. The Accounting of Disclosures will include with whom we shared your Medical Record Information, and why. This request is required to be made in writing as described in Exhibit A. In most cases, we will send the Accounting of Disclosures within 60 days of receipt of your request. If we need an extra 30 days, we will let you know.

We will provide this list for free one time within a 12-month period from the date the request was received. You may request additional copies within the 12-month period, and we will charge you a reasonable, cost-based fee for each additional accounting requested.

Ask for a copy of this notice:

You can receive a copy of this notice electronically through email, the Patient Portal, or through our websites. You can ask for a paper copy of this notice at any time, in person or by mail, even if you have agreed to receive the notice electronically.

Choose someone to act for you:

If you have designated someone as your Personal Representative through a medical power of attorney or someone is your legal guardian, that person may be able to exercise certain rights and make medical decisions for you, and we will share your Medical Record Information with this person.

File a complaint if you believe your rights have been violated:

You may file a complaint if you feel that we have violated your rights by contacting:

• The designated Privacy Office for NS-EEH: in writing at NorthShore University HealthSystem, Corporate Compliance Department – Privacy Office, 1301 Central Street, Room 140, Evanston, IL 60201; by telephone at 847.570.5079; or by email at hipaa@northshore.org;
• You may file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by mail: U.S. Department of Health and Human Services Office for Civil Rights 200 Independence Avenue, SW, Washington, DC 20201; by telephone at 877.696.6775; or by email at www.hhs.gov/privacy/hipaa/complaints/.

We will not retaliate against you for filing a good faith complaint.

Communicate your choices:

You may have some choices about how we use your Medical Record Information. Also, you can tell us with whom you would like us to share your Medical Record Information or, in certain circumstances, you can tell us with whom you do not want your Medical Record Information shared.

You have the right to tell us how to:

• Share your Medical Record Information with your family, personal contacts or others involved in your care;
• Share your Medical Record Information in an emergency or disaster; and
• Include your Medical Record Information in our hospital directory.

For example, for hospital operations purposes, we many include your name, hospital location, your general condition, and/or identified religion in our hospital directory unless you ask us not to. We may disclose this information to members of our spiritual care team. You may tell us that you don’t want to be listed in the directory or what information you want shared. If you are unable to tell us this information, we may proceed and share this information if we believe it is in your best interest. We may also share this information when needed to lessen a serious and/or imminent threat of harm to you or others.

Unless we have your authorization or it is allowed by law, we will not:

• Use your Medical Record Information for marketing purposes;
• Sell your Medical Record Information;
• Disclose your Medical Record Information relating to treatment for behavioral health, alcohol or substance use disorder, and/or other sensitive diagnoses, including psychotherapy notes; and
• Disclose any of your Medical Record Information to state sponsored registries.

Unless you tell us not to, we may contact you for fundraising purposes to support us and our mission to provide healthcare. By applicable law, we may use the following information to contact you: name, address, telephone number, dates of service, age, gender, department of service, treating physician, outcome information, and health insurance status.

If you do not want to be contacted, follow the instructions in Exhibit A for making the request.

How we will use and share your information:

Unless otherwise prohibited by law, we may without notice or permission use and/or share your Medical Record Information within NS-EEH and with outside parties, for purposes relating to treatment, payment, and operations. The following is a non-exhaustive list of examples of how NS-EEH may share your Medical Record Information:

• For research purposes such as preparing for a research study or if our Institutional Review Board (“IRB”) approves an alteration to or waiver of authorization;
• For public health reasons such as preventing the spread of disease;
• For safety reasons such as helping with product recall notification or for reporting bad reactions to medications;
• For reporting suspected abuse, neglect, or exploitation, such as child, domestic and elder abuse;
• For quality improvement;
• For complying with applicable Illinois law and federal law (such as HIPAA) that includes reporting to state and federal regulatory agencies like the State of Illinois Department of Public Health and/or the Secretary of Health and Human Services;
• For organ donation;
• For working with a coroner, medical examiner, or funeral director;
• For responses to Workers’ Compensation, law enforcement or other governmental requests to the extent allowed by law;
• For responding to lawsuits and other legal actions;
• For sharing with third parties who provide medical, payment, and healthcare operational services and may require the use of your Medical Record Information and are subject to HIPAA and are required to protect the privacy and security of your Medical Record Information in the same manner as NS-EEH is required to;
• For sending your immunization records to the State of Illinois Immunization Registry, employers, or schools for public health reasons, and if applicable, proper consent is obtained;
• For sending to a parent or legal guardian if you are a minor, under the age of 18, unless not allowed by Illinois law or Federal Law;
• For the development of health care technology, such as machine learning and artificial intelligence, which may improve the quality, process and/or outcome of care.

In addition to other uses and disclosures not prohibited by law, we may use your Medical Record Information to create De-identified Health Information (“DHI”) that is not identifiable to any individual in accordance with HIPAA. We may also disclose your Medical Record Information to a business associate for the purpose of creating DHI. We may use, share, and/or disclose the DHI for any lawful purpose, including but not limited to commercial purposes, without your permission and may permit third parties to do the same.

Our responsibilities:

• We are required by applicable Illinois and federal law to maintain the privacy and security of your Medical Record Information.
• We will let you know if the privacy or security of your Medical Record Information has been breached.
• We must follow the duties and privacy practices described in this Notice and give you a written copy of it upon request.
• We will not use or share your Medical Record Information other than as described in this Notice unless you tell us we can in writing. You may change your mind at any time by letting us know in writing. Your decision to change your mind will not affect any use or sharing of your Medical Record Information prior to the date NS-EEH receives your written request.
• We will protect your genetic information consistent with applicable law.

This Document is written in English. If this Document is translated into any other language, the English version shall control.

This Notice of Privacy Practices applies to the NorthShore – Edward-Elmhurst Health Affiliated Covered Entity. It applies to all of their departments, units, employed health care professionals, students, and members of volunteer groups who are allowed to help you while you are staying in or being treated at an NS-EEH facility. All of these entities follow the terms of this Notice of Privacy Practices, and may share your information with each other for treatment, payment or health care operations. This list may be updated from time to time. For a current list of participating entities, contact the NS-EEH Privacy Office at NorthShore University HealthSystem, Corporate Compliance Department– Privacy Office, 1301 Central Street, Room 140, Evanston, IL 60201; by telephone at 847.570.5079; or by email at hipaa@northshore.org.

NorthShore – Edward-Elmhurst Health maintains its Designated Record Set by using an electronic health record (“EMR System”) shared with certain other local physician practices that participate in an accountable care organization (the “ACO”). Through the EMR System, Medical Record Information of patients of NorthShore – Edward-Elmhurst Health is combined with that of other providers that participate in the EMR System (each, a “Participating Covered Entity” and collectively, the “Participating Covered Entities”), such that each patient has a single, longitudinal health record with respect to health care services provided by the Participating Covered Entities. As such, the Participating Covered Entities have formed one or more organized systems of health care in which the Participating Covered Entities participate in joint utilization review and/or quality assurance activities, and as such qualify to participate in an Organized Health Care Arrangement (“OHCA”). With limited exceptions, as OHCA participants, all Participating Covered Entities and the ACOs may use and disclose the Medical Record Information contained within the EMR System for the Treatment, Payment and Health Care Operations purposes of each of the OHCA participants and/or the ACOs.

Updated December 5, 2022