Privacy Policy


Effective Date: 7/18/13


Central Community Hospital (“Hospital”) is required by the Health Insurance Portability and Accountability Act of 1996, and the Health Information Technology for Economic and Clinical Health Act (found in Title XIII of the American Recovery and Reinvestment Act of 2009)(collectively referred to as “HIPAA”), as amended from time to time, to maintain the privacy of individually identifiable patient health information (this information is “protected health information” and is referred to herein as “PHI”). We are also required to provide patients with a Notice of Privacy Practices regarding PHI. We will only use or disclose your PHI as permitted or required by applicable state law. This Notice applies to your PHI in our possession including the medical records generated by us.

Hospital understands that your health information is highly personal, and we are committed to safeguarding your privacy. Please read this Notice of Privacy Practices thoroughly. It describes how we will use and disclose your PHI.

This Notice applies to the delivery of health care by Hospital and its medical staff in the main hospital, outpatient departments and clinics. This Notice also applies to the utilization review and quality assessment activities of Hospital.

I. Permitted Use or Disclosure

A. Treatment: Hospital will use and disclose your PHI to provide, coordinate, or manage your health care and related services to carry out treatment functions. The following are examples of how Hospital will use and/or disclose your PHI:
¨ To your attending physician, consulting physician(s), and other health care providers who have a legitimate need for such information in your care and continued treatment.
¨ To coordinate your treatment (e.g., appointment scheduling) with us and other health care providers such as name, address, employment, insurance carrier, etc.
¨ To contact you as a reminder that you have an appointment for treatment or medical care at our facilities.
¨ To provide you with information about treatment alternatives or other health-related benefits or services.
¨ If you are an inmate of a correctional institution or under the custody of a law enforcement officer, the Hospital will disclose your PHI to the correctional institution or law enforcement official.

B. Payment: Hospital will use and disclose PHI about you for payment purposes. The following are examples of how Hospital will use and/or disclose your PHI:
¨ To an insurance company, third party payer, third party administrator, health plan or other health care provider (or their duly authorized representatives) for payment purposes such as determining coverage, eligibility, pre-approval / authorization for treatment, billing, claims management, reimbursement audits, etc.
¨ To collection agencies and other subcontractors engaged in obtaining payment for care.

C. Health Care Operations: Hospital will use and disclose your PHI for health care operations purposes. The following are examples of how Hospital will use and/or disclose your PHI:
¨ For case management, quality assurance, utilization, accounting, auditing, population based activities relating to improving health or reducing health care costs, education, accreditation, licensing and credentialing activities of Hospital.
¨ To consultants, accountants, auditors, attorneys, transcription companies, information technology providers, etc.

D. Other Uses and Disclosures: As part of treatment, payment and health care operations, Hospital may also use your PHI for the following purposes:
¨ Fundraising Activities: Hospital will use and may also disclose some of your PHI to a related foundation for certain fundraising activities. For example, Hospital may disclose your demographic information, your treatment dates of service, treating physician information, department of service and outcomes information to the foundation who may ask you for a monetary donation. Any fundraising communication sent to you will let you know how you can exercise your right to opt-out of receiving similar communications in the future.
¨ Medical Research: Hospital will use and disclose your PHI without your authorization to medical researchers who request it for approved medical research projects. Researchers are required to safeguard all PHI they receive.
¨ Information and Health Promotion Activities: Hospital will use and disclose some of your PHI for certain health promotion activities. For example, your name and address will be used to send you general newsletter or specific information based on your own health concerns.

E. More Stringent State and Federal Laws: The State law of Iowa is more stringent than HIPAA in several areas. Certain federal laws also are more stringent than HIPAA. Hospital will continue to abide by these more stringent state and federal laws.

i. More Stringent Federal Laws: The federal laws include applicable internet privacy laws, such as the Children’s Online Privacy Protection Act and the federal laws and regulations governing the confidentiality of health information regarding substance abuse treatment.

ii. More Stringent State Laws: The State of Iowa is more stringent when the individual is entitled to greater access to records than under HIPAA. State law also is more restrictive when the records are more protected from disclosure by state law than under HIPAA. In cases where Hospital provides treatment to a patient who resides in a neighboring state, Hospital will abide by the more stringent applicable state law. Refer below for more stringent state law protections in states in which Hospital conducts business:

F. Health Information Exchange: (HIE) Hospital may elect to share your health records electronically with Iowa Health Exchange Network (IHEN) for the purpose of improving the overall quality of health care services provided to you (e.g., avoiding unnecessary duplicate testing). If shared with Iowa Health Exchange Network the electronic health records would include sensitive diagnosis such as HIV/AIDS, sexually transmitted diseases, genetic information, and mental health substance abuse, etc. The HIE would function as our business associate and, in acting on our behalf, the HIE would transmit, maintain and store your PHI for treatment purposes. The HIE has a duty to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality and integrity of your medical information.

You have the right to “opt-out” and prevent your health information from being sent to IHIN by completing and submitting an “Opt-Out” form** to IHIN. Please contact IHIN by calling (866) 924-4636 or via web-site at
The Opt Out form has been developed by the IHIN

A. Family/Friends: Hospital will disclose PHI about you to a friend or family member who is involved in or paying for your medical care. You have a right to request that your PHI not be shared with some or all of your family or friends. In addition, Hospital will disclose PHI about you to an agency assisting in disaster relief efforts so that your family can be notified about your condition, status, and location.

B. Hospital – Facility Directory: Hospital will include certain information about you in facility directory while you are a hospital patient at Hospital. This information will include your name, location in Hospital, your general condition (e.g., fair, stable, critical, etc.) and your religious affiliation. The directory information, except your religious affiliation, will be disclosed to people who ask for you by name. You have the right to request that your name not be included in Hospital’s directory. If you request to opt-out of the facility directory, we cannot inform visitors of your presence, location, or general condition.

C. Spiritual Care: Directory information, including your religious affiliation, will be given to a member of the clergy, even if they do not ask for you by name. Spiritual care providers are members of the health care team at Hospital and may be consulted upon regarding your care. You have the right to request that your name not be given to any member of the clergy.

D. Media Reports: Hospital will release facility directory information to the media (excluding religious affiliation) if the media requests information about you using your name and after we have given you an opportunity to agree or object.

A. Marketing: Subject to certain limited exceptions, your written authorization is required in cases where Hospital receives any direct or indirect financial remuneration in exchange for making the communication to you which encourages you to purchase a product or service or for a disclosure to a third party who wants to market their products or services to you.

B. Research: Hospital will obtain your written authorization to use or disclose your PHI for research purposes when required by HIPAA.

C. Psychotherapy Notes: Most uses and disclosures of psychotherapy notes require your written authorization.

D. Sale of PHI: Subject to certain limited exceptions, disclosures that constitute a sale of PHI requires your written authorization.

E. Other Uses and Disclosures: Any other uses or disclosures of PHI that are not described in this Notice of Privacy Practices require your written authorization. Written authorizations will let you know why we are using your PHI. You have the right to revoke an authorization at any time.

A. Law Enforcement Purposes: Hospital will disclose your PHI for law enforcement purposes as required by law, such as identifying a criminal suspect or a missing person, or providing information about a crime victim or criminal conduct.

B. Required by Law: Hospital will disclose PHI about you when required by federal, state or local law. Examples include disclosures in response to a court order / subpoena, mandatory state reporting (e.g., gun shot wounds, victims of child abuse or neglect), or information necessary to comply with other laws such as workers’ compensation or similar laws. Hospital will report drug diversion and information related to fraudulent prescription activity to law enforcement and regulatory agencies.

C. Public Health Oversight or Safety: The Hospital will use and disclose PHI to avert a serious threat to health and safety of a person or the public. Examples include disclosures of PHI to state investigators regarding quality of care or to public health agencies regarding immunizations, communicable diseases, etc. Hospital will use and disclose PHI for activities related to the quality, safety or effectiveness of FDA regulated products or activities, including collecting and reporting adverse events, tracking and facilitating in product recalls, etc.

D. Coroners, Medical Examiners, Funeral Directors: Hospital will disclose your PHI to a coroner or medical examiner. For example, this will be necessary to identify a deceased person or to determine a cause of death. Hospital may also disclose your medical information to funeral directors as necessary to carry out their duties.

E. Organ Procurement: Hospital will disclose PHI to an organ procurement organization or entity for organ, eye or tissue donation purposes.