Privacy

US Department of Health and Human Services: Health Information Privacy

Employee Privacy Practices

Public Act No. 08-167
An Act Concerning the Confidentiality of Social Security Numbers

Enacted by the Senate and House of Representatives in General Assembly

Effective October 1, 2008

Any person in possession of personal information of another person shall safeguard the data, computer files
and documents containing the information from misuse by third parties, and shall destroy, erase or make
unreadable such data, computer files and documents prior to disposal.

Any person who collects Social Security numbers in the course of business shall create a privacy protection
policy that shall be published or publicly displayed. For purposes of this subsection, “publicly displayed”
includes, but is not limited to, posting on an Internet web page. Such policy shall: (1) Protect the confidentiality
of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to
Social Security numbers.

As used in this section, “personal information” means information capable of being associated with a particular
individual through one or more identifiers, including, but not limited to, a Social Security number, a driver’s
license number, a state identification card number, an account number, a credit or debit card number, a
passport number, an alien registration number or a health insurance identification number, and does not
include publicly available information that is lawfully made available to the general public from federal,
state or local government records or widely distributed media.

For persons who hold a license, registration or certificate issued by a state agency other than the Department
of Consumer Protection, this section shall be enforceable only by such other state agency pursuant to such
other state agency’s existing statutory and regulatory authority.

Any person or entity that violates the provisions of this section shall be subject to a civil penalty of five
hundred dollars for each violation, provided such civil penalty shall not exceed five hundred thousand
dollars for any single event. It shall not be a violation of this section if such violation was unintentional.

The provisions of this section shall not apply to any agency or political subdivision of the state.

HIPAA

Health Insurance Portability and Accountability Act

NOTICE OF PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

This Notice is effective as of April 14, 2003

I. APPLICABILITY

This is a joint notice by Cobalt Health Care and Rehabilitation Center and its ON-SITE OR VISITING
MEDICAL ASSOCIATES, referred to jointly below as “the Facility”, “we”, or “our”. “On-site or visiting medical
associates” includes [Facility’s] attending physicians, physiatrists, wound care consultants, and other consultant
physicians.

As part of their joint arrangement, Cobalt Health Care and its on-site or visiting medical associates may use
or share health information about you as necessary to carry out treatment, payment, or health care operations,
with one another and as described in the remainder of this notice.

If you have any questions about this notice, please contact Cobalt Health Care’s Privacy Officer or his or
her designee. These individuals can be reached through Cobalt Health Care’s Business Office, either in
person or by phone or mail at:

Cobalt Health Care and Rehabilitation Center

Attn: Privacy Officer

29 Middle Haddam Road, Cobalt, CT 06414

II. OUR COMMITMENT AND RESPONSIBILITY TO PROTECT YOUR PRIVACY

We respect the privacy and confidentiality of your health information. This Notice of Privacy Practices (“Notice”)
applies to uses and disclosures we may make of all your health information, whether created or received by us, as
outlined by the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Connecticut State Law may
further restrict some of the uses or disclosures described in this Notice. It is our responsibility and commitment to
apply the appropriate state or federal standard when safeguarding your privacy.

We are required by HIPAA to:

1. Maintain the privacy of your health information and to provide you with notice of our legal duties and privacy
practices.

2. Comply with the terms of our Notice currently in effect.

We reserve the right to change our privacy practices and to make the new provisions effective for all health
information we maintain, including both health information we already have and health information we create
or receive in the future. Should we make material changes to our privacy practices, we shall: (1) Notify you
accordingly; and (2) Provide you with a revised Notice by posting it in a clear and prominent location in the
Facility and by other means as appropriate or necessary.

III. YOUR HEALTH INFORMATION MAY BE USED OR DISCLOSED FOR THE FOLLOWING PURPOSES WITHOUT YOUR PRIOR AUTHORIZATION

We may use and disclose your health information for the following purposes without obtaining your written
or oral authorization, unless otherwise specified below, as permitted by Facility policy and/or law:

1. Treatment. We may use and disclose your health information to provide you with treatment and services
and to coordinate your continuing care. Your health information may be used by doctors and nurses, as well
as by lab technicians, dieticians, physical therapists or other persons involved in your care, both within and
outside of our Facility. For example, we may disclose certain information to our pharmacist to fill a prescription
ordered by your doctor, or to our suppliers for procuring supplies or other items necessary for your care.

2. Payment. We may use and disclose your health information so that we can bill and receive payment for the
treatment and services you receive. For billing and payment purposes, we may disclose your health information
to an insurance or managed care company, Medicare, Medicaid or another third-party payer. For example, we
may contact Medicare or your health plan to confirm your coverage or to request approval for a proposed
treatment or service.

3. Health Care Operations. We may use and disclose your health information as necessary for our internal
operations, such as for general administrative activities and to monitor the quality of care you receive with us.
For example, we may use your health information to evaluate and improve the quality of care you received, for
education and training purposes, and for planning for services.

4. Facility Directory. We may use and disclose certain limited information about you in our Directory while
you are a resident or patient of the Facility. This information may include your name, your location in the
Facility, your general condition and your religious affiliation. You will be provided the opportunity to agree
or object to (and prohibit) the use and disclosure of some or all of your information in the Facility Directory.

5. Persons Involved in Your Care or Payment for Your Care. We may disclose your health information, only
as appropriate and relevant, to persons involved in your care or the payment for your care. This includes family
members, other relatives, close personal friends or other persons you identify. When possible, you will be
provided the opportunity to agree or object to (and prohibit) such use and disclosure of your health information.

6. Notification. We may use or disclose your health information to notify your family, your “personal
representative”, or another person responsible for your care, of your physical location or of changes in the
status of your health. When possible, you will be provided the opportunity to agree or object to (and prohibit)
such use or disclosure, unless it is required in a disaster relief or similar emergency.

7. As Required By Law. We may disclose your health information when required by law to do so. Such
requirements include reporting incidents of abuse and complying with court orders and law enforcement activities.

8. Public Health Activities. We may disclose your health information for public health activities, such as
authorized interventions to avoid the spread of a communicable disease.

9. Reporting Abuse, Neglect or Domestic Violence. If we believe that you have been a victim of abuse,
neglect or domestic violence, we may disclose your health information to notify a government authority,
if authorized by law or if you agree to the report.

10. Health Oversight Activities. We may disclose your health information to state or federal health oversight
agencies for activities authorized by law. For example, these activities may include audits, investigations,
inspections and licensure actions.

11. Judicial and Administrative Proceedings. We may disclose your health information in response to a
court or administrative order. We also may disclose information in response to a subpoena, discovery request,
or other lawful process.

12. Law Enforcement. We may disclose your health information for certain law enforcement purposes, such as:
Submitting reports or providing information required by law; Reporting suspicion or evidence of criminal
conduct (occurring on the premises or in response to an emergency); At the request of a law enforcement
official for locating or identifying an individual. Under certain circumstances, you may object to (and
prohibit) the use or disclosure of your health information for law enforcement purposes.

13. Decedent-Related Purposes. We may release your health information for decedent-related purposes,
including to a coroner, medical examiner, funeral director and, if you are an organ donor, to an organization
involved in the donation of organs and tissue.

14. Research and Contributing to Generalizable Knowledge. Your health information may be used or disclosed
for research purposes or to contribute to generalizable knowledge, but only if: (1) The privacy aspects of the
research have been reviewed and approved by a special Privacy Board or Institutional Review Board and the
Board can and does legally waive requirements for your authorization; (2) The researcher represents that he
or she is only reviewing the information in preparation for a research proposal; (3) The research is occurring
after your death; or (4) You give written authorization for the use or disclosure.

15. Averting a Serious Threat to Health or Safety. When necessary to prevent a serious threat to your health
or safety, or the health or safety of the public or another person, we may use or disclose your health information
to individuals able to minimize or prevent the threatened harm (e.g., law enforcement officials).

16. Specialized Government Functions. We may use or disclose your health information for specialized
government functions, as deemed necessary by appropriate command authorities or federal officials. Such
functions include: (1) Military and Veterans Affairs; (2) National Security and Intelligence Activities; (3)
Protective Services for the President and Others; (4) Correctional Institution or Other Law Enforcement
Custodial Situations.

17. Workers’ Compensation. We may use or disclose your health information to comply with laws relating
to workers’ compensation or similar programs.

18. Business Associates. We may disclose your health information to our business associates under a valid
“Business Associate Agreement”, which stipulates the appropriate exchange and subsequent use of your
health information.

19. Marketing Activities. We may use your health information in an effort to market the facility and/or
its services to you – either in a face-to-face meeting with you or by providing you with a promotional gift.

20. Fundraising Activities. We may use a subset of your health information to contact you in an effort to
raise funds for the Facility, including: (1) Demographic information, such as your name, address, and phone
number; and (2) The dates of the health care services you received. This information may also be disclosed
to business associates assisting in the fundraising initiative.

21. Personal Representatives. If you have an authorized “Personal Representative”, such as a conservator
of person or a health care power of attorney, this individual shall be treated the same as you with respect
to your health information. This includes grants of full access to your health information, as well as
decision-making authority on its use and disclosure. “Personal Representative” status may be denied,
however, if we determine such denial is in your best interest.

22. Limited Data Sets. We may use or disclose a subset of your health information in a “limited data set”,
for the purpose of research, public health, or health care operations. Such use or disclosure will exclude
certain “direct identifiers”, such as your name or medical record number, and will be carried out in
accordance with statutory regulations.

23. Incident to a Permitted or Required Use or Disclosure. We may use or disclose your health information
in a manner or for a purpose that is “incidental” to a use or disclosure otherwise permitted or required by
applicable privacy statutes. For example, we may post your name outside of your room or require that you
wear an identification bracelet that includes your name, the name of your doctor, and your room number.
We will limit all such uses or disclosures to the minimum information necessary to achieve the intended
purpose. We will also apply reasonable and appropriate safeguards to avoid unintended, unnecessary,
and non-permitted uses or disclosures of your protected health information.

24. Treatment Alternatives and Health-Related Benefits and Services. We may use or disclose your health
information to inform you about treatment alternatives and health-related benefits and services that may be
of interest to you.

IV. YOUR WRITTEN AUTHORIZATION IS REQUIRED FOR ALL USES OR DISCLOSURES OF YOUR HEALTH INFORMATION NOT OTHERWISE DESCRIBED IN SECTION III ABOVE

1. We will obtain your written authorization (an “Authorization”) prior to making any use or disclosure not
otherwise described in Section III above.

2. You may revoke a written Authorization previously given by you at any time but you must do so in writing.
If you revoke your Authorization, we will no longer use or disclose your health information for the purposes
specified in that Authorization except where we have already taken actions in reliance on your original
Authorization.

V. YOUR RIGHTS REGARDING YOUR HEALTH INFORMATION

You have the following rights regarding your health information:

1. Right to Request Restrictions. You have the right to request that we restrict the way we use or disclose
your health information for treatment, payment or health care operations, to persons involved in your care
or payment for your care, and for notification purposes. However, we are not required to agree to such
restriction. We will honor all restrictions that we agree to, except in the event of an emergency, in which
case we will only disclose the restricted information to the extent necessary for your treatment.

2. Right to Request Confidential Communications. You have the right to request that we communicate with
you concerning your health matters in an alternative manner or at an alternative location. For example, you
can request that we contact you only at a certain phone number. We will accommodate your reasonable requests.

3. Right of Access to Personal Health Information. You have the right to inspect and, upon written request,
obtain a copy of your health information. You may be charged a cost-based fee for copies of your health
information, not to exceed 65 cents per page, plus any applicable postage, plus a reasonable fee for x-ray
films. You may also request, and be charged a cost-based fee for, a summary or explanation of this information.
If you cannot afford these fees, we may request that you provide us evidence (e.g., an affidavit) attesting to that
fact. Your request for access may be denied under certain legal circumstances. Depending on the reason for
the denial, you may request review by a third party.

4. Right to Request Amendment. You have the right to request that we amend your health information.
Your request must be made in writing and must state the reason for the requested amendment.
We will respond to your request in a timely manner, and as prescribed by law. We may deny your
request for certain reasons permitted by law.

If we deny your request, you have the right to: (1) File a statement with us disagreeing with the denial, or
alternatively, request that we provide your request and the subsequent denial with any future disclosures of
the health information in question; and (2) File a complaint either with us or with the Department of Health
and Human Services.

5. Right to an Accounting of Disclosures. You have the right to request an “accounting” of certain disclosures
of your health information. This is a listing of disclosures made by us or by others on our behalf, but does not
include disclosures for treatment, payment and health care operations or certain other exceptions. For each
disclosure/group of disclosures the accounting shall include the date(s) of the disclosure(s); the name of the
person or entity that received the information and, if known, their address; a brief description of the information
disclosed; and a brief explanation of the reason(s) for the disclosure(s).

You must submit your request for accounting in writing, including the time period for which you would like
the accounting. We will respond to your request in a timely manner, and as prescribed by law. The first
accounting provided within a given 12-month period will be free; we may charge a cost-based fee for
additional accountings provided during that period, not to exceed 65 cents per page, plus any applicable postage.

6. Right to Obtain a Paper Copy of this Notice. You have the right to obtain a paper copy of the Facility’s Notice
of Privacy Practices upon request. A copy of this notice is provided upon admission.

VI. COMPLAINTS

If you believe that your privacy rights have been violated, you may file a complaint with Cobalt
Health Care’s Privacy Officer or his or her designee. These individuals can be reached through Cobalt
Health Care’s Business Office, at the address and phone number listed at the beginning of this Notice.
You may also file a complaint with the Secretary of Health and Human Services at the following address:
U.S. Department of Health and Human Services – Office of Civil Rights, 200 Independence Avenue, S.W.,
Room 509 F, HHH Building, Washington D.C. 20201.
We will not retaliate against you in any way for filing a complaint against this Facility.