Patient Privacy Information
At UMass Memorial Health, your privacy is a priority. We follow strict federal and state guidelines to maintain the confidentiality of your medical (protected health) information. We also follow state guidelines regarding how long we must store your medical records and the requirements for proper disposal.
Protected Health Information
Protected health information (PHI) is any information about your past, present or future health care, or payment for that care that could be used to identify you. Members of our workforce and our business associates may only access the minimum amount of protected health information that they need to complete their assigned tasks.
Use and Disclosure of PHI
When you visit a UMass Memorial Health facility, we use and disclose your protected health information to treat you, to obtain payment for services and to conduct normal business known as health care operations. We may also share information with a contracted business associate who must meet our privacy and security requirements. Examples of how we use and disclose your information include:
- Treatment – We document each visit and/or admission. Documentation may include your test results, diagnoses and medications, and your response to medications or other therapies. This allows your doctors, nurses and other clinical staff to provide the best care to meet your needs.
- Payment – We document the services and supplies you receive at each visit or admission so that you, your insurance company or another third party can pay us. We may tell your health plan about upcoming treatment or services that require its prior approval.
- Health Care Operations – Medical information is used to improve the services we provide, to train staff and students, and for business management, performance improvement and customer service.
We may also use information to:
- Recommend treatment alternatives
- Tell you about health benefits and services
- Communicate with other UMass Memorial Health OHCA members or business associates for treatment, payment or health care operations
- Communicate with family or friends involved in your care
- Include you on the hospital inpatient list for callers or visitors if you are admitted*
- Respond to media inquiries should they be made*
- Let clergy know if you are admitted*
- Contact you about support for the UMass Memorial Health Foundation (fundraising)*
Services followed by an asterisk (*) are optional. Tell the admitting clerk or fundraiser (if contacted) that you do not wish to participate.
There are limited times when we are permitted or required to disclose medical information without your signed permission. These situations include the following:
- For public health activities such as tracking diseases or medical devices
- To protect victims of abuse or neglect
- For federal and state health oversight activities such as fraud investigations
- For judicial or administrative proceedings
- If required by law or for law enforcement
- To coroners, medical examiners and funeral directors
- For organ donation
- To avert a serious threat to public health or safety
- For specialized government functions such as national security and intelligence
- To workers’ compensation if you are injured at work
- To a correctional institution if you are an inmate
- For research that is approved by our research review committee when written consent is not required by law. This may also include our internal preparation for research studies or telling you about research studies in which you might be interested. You are able to choose whether or not you want to hear more details about any research study.
Other uses and disclosures not described in this notice may be made with your signed authorization. Some of the times we may need your signed permission to use and disclose your information include sale of your information, marketing purposes, and most sharing of psychotherapy notes and other medical information identified under our state laws. You may cancel your authorization, in writing, at any time.
UMass Memorial Health is required by law to maintain the privacy and security of your medical information, provide this notice of our duties and privacy practices, and abide by the terms of the notice currently in effect. We reserve the right to change privacy practices and make the new practices effective for all the information we maintain. Revised notices will be posted in our facilities, available from your health care provider, and on our web site. We will notify you promptly if a breach occurs that may have compromised the privacy or security of your information.
You have the right to:
- Inspect and request either a paper or electronic copy of your medical records (fees will apply)*
- Request a correction to your medical information (reason required)*
- Request that we use a specific telephone number or address to communicate with you
- Request that we limit how we use or disclose your medical information (we are not required to agree to your request)
- Request that we limit certain disclosures of your medical information to your health plan if an item or service is paid in full out-of-pocket*
- Receive a list (an accounting) of how your medical information was disclosed (excludes disclosures for treatment, payment, health care operations and some required disclosures; fees may apply)*
- Obtain a paper copy of this notice even if you receive it electronically
- Register a complaint — see “To Contact Us” section of this notice
- Opt out of our hospital inpatient list or fundraising requests
*Request must be in writing
If you have questions about this notice, contact the privacy officer or visit www.ummhealth.org. If you would like to exercise your rights or if you feel your privacy rights have been violated, contact the privacy officer:
Community Healthlink 72 Jaques Avenue, Worcester, MA 01610 Tel: 508-860-1163
UMass Memorial Health - Clinton Hospital 201 Highland Street, Clinton, MA 01510 Tel: 978-368-3714 (Confidential Reporting Line)
UMass Memorial Health - HealthAlliance Hospital – Leominster Campus 60 Hospital Road, Leominster, MA 01453 Tel: 978-466-4333 (Privacy and Compliance Hotline)
UMass Memorial Health - Marlborough Hospital 157 Union Street, Marlborough, MA 01752 Tel: 508-486-5820 (Confidential Reporting Line)
UMass Memorial Medical Center Hahnemann Campus, 281 Lincoln Street, Worcester, MA 01605 Tel: 508-334-5551 (Privacy Line)
All complaints will be investigated and you will not suffer retaliation for filing a complaint. You may file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter or visiting www.hhs.gov/ocr/privacy/hipaa/complaints/
Members of Our Organized Health Care Arrangement (OHCA)
All UMass Memorial Health facilities and services including:
- Central New England HealthAlliance
- Clinton Hospital
- Marlborough Hospital
- UMass Memorial Medical Center
- UMass Memorial Medical Group
- UMass Memorial Accountable Care Organization, Inc.
- Community Healthlink
- Private, hospital-based physicians
- Other private physicians while working at our facilities
Each OHCA member is individually responsible for abiding by the privacy practices, and for resolving its own privacy complaints or violations.
If You are accessing, using or browsing this Site on behalf of an individual other than Yourself, which may be either a natural person or an entity other than Yourself:
- You represent, warrant and covenant that You are at least age 18;
- You represent, warrant and covenant that You are authorized to engage in the activities that You conduct within the Site on behalf of that person or entity other than Yourself, which by way of illustration but not limitation includes the submission and receipt of any and all Personal Information on behalf of that person or entity other than Yourself;
- You agree that We can rely on Your representation that You are authorized to engage in the activities that You conduct within the Site on behalf of that natural person or entity other than Yourself; and
What Personal Information does Healthgrades collect?
Healthgrades collects several types of Personal Information: personally identifying information that cannot be traced back to You; personally identifying information that can be traced back to You; and personally identifying information that can be traced back to You and that includes or is linked or associated with health-related information.
You can access and browse the Site at any time without providing Personal Information that can be traced back to You.
When You visit the Site, Healthgrades may also automatically collect with Cookies, and similar technology, Personal Information about Your use of the Site. This Personal Information cannot be traced back to You. Cookies are small pieces of information that are stored by Your web browser software on Your computer's hard drive or temporarily in Your computer's memory. Healthgrades also automatically collects the location of Your computer on the Internet, known as Your internet protocol address ("IP Address"), when You visit the Site.
What about the collection of Personal Information from children?
You must be 18 years of age or older to use the Site. If Healthgrades learns that it has received any Personal Information from anyone who is not at least age 18, We will delete that information from Healthgrades' database.
Why does Healthgrades need Your Personal Information?
What should You know about Cookies?
To learn more about Cookies, please visit http://allaboutcookies.org/. Although most web browsers are initially set up to accept Cookies, if You prefer, You may decline the placement of a Cookie on Your hard drive by using the appropriate feature(s) of Your web browser software (if available) to delete the Cookie. But You should understand that certain areas within this Site may not function properly if the web browser will not accept Cookies.
Does Healthgrades disclose Your Personal Information to third parties?
- With respect to obtaining certain products and/or services from this Site, Healthgrades may disclose to a third party Your Personal Information that We gather from You during an initial voluntary User registration process for the Site ("Registration Information"); as a result, You do not have to enter Your Registration Information more than once. Healthgrades may also disclose Your Registration Information to certain third parties in connection with various programs and tools created and administered by third parties that are included in the Site as an additional service to users. The use of Your Registration Information by these Third Party Programs is described below in the "What about information You enter into Third Party Programs included in the Site?" section.
- We may provide Your Registration Information to Our marketing partners with whom You have explicitly authorized Us to share this information, and whose offers You have elected to receive via electronic delivery, telemarketing and direct mail. Additionally, We may employ other third parties to perform services or functions on Our behalf in order to improve Our Site, merchandising, marketing and promotional efforts, communications or other services, or to facilitate e-commerce transactions, including processing orders placed by credit card. Those third parties may include authorized contractors, consultants and other companies working with Us (collectively, "Agents"). These Agents only have access to Your Personal Information as needed to perform their functions, and they may not use any of Your Personal Information for any other purpose than providing or improving Healthgrades' services and offerings.
- Healthgrades also reserves the right to share or transfer Your Registration Information or other Personal Information as We determine in Our sole discretion to be necessary or appropriate in the following circumstances: to comply with a legal requirement; to enforce Our terms and conditions; to protect Our operations or those of any affiliate of Healthgrades; to protect Our rights, privacy, safety or property, or that of any affiliate of Healthgrades, You or others; to disclose any activities or information about You to law enforcement or other government officials, including public or government authorities outside Your country of residence; in connection with an investigation of fraud, for the administration of justice, intellectual property infringements or other activity that is illegal or may expose Us or You to legal liability; in cooperation with various law enforcement inquiries; to allow Us to pursue available remedies or limit Our damages; and/or in emergency situations.
- Healthgrades discloses Personal Information to third parties or advertisers in aggregate form, that is, in a manner that cannot be traced back to You. For example, Healthgrades might tell an advertiser how many males between 20 and 30 years in age have visited the Site over a period of time.
How does Healthgrades use and disclose Your Protected Health Information?
Healthgrades' use and disclosure of Your Protected Health Information is governed by HIPAA.
When You use the Appointment Services to request an appointment with a selected Healthcare Provider, all Protected Health Information that You submit with the Appointment Materials or created from Your use of the Appointment Services is used and disclosed by Healthgrades as a Business Associate (as defined by HIPAA) according to the terms of a Business Associate Agreement between Us and that Healthcare Provider. This means that Healthgrades may only use and disclose Your Protected Health Information on behalf of, or to provide services to, the Healthcare Provider for the appointment scheduling services available through the Appointment Services according to the terms of the Business Associate Agreement. There are three exceptions to this use and disclosure rule. Healthgrades may use and disclose Your Protected Health Information (i) for its internal management and administration; (ii) to carry out its legal responsibilities; and (iii) to perform certain data aggregation services for the Healthcare Provider and other Healthcare Providers; provided that, any disclosures for Our internal management and administration or to carry out Our legal responsibilities are either required by law or made after Healthgrades obtains reasonable assurances from the person to whom the Protected Health Information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to that person.
Some of the appointment scheduling services available through the Appointment Services for a particular Healthcare Provider may be provided by subcontractors of Healthgrades. The Subcontractor must comply with the same terms and conditions for the Protected Health Information that apply to Healthgrades as a Business Associate of the Healthcare Provider.
What does Healthgrades do to keep Your Personal Information and Protected Health Information Secure?
On this Site and within Healthgrades, We seek to use appropriate administrative, technical and physical security measures to reasonably safeguard Your Personal Information and Protected Health Information under Our control from unauthorized use, release or access. For example, Healthgrades grants access to any stored Personal Information and Protected Health Information only to authorized personnel. Moreover, when You register on-line or access Your account information through this Site, Healthgrades offers You the ability to use a secure server. The secure server encrypts all information that You input before it is sent to Healthgrades.
Please be advised, however, that although Healthgrades has endeavored to create a secure and reliable Site for its users, the confidentiality and security of any communication or material transmitted to or from Healthgrades via this Site or e-mail cannot be guaranteed to be 100% secure at any time. When disclosing any Personal Information or Protected Health Information, You should remain mindful of the fact that it is potentially accessible to the public, and consequently, can be collected and used by others without Your consent. Accordingly, You should consider carefully if You want to submit sensitive information that You would not want disclosed to the public and should recognize that Your use of the Internet and this Site is solely at Your risk. You, alone, are ultimately responsible for maintaining the secrecy for all Your Personal Information including Your Protected Health Information. Healthgrades has no responsibility or liability to anyone for the security of Your Protected Health Information or any of Your Personal Information transmitted via the Internet. Healthgrades urges all of its users to be careful and responsible whenever they are on-line.
If You have any reason to believe that Your interaction with Healthgrades through this Site is no longer secure, please immediately notify Us of this problem as described in the "Further questions or comments?" section below.
What should You know about external web sites?
Can You opt-out of Healthgrades' use and disclosure of Your Personal Information?
- from receiving future marketing-related e-mails from Healthgrades by clicking on the "opt-out" link in any e-mail sent to You by Healthgrades.
Please note that if You opt-out as described above, Healthgrades will not be able to remove Your Personal Information from the databases of Our affiliates or unaffiliated third parties with whom We have already shared Your Personal Information as of the date of Your opt-out request. Please also note that if You do opt-out of receiving marketing-related messages from Us, Healthgrades may still send administrative messages to You. You cannot opt-out from receiving administrative messages from Healthgrades.
Do You have the ability to access, change or remove Your Personal Information?
At any time, You may contact Healthgrades via e-mail to request:
- A summary of any of Your Personal Information retained by Healthgrades;
- A change to Your Personal Information maintained by Healthgrades; or
- Removal of Your Personal Information from Healthgrades' database.
You should send Your request to email@example.com. In the event Healthgrades receives such a request, Healthgrades may require You to confirm or verify any change to Your Personal Information.
Can You opt-out of Healthgrades' use and disclosure of Your Protected Health Information or access, change or remove Your Protected Health Information?
When You use the Appointment Services, You may receive various administrative e-mails automatically sent by Healthgrades. These administrative messages do not contain marketing-related information. You cannot opt-out from receiving any administrative e-mail sent by Healthgrades.
Healthgrades treats as Protected Health Information all personally identifying information that You submit with the Appointment Materials to request an appointment with a selected Healthcare Provider and that Healthgrades or a Subcontractor creates from Your use of the Appointment Services. As described in the "How does Healthgrades use and disclose Your Protected Health Information?" section above, all Protected Health Information is used and disclosed by Healthgrades according to the terms of its Business Associate Agreement with Your selected Healthcare Provider. To comply with HIPAA, Your Healthcare Provider must provide You with rights in certain circumstances with respect to Your Protected Health Information, regardless of whether Your requested appointment is scheduled or Your scheduled appointment is fulfilled. Very generally described, these rights are a right to restrict the uses and disclosures of, a right of access to, a right to amend and a right to receive an accounting of the disclosures of Your Protected Health Information. These limited rights will be described in detail in the Healthcare Provider's notice of privacy practices. If You wish to restrict the uses and disclosures of Your Protected Health Information, amend, or receive an accounting of the disclosures of Your Protected Health Information, then, You must do so through Your Healthcare Provider. Upon termination of Our Business Associate Agreement with a particular Healthcare Provider, Healthgrades generally must return or destroy all Protected Health Information received on behalf of or created for that particular Healthcare Provider and then maintained in any form by Healthgrades or a Subcontractor.
If You have requested or scheduled an appointment with that Healthcare Provider, any Protected Health Information that You submitted with the Appointment Materials for appointment or otherwise maintained by Healthgrades or a Subcontractor in connection with that appointment will be returned to the Healthcare Provider or destroyed by Healthgrades. This means that until the Business Associate Agreement is terminated with that Healthcare Provider, Healthgrades or a Subcontractor can use and disclose Your Protected Health Information as described in the "How does Healthgrades use and disclose Your Protected Health Information?" section above following the termination of:
- any Appointment ID Number, which You received upon completion of the OAS scheduling process for the Healthcare Provider;
- Your account with the Healthcare Provider; the Healthgrades' Limited License and User Agreement; and/or
What about information You enter into Third Party Programs included in Healthgrades' Site?
Further questions or comments?
Date Last Updated: June 12, 2015