Tower Health Notice of Privacy Practices

Tower Health (“Tower”, “we” or “us”) understands that information about you and your health is personal. We are providing you with this Notice of Privacy Practices (this “Notice”) as part of providing you with quality care and complying with legal requirements. This Notice applies to all of the records of your care generated by Tower entities. This Notice is provided to you at the time we begin treating you. You may also receive this Notice in your capacity as the representative or guardian of another, incapacitated individual.

This Notice will describe the ways in which we may use and disclose information about your healthcare, and your rights and certain obligations we have regarding the use and disclosure of that information.

Who will follow this Notice?

The terms of this Notice apply to the following entities owned and operated by, and/or affiliated with, Tower, participating in an organized healthcare arrangement: Phoenixville Hospital, Pottstown Hospital, Reading Hospital (including Reading Hospital Rehabilitation at Wyomissing), Tower Health at Home, Tower Health Urgent Care, TowerDirect, St. Christopher’s Hospital for Children, and related covered entities, Tower Health Medical Group and their respective outpatient departments and facilities; and the physicians, licensed professionals, employees, contractors, volunteers, and trainees seeing and treating patients at each of these care settings. These entities may share protected health information (“Protected Health Information” or “PHI”), as defined under the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act of 2009, and any implementing regulations promulgated thereunder from time to time by HHS including but not limited to the Breach Notification Rule, the Privacy Rule, and the Security Rule, set forth at 45 C.F.R. Parts 160, 162 and 164 (collectively “HIPAA”), with each other as necessary to carry out treatment, payment, or healthcare operations relating to the organized healthcare arrangement unless otherwise limited by law, rule, or regulation. 

This Notice does not apply when visiting an office practice that is not affiliated with Tower. 

Legal Requirements

We are required under HIPAA to:

• make sure that PHI remains private;
• provide you with this Notice;
• notify you if there is a breach of unsecured patient records; and
• follow the terms of the Notice as currently in effect.

If any other law provides greater limits on the use and/or disclosure of PHI than HIPAA, we will abide by those laws.

In addition, we want you to be aware that certain PHI receives greater protection under federal, state, or local law. Examples include:

• psychotherapy notes written and kept by a therapist, except for purposes related to treatment, payment, healthcare operations, or as allowed or required by law;
• mental health records documented by a mental health provider;
• records related to the identity, diagnosis, prognosis, or treatment of any individual in a federally assisted substance use disorder (“SUD”) program; and
• HIV/AIDS testing, diagnosis, or treatment information.

The privacy regulations at 42 C.F.R. Part 2 (“Part 2”) are applicable to SUD program records. If you receive SUD treatment as a patient of our Part 2 program, the more stringent requirements of Part 2 apply to the records created and maintained by such Part 2 program. There is a separate section of this Notice that discusses specific rules relating to SUD records.

The following categories describe different ways that we use and disclose PHI. For each use or disclosure, we explain what we mean and may give examples. Not every use or disclosure in a category is listed. However, all the ways we are permitted to use and disclose PHI will fall within one of the categories.

For Treatment

We may use your PHI to provide you with medical treatment or services. We may disclose your PHI to doctors, nurses, technologists, therapists, medical students, or other Tower-affiliated personnel involved your care. For example, a doctor treating you for a broken leg may need to know if you have diabetes because diabetes may slow the healing process. In addition, the doctor may need to tell the dietician so that we can arrange appropriate meals.

Different departments of Tower may share your PHI to coordinate the different services you need, such as prescriptions, lab tests, and x-rays. We may also disclose your PHI to people outside Tower who may be involved in your medical care after you leave a Tower-affiliated hospital, such as family members, clergy, or others we use to provide services that are part of your care.

For Payment

We may use and disclose your PHI so that the treatment and services you receive may be billed to you and payment may be collected from you, an insurance company, or another party.

For example, we may need to give your health plan information about surgery you received at a Tower-affiliated hospital so your health plan will pay us or reimburse you for the surgery.

We may also tell your health plan about the treatment you are going to receive to obtain prior approval or to determine whether your plan will cover the treatment.

For Healthcare Operations

We may use and disclose your PHI for healthcare operations. These uses and disclosures are necessary to run Tower entities and make sure that all our patients receive quality care.

For example, we may use PHI to review our treatment and services and to evaluate the performance of our staff in caring for you:

• We may also combine several patients’ PHI to decide what additional services Tower should offer, what services are not needed, and whether certain new treatments are effective.
• We may also disclose PHI to doctors, nurses, technologists, therapists, medical students, and other Tower personnel for review and learning purposes.
• We may also combine PHI we have with PHI from other hospitals to compare how we are doing and how we can make improvements in our care and services. We may remove information that identifies you from this set of PHI, so others may use it to study healthcare and healthcare delivery without learning who the specific patients are.

For Health Information Exchanges

Tower entities participate with health information exchanges (HIEs), which make it possible for Tower to share your PHI electronically through a securely connected network. Tower may share or disclose your PHI to secure HIEs, including HIEs contracted with the Commonwealth of Pennsylvania, and HIEs in other states.

Other healthcare providers, including physicians, hospitals, and other healthcare facilities connected to the same HIE network as Tower can access your PHI for treatment, payment, and other authorized purposes, to the extent permitted by law.

You have the right to “opt out” of, or decline to participate in, Tower sharing your health information through HIEs. At the time of registration, you will be given the option to opt out by signing a form.

Appointment Reminders

We may use and disclose your PHI to remind you of appointments for treatment or medical care at a Tower-affiliated hospital or practice.

Treatment Alternatives

We may use and disclose PHI to tell you about or recommend treatment options or alternatives that may be of interest to you.

Health-Related Benefits and Services

We may use and disclose PHI to tell you about health-related benefits or services that may be of interest to you.

Fundraising Activities

We may use your PHI to contact you about fundraising activities for Tower and affiliated entities. You have the right to opt out of receiving fundraising communications by notifying the Privacy Officer in writing at the address included on the last page of this Notice or via email at optout@towerhealth.org.

Marketing Activities

We may use your PHI for marketing activities without your written authorization if the communications are:

• face-to-face or consist of a promotional gift of nominal value provided by a Tower entity;
• about a drug or biological or refill reminders for medication that you are currently taking/being prescribed;
• general health promotions, such as community events and health screenings;
• communications about case management and helping you find a physician, rather than the promotion of a specific product or service;
• communications about government and government-sponsored programs.

Written authorization is required prior to using or disclosing your PHI for marketing activities that are supported by payments from third parties.

Hospital Directory

Unless you tell us that you object, we may include certain limited information about you in the hospital directory while you are a patient at a Tower-affiliated hospital. This directory of information assists family, friends, and clergy who would like to visit you in the hospital and generally know how you are doing. This information in the directory may include your name, location in the hospital, general condition (e.g., good, fair, poor, critical), and religious affiliation. It may be released to clergy or other people who ask for you by name.

Individuals Involved in Your Care or Payment for Your Care

We may release your PHI to a friend or family member who is involved in your care. We may also tell your family or friends about your condition and that you are in the hospital. Additionally, we may disclose your PHI to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status and location.

Research

Under certain circumstances, we may use and disclose your PHI for research purposes.

For example, a research project may involve comparing the health and recovery of all patients who received one medication to those who received another for the same condition. All research projects; however, are subject to a special approval process. This process evaluates a proposed research project and its use of health information, trying to balance the research needs with patients’ needs for the privacy of their PHI. Before we use or disclose PHI for research, the project will have been approved through this research approval process.

We may, however, disclose your PHI to people preparing to conduct a research project to help them look for patients with specific medical needs, so long as the health information they review does not leave Tower.

We will almost always ask for your specific permission if the researcher will have access to your name, address, or other information that reveals who you are or who will be involved in your care at Tower.

As Required by Law

We will disclose your PHI when required to do so by federal, state or local law.

To Avert a Serious Threat to Health or Safety

We may use and disclose your PHI when necessary to prevent a serious threat to your health and safety, or to the health and safety of the public or another person. Any disclosure, however, would only be to someone who is able to help prevent the threat.

Business Associates

We contract with certain outside persons or organizations to perform certain services on our behalf, such as auditing, accreditation, legal services, etc. At times it may be necessary for us to provide your PHI to one or more of these outside persons or organizations. In such cases, we require these business associates, and any of their subcontractors, to enter into written agreements to require the business associate to appropriately safeguard the privacy of PHI.

Organ and Tissue Donation

If you are an organ donor, we may release your PHI to organizations that handle organ procurement or organ, eye, or tissue transplantation, or to an organ donation bank in order to facilitate organ or tissue donation and transplantation.

Military and Veterans

If you are a member of the armed forces, we may release your PHI as required by military command authorities. We may also release health information about foreign military personnel to the appropriate foreign military authority.

Workers’ Compensation

We may release your PHI for workers’ compensation or similar programs. These programs provide benefits for work-related injuries or illnesses.

Public Health Risks

We may disclose your PHI for public health activities only if you agree, or when required or authorized by law. These activities generally include:

• preventing or controlling disease, injury, or disability;
• reporting births and deaths;
• reporting child abuse or neglect;
• reporting reactions to medications or problems with products;
• notifying you of recalls of products you may be using;
• notifying you if you may have been exposed to a disease, or may be at risk for contracting or spreading a disease or condition; or
• notifying the appropriate government authority if we believe you are the victim of abuse, neglect, or domestic violence.

Health Oversight Activities

We may disclose your PHI to a health oversight agency for activities authorized by law. These oversight activities include audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the healthcare system, government programs, and compliance with civil rights laws.

Lawsuits and Disputes

If you are involved in a lawsuit or a dispute, we may disclose your PHI in response to a court or administrative order. We may also disclose your PHI in response to a subpoena, discovery request, or other lawful processes by someone else involved in the dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the PHI requested. Similarly, we may release PHI in connection with pre-sentencing conditional releases if your treatment with us was assigned by a judge under a pre sentence conditional release program in connection with the court’s duty to monitor your progress.

Law Enforcement

We may release your PHI if asked to do so by a law enforcement official:

• in response to a court order, subpoena, warrant, summons, or similar process;
• to identify or locate a suspect, fugitive, material witness, or missing person;
• regarding the victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement;
• concerning a death we believe may be the result of criminal conduct;
• in connection with criminal conduct that occurs on Tower property; or
• in emergency circumstances to report a crime, the location or victims of the crime, or the identity, description, or location of the person who committed the crime.

Coroners, Medical Examiners, and Funeral Directors

We may release PHI to a coroner or medical examiner. This may be necessary to identify a deceased person or determine the cause of death. We may also release PHI to funeral directors as necessary to carry out their duties.

National Security and Intelligence Activities

We may release your PHI to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.

Protective Services for the President and Others

We may disclose your PHI to authorized federal officials so they may provide protection to the President, other authorized persons, or foreign heads of state, or in order to conduct special investigations.

Inmates

If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release your PHI to the correctional institution or law enforcement official. This release would be necessary for the institution to provide you with healthcare and to protect your health and safety or the health and safety of others.

Minors

We may disclose the PHI of minor children to their parents or guardians unless such disclosure is otherwise prohibited by law. In certain cases, minors must consent in writing to the disclosure of PHI. In those situations, PHI will not be released without prior written consent.

Your Rights Regarding Health Information About You

You have the following rights regarding your PHI.

1. Right to Inspect and Copy

You have the right to inspect and copy PHI that may be used to make decisions about your care. Usually, this includes medical and billing records but does not include psychotherapy notes.

To inspect and copy PHI that may be used to make decisions about you, you must submit your request in writing to the Health Information Management Department at Tower at the address included on the last page of this Notice. If you request a copy of PHI, we may charge a fee for the costs of copying, mailing, or other supplies associated with your request.

We may deny your request to inspect and copy in certain very limited circumstances. If you are denied access to PHI, you may request that the denial be reviewed. Another licensed healthcare professional chosen by Tower will review your request and the denial. The person conducting the review will not be the person who denied your request. We will comply with the outcome of the review.

Limited portions of your PHI are available electronically through a Tower service called MyTowerHealth. Visit https://www.mytowerhealth.org/mytowerhealth for more information.

2. Right to Request Amendment

If you feel that PHI we maintain is incorrect or incomplete, you may ask us to amend the PHI. You have the right to request an amendment for as long as the information is kept by or for Tower. To request an amendment, your request must be made in writing and submitted to the Director of Health Information Management at Tower at the address included on the last page of this Notice. In addition, you must provide a reason that supports your request. We have the right to deny your request for an amendment if it is not in writing or does not include a reason to support the request.

Additionally, we may deny your request if you ask us to amend PHI that:

• was not created by us, unless the person or entity that created the PHI is no longer available to make the amendment; or
• is not part of the PHI which you would be permitted to inspect and copy, or is accurate and complete.

3. Right to an Accounting of Disclosures

You have the right to request an “accounting of disclosures.” This is a list of the disclosures we make of your PHI. To request this list or accounting of disclosures, you must submit your request in writing to the Privacy Officer at the affiliated hospital. Your request must state a time period which may not be longer than six years and may not include dates before April 14, 2003. Your request should indicate in what form you want the list on paper or electronic copy.

The first list you request within a 12-month period will be free. For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred.

4. Right to Breach Notification

We are required to notify you in writing of any breach of your unsecured PHI without unreasonable delay, but in any event, no later than 60 days after we discover the breach.

5. Right to Request Restrictions

You have the right to request a restriction or limitation on your PHI we use or disclose for treatment, payment, or healthcare operations.

You also have the right to request a limit on your PHI we share with someone who is involved in your care or the payment for your care, such as a family member or friend. For example, you could ask that we not disclose information to your spouse or not use or disclose information about a surgery that you had. We are not required to agree to your request unless you are requesting a restriction for services you have paid for in full out-of-pocket.

To request restrictions, you must make your request in writing to the Director of Health Information Management at Tower at the address included on the last page of this Notice.

In your request, you must tell us:

• what PHI you want to limit;
• whether you want to limit our use, disclosure, or both; and
• to whom you want the limits to apply.

6. Out-of-Pocket Payments

If you paid out-of-pocket (in other words, you requested that we not bill your health plan) in full for a specific item or service, you have the right to ask that your PHI with respect to that item or service not be disclosed to a health plan for purposes of payment or healthcare operations. The two following criteria must be met for us to honor that request (unless we are otherwise prohibited from doing so):

• the purpose of the disclosure is for payment or healthcare operations and is not otherwise required by law; and
• pertains solely to healthcare items or services for which you or another person other than the health plan paid the health plan in full.

7. Right to Request Confidential Communications

You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask us to contact you only at work or only by mail.

To request confidential communications, you must make your request in writing to the applicable Privacy Officer. Your request must specify how or where you wish to be contacted. We will not ask you for the reason for your request and will accommodate all reasonable requests.

8. Right to a Paper Copy of This Notice

You have the right to a paper or electronic copy of this Notice. Even if you agreed to receive this Notice electronically, you are still entitled to a paper copy of this Notice. You may obtain a copy of this Notice at our website: www.towerhealth.org. To obtain a paper copy of this Notice, contact the appropriate Privacy Officer at the address included on the last page of this Notice.

Changes to This Notice

We reserve the right to change this Notice and make the revised or changed Notice effective for PHI we already have as well as any PHI we receive in the future.

We will make easily available a copy of the current Notice. The Notice will contain the effective date on the top of the first page.

Additionally, each time you register at or are admitted to a Tower-affiliated hospital for treatment or healthcare services as an outpatient or inpatient, we will offer you a copy of the current Notice in effect.

Complaints

You may file a complaint with us or with the Secretary of the United States Department of Health and Human Services if you believe your privacy rights have been violated.

To file a complaint with us, contact the Privacy Officer at the address listed in the “Addresses” section that follows. All complaints must be made in writing and should be submitted within 180 days of when you knew or should have known of the suspected violation. There will be no retaliation against you for filing a complaint.

To file a complaint with the Secretary of the United States Department of Health and Human Services, please mail it to: Secretary of the U.S. Department of Health and Human Services, 200 Independence Ave, S.W., Washington, D.C. For additional information, you may call 202-619-0257 (toll-free 877-696-6775) or visit the Office for Civil Rights website: www.hhs.gov/ocr/hipaa.

If you are a patient being treated for SUD, your treatment is covered by Part 2 and you may also file a complaint with the Substance Abuse and Mental Health Services Administration (“SAMHSA”). You may mail the complaint to: Substance Abuse and Mental Health Services Administration, 5600 Fishers Lane, Rockville, MD 20857. You may call SAMHSA toll free at (877) 726-4727 or visit the SAMHSA website (https://www.samhsa.gov/) for additional information.

Other Uses of Health Information

Other uses and disclosures of PHI not covered by this Notice or the laws that apply to us will be made only with your written permission. In the following circumstances, we will always require authorization from you:

• uses and disclosures of psychotherapy notes;
• any marketing communication that is paid for by a third party about a product or service to encourage you to purchase or use the product or service.
• except for limited transactions permitted by HIPAA, a sale of PHI for which we directly or indirectly receive remuneration or payment; or
• other uses or disclosures of PHI that are not described in this Notice.

If you provide us with permission to use or disclose your PHI, you may revoke that permission, in writing, at any time. You may revoke your written consent by presenting your request in writing to Director of Health Information Management, PO Box 16052, Reading PA 19612. If you revoke your permission, we will no longer use or disclose health information about you for the reasons covered by your written authorization. We are unable to take back any disclosures we have already made with your permission and that we are required to retain in our records of the care that we provided to you.

For requests involving your records, such as amendments, copies, accounting of disclosures, please contact the Tower Director of Health Information Management at the address included on the last page of this Notice.

To request confidential communications, copies of this Notice, or to file a complaint, please contact the appropriate Privacy Officer at the address included on the last page of this Notice.

Specific Rules Concerning Substance Use Disorder (SUD) Medical Information

Use of SUD Medical Information that Does Not Require Prior Written Consent

Certain uses and disclosures of SUD information can occur without your written consent. This section details situations in which SUD information can be shared without your written consent.

• If you are in SUD treatment, Part 2 applies and we may disclose PHI to medical personnel to meet a bona fide medical emergency when your consent cannot be obtained. We are also authorized to disclose SUD information governed by Part 2 to the Food and Drug Administration (“FDA”) if the FDA believes that an individual’s health may be threatened by an error in the manufacture, labeling, or sale of a product under FDA jurisdiction. For example, if you are taking a medication that the FDA believes could be harmful, we can provide SUD information to the FDA.
• SUD information may be used within Tower when needed for a purpose that arises out of diagnosis, treatment or referral of patients with SUD.
• Tower can use SUD information to provide services on behalf of the SUD program including sharing SUD information with individuals and organizations that assist us with the business activities of the SUD program, as described earlier in this Notice. Tower has agreements with these individuals and organizations that provide that the SUD information we share with them is protected by law, including Part 2, and only used and shared to provide services on our behalf.
• Tower may use or share your SUD information to defend itself in a legal action or other proceeding you may bring against Tower.
• Tower may use SUD information in communicating with law enforcement agents or officials directly related to your commission of a crime or threat to commit a crime on the premises of a Tower SUD program or against Tower SUD program personnel.
• We may acknowledge that you are a patient of Tower if otherwise permitted by Tower policy. However, you may not be identified as receiving services from a SUD program, or as having or having had SUD, unless you authorized the sharing in writing consistent with this Notice or the sharing is otherwise permitted by applicable law.
• Tower may use your medical information for treatment, payment, and healthcare operations when Tower acted in reliance on the consent before it was revoked. For example, Tower relies on being able to use and share medical information:
  • to provide appropriate treatment (SUD services and other clinical treatment), to receive payment for the services and treatment Tower provides, and to carry out healthcare operations;
  • if it is not practical or feasible for Tower to stop sharing information because of technological limitations (such as health information exchange data sharing limitations); and/or
  • if your information was shared before the revocation was received and processed by Tower.
• Tower SUD information can generally be used and shared for research in the same way as your other medical information. However, Part 2 contains additional protections that apply to SUD information when used or shared for research.
• SUD information or testimony relaying SUD information generally cannot be used or shared in any civil, administrative, criminal or legislative proceedings against you without your specific written consent or a court order. Tower may use or share your SUD information if a Court has issued an order permitting the use or sharing of your SUD information after you (or Tower, if applicable) have been given notice and an opportunity to be heard, as required by Part 2, and another legal document such as a subpoena requires Tower to share the information. These rules also apply to records protected by Part 2 received by any program at Tower, from a non-Tower provider.
• Tower may use and share SUD program medical information without your consent when permitted or required under federal, state, and local law if the sharing is limited to the relevant requirements of such law, and not otherwise prohibited. Examples include:
  • reporting suspected child abuse or neglect in accordance with state law;
  • sharing to prevent harm to you or third party;
  • audits and evaluations mandated by statute or regulation;
  • management audits, financial audits and program evaluations performed on behalf of a federal, state or local governmental agency that provides financial assistance to a SUD program (this includes activities by a federal, state, or local governmental agency, or a third-party payer or health plan to improve care and outcomes for patients with SUD treated by Part 2 programs, ensure effective use of resources, and review payment policies to enhance care or coverage for patients with SUD); and/or
  • vital statistics regarding cause of death under laws requiring the collection of death or other vital statistics or permitting inquiry into the cause of death.

Use and Sharing of SUD Medical Information that Requires Consent

Generally, other than the purposes described in this Notice, Tower cannot share SUD information without your written consent. If you provide written consent to Tower to share your SUD information, you can revoke, or take back, your written consent at any time. You may revoke your written consent by presenting your request in writing to Director of health Information Management, PO Box 16052, Reading PA 19612.

Some uses and sharing of SUD information for treatment, payment, and operations purposes described elsewhere in this Notice require your written consent. You will be asked to sign one form authorizing future uses or sharing of your medical information by Tower for treatment, payment, and healthcare operations purposes which does not expire. It is valid unless you revoke it in writing.

Special Rules About Fundraising

A Tower SUD program may only use or share your information to fundraise if you are first provided with a clear and conspicuous opportunity to elect not to receive the fundraising communications. You can opt out of fundraising communications at any time by contacting the Privacy Officer in writing at the address included on the last page of this Notice or via email at optout@towerhealth.org. If you do not opt out, Tower can use limited information to contact you about its general fundraising activities.

Special Rules About Accountings

In addition to the rights to an accounting described in this Notice, under Party 2, you have the right to request an account of disclosures made through our electronic medical record for treatment, payment, and healthcare operations for up to three (3) years prior to the date you ask.

Further Sharing

After Tower shares SUD information with other providers or individuals or entities that help Tower with its business activities as allowed under Part 2 and described in this Notice, the people or entities who receive SUD information may share it again with others in accordance with Part 2 unless other laws further limit the use and sharing by the recipient.  For example, the recipient’s authority to use or share SUD information in civil, criminal, administrative or legislative proceedings against you will remain limited.

Director of Health Information Management
Tower Health
Attn: Director of Health Information Management
PO Box 16052, Reading, PA 19612

Addresses