This Notice of Privacy Practices (Notice) describes your rights with respect to the use and disclosure of your medical information, how we may use and disclose your medical information, and our obligations regarding the use and disclosure of your medical information. This Notice is required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Joslin Diabetes Center (Joslin) may record, transmit, or maintain - on paper, orally or electronically - personal information about you, your medical history or treatment as part of providing you with healthcare services or in connection with your participation in a Joslin health fair or screening.
We are legally required to protect the privacy of information that identifies you or could be used to identify you as it relates to your past, present or future physical or mental health condition(s) or the provision of past, present, or future healthcare services (including payment for those services). This information is called “protected health information” or PHI for short.
We are legally required to follow the privacy practices that are described in this Notice. We reserve the right to change our privacy policies and the terms of this Notice at any time. Before any important policy change goes into effect, we will change this Notice.
We will post a copy of this Notice in all our registration areas for public viewing and on our website at www.joslin.org. You may also request a copy of this Notice at any time in the clinic registration areas or by contacting Joslin’s Compliance Office at (617) 309-1971 or compliance [at] joslin.harvard.edu.
YOUR RIGHTS REGARDING YOUR PHI
Although your medical information is the property of Joslin, you have certain rights regarding your PHI, including the right to:
- Inspect and Copy. With certain limited exceptions, you have the right to inspect or receive a copy of your medical information or both. We may charge a reasonable, cost-based fee for these services. All requests must be submitted in writing to the address below. Your request should be specific and must be signed by you or an authorized representative. We may deny your request in certain limited circumstances. If you are denied access to your medical information, you will be given the reason(s) and we will tell you what your rights are.
- Request an Amendment. If you feel that medical information we have about you is incorrect or incomplete, you may ask us to amend such information. We may deny your request if you ask us to amend information that (a) was not created by Joslin; (b) is not part of the medical information kept by or for Joslin; (c) is not medical information you are permitted to inspect or copy; or (d) is accurate and complete in the record.
- Request an Accounting of Disclosures. You may request a list of the disclosures we have made of PHI that were for purposes other than treatment, payment, healthcare operations and certain other purposes, or disclosures made with your written authorization within the last six (6) years. You may be charged a fee in connection with this request.
- Restrict or Limit Use or Disclosure. You may ask us to restrict or limit the use or disclosure of your PHI, including the disclosure of information to a family member or friend (or other individuals) who is involved in your care or the payment for your care. Your request must state: (1) what information you want to limit; (2) whether you want to limit Joslin’s use, disclosure or both; and (3) to whom the limits apply, for example, disclosures to your spouse. We are not required to agree to your request, unless it relates to an item or service you paid for in full and out of pocket. In this case, you may request that we not share health information pertaining only to that product or service with your health plan for the purposes of carrying out payment or healthcare operations. We will comply with such requests unless the information is needed to provide you emergency treatment, or except as required by law.
- Confidential Communications. Generally, we will use the address, telephone number and, in some cases, the email address you provide to contact you. You may ask us to communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we contact you only at work. We will accommodate all reasonable requests. Your request must specify how or where you wish to be contacted.
- Notification in the Event of a Breach. Consistent with federal and state laws, we will notify you in the event your unsecured PHI is used or disclosed by an unauthorized individual, or is lost or stolen.
USE AND DISCLOSURE OF YOUR PHI BY JOSLIN
To carry out its responsibilities as a healthcare provider, Joslin may use or disclose your PHI without your authorization for the following reasons:
- Treatment. Joslin may disclose PHI to physicians, nurses, technicians, hospitals, medical students or other personnel who treat you at Joslin or other locations.
- Payment. We may use or disclose PHI to bill or collect payment for the treatment and services you receive at Joslin or other healthcare providers. We may also use or disclose PHI to establish your eligibility for insurance benefits.
- Healthcare Operations. We may use or disclose PHI to carry out “healthcare operations” at Joslin, including activities related to improving quality of care, staff training, medical education, and business management.
- Appointment Reminders, Information about Healthcare Related Benefits and Treatment Alternatives. We may use or disclose PHI to contact you as a reminder that you have an appointment for a treatment or medical care at Joslin or to inform you of treatment alternatives or other healthcare services or benefits that we offer.
- Fundraising Activities. We may contact you regarding our fundraising activities. Revenue from philanthropic sources plays a key role in the successful operation of Joslin. The money raised will support our research efforts in preventing and finding a cure for diabetes, and in the meantime will allow us to provide the best patient care possible. If you do not wish to be contacted for our fundraising efforts, please notify us in writing at the address or email address provided below. You may opt out of receiving communications regarding our fundraising activities at any time.
- Research. Joslin specializes in the research and treatment of diabetes. All research studies conducted at Joslin must be approved through a special review process to protect patient safety, welfare and confidentiality. Your medical information may be important to further research efforts and the development of new knowledge. Subject to the confidentiality provisions of state and federal law, we may use or disclose your PHI for qualified research purposes. On occasion, researchers may contact Joslin patients about participating in research studies. Enrollment in those studies can occur only after you have been informed about the study, had an opportunity to ask questions and indicated your willingness to participate by signing a consent form.
- As Required By Law. We will use or disclose PHI when required to do so by federal or state law, including in response to a court or administrative order, subpoena, discovery request, warrant, summons or other lawful process. Joslin may also disclose PHI to law enforcement personnel or similar persons to avoid a serious threat to the health or safety of a person or the public.
Joslin also may use or disclose your PHI without your authorization under the following circumstances:
- emergency situations when your authorization cannot be reasonably obtained, including for disaster relief purposes;
- to business associates (outside vendors or consultants that perform services on behalf of Joslin and are contractually required to appropriately safeguard your information);
- to other healthcare facilities where Joslin physicians and healthcare professionals have privileges or to physicians from other healthcare facilities who see patients at Joslin;
- with your agreement, to a family member, relative, close personal friend, or any other person you identify;
- to facilitate organ or tissue donation if you are an organ donor;
- in connection with workers’ compensation claims;
- to report abuse, neglect, or domestic violence as required by state or federal law;
- for public health and health oversight activities, such as preventing or controlling disease or investigations; or
- to coroners, medical examiners, or funeral directors as necessary to carry out their duties.
Certain actions — such as most uses or disclosures of psychotherapy notes, the use or disclosure of PHI for marketing purposes, or the sale of PHI — may be made only with your written permission (authorization). In addition, Massachusetts provides special privacy protections for particularly sensitive conditions or illnesses such as HIV/AIDS, mental health, and substance abuse. Joslin will disclose such information only in a manner that is consistent with these laws.
Uses or disclosures of PHI not addressed in this Notice will be made only with your written permission.
You may revoke your permission to use or disclose PHI at any time by writing to the Compliance Office at the address or email address below. Once you revoke your permission, we will stop using or disclosing such information for the reasons covered by your written authorization. However, we cannot take back any disclosures made with your permission. We will retain our records of the care provided to you as required by law.
If you believe your privacy rights have been violated, you may file a complaint by writing to the address below or by calling the Joslin Diabetes Center Compliance Helpline at (617) 309-1971. You may also file a complaint in writing with the Secretary of the U.S. Department of Health and Human Services in Washington, D.C. or through the regional office at J.F.K. Federal Building – Room 1874, Boston, MA 02203. The complaint must be filed within 180 days of the alleged violation. There will be no retaliation for filing a complaint.
If you have questions, would like to submit a written request, or need further assistance regarding this policy, please contact Joslin’s Compliance Office at:
Joslin Diabetes Center
One Joslin Place
Boston, Massachusetts 02215
Phone: (617) 309-1971
Email: compliance [at] joslin.harvard.edu
This Notice of Privacy Practices is effective January 1, 2020.