University Health Services Notice of Privacy Practices

Effective September 2022

Please Review Carefully

The University of Oregon is committed to upholding all legal and professional obligations to protect the confidentiality of your health records. This notice applies to the University Health Services (UHS), and describes how medical information about you may be used and/or disclosed and how you can get access to this information.

Note: The UO is a hybrid entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This means that some of UO’s departments are required to comply with HIPAA and some are not. University Health Services is required to comply with the applicable provisions of HIPAA, the Family Education Rights and Privacy Act (FERPA), and UO policy. While other departments may not be required to comply with HIPAA, the confidentiality protections afforded by FERPA still apply to education records maintained by those departments. (For more information regarding UO student’s protections and rights under FERPA, visit registrar.uoregon.edu/records-privacy.)  

Your Rights

You have certain rights regarding your medical information as listed below. In each of these cases, if you want to exercise your rights, you must do so in writing to the University of Oregon officials/office listed below. Specifically, you have the right to: 

• Get a copy of your paper or electronic health record. We will provide a copy or a summary of your health record, within less than 30 days of your request.  We may charge a reasonable, cost-based fee.
• Right to request us to correct your health information that you think is incorrect or incomplete. We will respond to you within 60 days of receiving a written request. If we deny or partially deny your request, we will provide you with a written explanation.
• Request confidential communication. You can ask us to contact you in a specific way, for example, home or office phone, or to send mail to a different address. This request should be in writing. We will accommodate reasonable requests.
• Ask us to limit the information we share. You can request a restriction on the use or sharing of your health information; we are not required to agree to your request, and we may say “no” if it would interfere with your care or a law requires us to share that information.
• Get a list of those with whom we’ve shared your information. You can ask for a list (accounting) of the times we’ve shared your health record for six years prior to the date you ask. This accounting will include disclosures to public health, law enforcement, and research.
• Request a copy of this privacy notice at any time.
• Have authorized person(s) act on your behalf. An authorized person may include your parent, if you are under the age of 18 and not enrolled at an institution of postsecondary education; or a legal guardian if you are not mentally or physically capable of making decisions about your health care and have officially designated someone to act as your legal guardian for that purpose. We will make sure that this person has the requisite legal authority and can act for you before we take any action.
• To file a complaint if you believe your privacy rights have been violated. You can file a complaint if you feel that we have violated your rights by contacting the University Health Services Privacy; or you may file a complaint with the U.S. Department of Health and Human Services. Additionally, UO students may file a complaint with the U.S. Department of Education. Contact information is listed below. We will not retaliate against you for filing a complaint.

Your Choices

In the following situations, we will use and share your health information only with your permission which you may revoke at any time in writing: 

• Share information with your family, close friends or others involved in your care.
• Contact you for marketing or fundraising purposes; we will never sell your information.
• Conduct health research involving identifiable information.
• Respond to organ and tissue donation requests.
• Address workers’ compensation claims.
• Share your health information to bill and get payment from health plans or other entities.

Our Responsibilities

• We are required by law to maintain the privacy and security of your education records and health information.
• We will let you know promptly if a breach of security occurs that compromises the privacy or security of your information.
• We must follow the duties and privacy practices described in this notice and provide you a copy of it.
• We will not use or share your information other than as described here unless you tell us we can in writing. If you tell us we can, you may change your mind at any time. Let us know in writing if you change your mind.

Uses and Disclosures That Do Not Require Consent Include:

• For treatment. We can share your health record with other professionals who are treating you.
• For health care operations. We may use your information when there is a legitimate need to know in the course of carrying out one’s duties, while maintaining the minimum necessary standards, for example Quality Assurance Reviews. 
• For health and safety emergencies. We can disclose your information for public health purposes or to respond to health emergencies for example preventing disease, helping with product recalls, reporting adverse reactions to medications, reporting suspected abuse, neglect, or domestic violence, and preventing or reducing a serious threat to anyone’s health or safety.
• For medical examiner or funeral director services. We can disclose your information to a coroner or medical examiner for the purpose of determining cause of death or identity or other duties authorized by law, and to funeral directors as necessary to carry out their duties.
• For regulatory compliance. We will share information about you if state or federal laws require it, including with the Department of Health and Human Services if it wants to see that we are complying with federal privacy law.
• For responding to lawsuits or legal actions. We can share health information about you in response to a court or administrative order, or in response to a subpoena. It is important to note that if legal action is anticipated or if the University is served with a subpoena, you may have additional protections as described in the Confidentiality of Client/Patient Health Care and Survivors’ Services Information policy (a hardcopy of this policy is available upon request and/or you may visit the university website for this policy: policies.uoregon.edu/III.05.02).

Acknowledgment and Consent

In order to receive medical and/or mental health care at University Health Services, you will be asked to acknowledge and consent to the University of Oregon releasing your health information as necessary to the following persons in the following circumstance:

1. To public health authorities that are legally authorized to receive reports for the purpose of preventing or controlling public health emergencies, disease, injury or disability. (“Public health authorities” include agencies or authorities of the United States Government, a State, a Territory, a political subdivision of a State or Territory, as well as a person acting under a grant of authority from, or under a contract with a public health authority.)
2. To persons, including university employees (for example the university registrar, residence life, and dean of students staff), classmates, close contacts, or, in rare circumstances, other members of the public who are at risk of contracting or spreading a disease or condition, as necessary to carry out public health interventions or investigations
3. To health care practitioners and their staff for the purpose of providing you treatment or care.
4. To HIPAA covered entities and their staff participating in the electronic medical exchange network.
5. To insurance Companies that are obligated to pay for health care services and pharmaceutical drugs provided to you. 
6. To other third parties that process payment for health care services and pharmaceutical drugs provided to you.
7. As otherwise required or permitted by state or federal law.

During your check in process, you will be provided a copy of this Notice of Privacy Practices and asked to provide your acknowledgement and consent. This consent will remain in place until revoked by you in writing.

Additional protection for certain types of information. There are extra legal protections for health information about sexually transmitted diseases, drug and alcohol abuse treatment records, mental health records, and HIV/AIDS information. When required by law, we will not share this type of information without your written permission. In certain circumstances, a minor (under 18 years of age) patient’s health information may receive additional protections. 

For more information, visit hhs.gov/ocr/privacy/hipaa/understanding/consumers/noticepp.html

Changes to the Terms of this Notice

We can change the terms of this notice, and the changes will apply to all information we have about you. The new notice will be available upon request, in our office, and on our website: health.uoregon.edu/forms.

Questions or Concerns

If you have questions regarding your privacy, or wish to file a complaint, please contact the designated Privacy Officer:

Debra McLaughlin, MPA, CHC
Compliance Officer
University of Oregon Health Center
1232 University of Oregon
Eugene OR 97403
Phone: 541-346-4452
Fax: 541-346-8215

Or the UO Registrar:
Julia Pomerenk
Assistant Vice President for Enrollment Management
Office of the Registrar
5257 University of Oregon
Eugene OR 97403
Phone: 541-346-3124
Fax: 541-346-6682

You can also, file a complaint with:
U.S. Department of Health and Human Services 
Office for Civil Rights
200 Independence Ave SW
Washington DC 20201
1-877-696-6775 or www.hhs.gov/ocr/privacy/hipaa/complaints

—or—

U.S. Department of Education
Student Privacy Policy Office
400 Maryland Ave SW
Washington DC 20202-8520
https://studentprivacy.ed.gov/file-a-complaint

You may also use our anonymous hotline to make a report at uoregon.ethicspoint.com.