Notice of Privacy Practices

University of Oregon Notice of Privacy Practices

Effective September 2025

Please Review Carefully

The University of Oregon is committed to upholding all legal and professional obligations to protect the confidentiality of your health records. This notice describes how medical information about you may be used and disclosed and how you can get access to this information.

Who is Subject to this Notice

This notice applies to all of UO’s health care providers including University Health Services including mental health services, Student Health Insurance Program, Early Childhood CARES, HEDCO Clinic, and Athletics Medicine. These providers, as well as their employees, students/trainees, volunteers, and other consultants who are providing health services, must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Family Education Rights and Privacy Act (FERPA; if a student record), and UO policies, as applicable. While other departments may not be required to comply with HIPAA, the confidentiality protections afforded by FERPA still apply to education records maintained by those departments. For more information regarding UO students’ protections and rights under FERPA, visit: registrar.uoregon.edu/records-privacy; for more information on HIPAA’s privacy rule, visit: www.hhs.gov/hipaa/for-professionals/privacy/index.html.

Your Rights

You have certain rights regarding your medical information as listed below. In each of these cases, if you want to exercise your rights, you must do so in writing to the University of Oregon officials/office listed below. Specifically, you have the right to: 

• Get an electronic or paper copy of your health record. We will provide a copy or a summary of your health record, within less than 30 days of your request.  We may charge a reasonable, cost-based fee.
• Ask that we correct health information about you that you think is incorrect or incomplete. We will respond to you within 60 days of receiving a written request. If we deny or partially deny your request, we will provide you with a written explanation.
• Request confidential communication. You can ask us to contact you in a specific way, for example, home or office phone, or to send mail to a different address. This request should be in writing. We will accommodate reasonable requests.
• Ask us to limit the information we share. You can request a restriction on the use or sharing of your health information; we are not required to agree to your request, and we may say “no” if it would interfere with your care or a law requires us to share that information.
• Get a list of those with whom we’ve shared your information. You can ask for a list (accounting) of the times we’ve shared your health record for six years prior to the date you ask. This accounting will include disclosures to public health, law enforcement, and research.
• Request a copy of this privacy notice at any time.
• Have authorized person(s) act on your behalf. An authorized person may include your parent, if you are under the age of 18 and not enrolled at an institution of postsecondary education; or a legal guardian if you are not mentally or physically capable of making decisions about your health care and have officially designated someone to act as your legal guardian for that purpose. We will make sure that this person has the requisite legal authority and can act for you before we take any action.
• File a complaint if you believe your privacy rights have been violated. You can file a complaint if you feel that we have violated your rights by contacting the UO’s HIPAA Privacy Officer; or you may file a complaint with the U.S. Department of Health and Human Services or the U.S. Department of Education. Contact information is listed below. We will not retaliate against you for filing a complaint.

Our Uses and Disclosures

Your health information will only be shared for the following limited purposes, unless you specifically authorize further disclosure:

• For treatment. We can share your health information with other healthcare professionals who are involved in your care.
• For health care operations. We can use and share your health information for the purpose of improving our business operations. These uses may include quality review, training, client satisfaction, and cost control.
• For health and safety emergencies. We can disclose your information for public health purposes or to respond to health emergencies for example preventing disease, helping with product recalls, reporting adverse reactions to medications, reporting suspected abuse, neglect, or domestic violence, and preventing or reducing a serious threat to anyone’s health or safety.
• With business associates. In certain circumstances, we may disclose your health information to a business associate or UO employee performing services on behalf of the covered entity (e.g. transcription company or audit). We will have a written contract in place requiring the service provider to protect the privacy of the health information.
• For medical examiner or funeral director services. We can disclose your information to a coroner or medical examiner for the purpose of determining cause of death or identity or other duties authorized by law, and to funeral directors as necessary to carry out their duties.
• For regulatory compliance. We will share information about you if state or federal laws require it, including with the Department of Health and Human Services if it wants to see that we are complying with federal privacy law.
• For responding to lawsuits or legal actions. We can share health information about you in response to a court or administrative order, in response to a subpoena, or as otherwise required by state or federal law. It is important to note that if legal action is anticipated or if the University is served with a subpoena, you may have additional protections as described in the Confidentiality of Client/Patient Health Care and Survivors’ Services Information policy (a hardcopy of this policy is available upon request and/or you may visit the university website for this policy: policies.uoregon.edu/III.05.02).

Additional protection for certain types of information. There are extra legal protections for health information about sexually transmitted diseases, drug and alcohol abuse treatment records, mental health records, and HIV/AIDS information. When required by law, we will not share this type of information without your written permission. In certain circumstances, a minor (under 18 years of age) patient’s health information may receive additional protections.

Your Authorization

Other uses and disclosures of your health information, not covered by this Notice or permitted by law, will be made only with your written authorization. For example, you may authorize us to share your health information with family, close friends or others involved with your care, for research purposes involving identifiable information, to bill your health insurance for services provided, or with your employer including for worker’s compensation claims. You may revoke your authorization, in writing, at any time, although we are unable to take back any disclosures we already have made based on your authorization.

During your health services intake process, you will be provided a copy of this Notice of Privacy Practices and any other consent to treat and asked to provide your acknowledgement and consent. This consent will remain in place until revoked by you in writing. If you revoke your authorization, then we will no longer use or disclose your health information for the reasons covered by your authorization, except to the extent that we already have relied on your authorization.

Our Responsibilities

We are required by law to protect the privacy of your health information and to notify you of any breaches of your unsecured health information. We are also required by law to give you a copy of and follow the terms of the Notice, which sets forth our legal duties and privacy practices with regard to your health information.

Changes to the Terms of this Notice

We reserve the right to change this notice. We can change the terms of this notice, and the changes will apply to all information we have about you. The new notice will be available upon request, in our offices, and on our website.

Questions or Concerns

If you have questions regarding your privacy, or wish to file a complaint, please contact the deputy Privacy Officer for the unit in which you received care:

• University Health Services: Debra McLaughlin, dmclaugh@uoregon.edu, 541-346-4452, 1590 E. 13th Ave., Eugene OR 97403
• Early Childhood CARES: Donna Boykin, dboykin@uoregon.edu,  541-346-3518, 1500 W. 12th Ave., Eugene OR 97402
• HEDCO Clinic: Jody Ferguson, jodyferg@uoregon.edu, 541-346-0922, 1655 Alder St. Suite 170, Eugene OR 97403
• UO Athletics: Maggie Doe, mfdoe@uoregon.edu, 541-346-2257, 2727 Leo Harris Pkwy, Eugene OR 97401

General privacy concerns may be directed to the university’s HIPAA Privacy Officer at 1260 University of Oregon, Eugene, OR, 97403, hipaacompliance@uoregon.edu, 541-346-8011.

UO students and employees may also use our anonymous hotline to make a report at uoregon.ethicspoint.com.

External complaints may be submitted to: