Notice of Privacy Practices
- THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. Medical information, as used in the paragraph above, may not completely describe the type of information Saint Joseph Villa may use and disclose. Information about your past, present, or future health or condition, the provision of health care or other services to you, or payment for services rendered, if such information does or could be used to identify you, is considered Protected Health Information (“PHI”) under the Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) and federal regulations issued thereunder (collectively, the HIPAA Privacy Rule). Included in your PHI, for example, are your treatment or service records, your name and address, and your insurance or other health benefit information. This notice describes potential uses and disclosures of your PHI, as well as your rights with respect to your PHI.
- Our Duty to Safeguard Your Protected Health Information.
Under the HIPAA Privacy Rule, Saint Joseph Villa is required to extend certain protections to your PHI, and to give you this notice about our privacy practices that explains how, when and why we may use or disclose your PHI. Except in specified circumstances, we must use or disclose only the minimum PHI to accomplish the purpose of the use or disclosure. We are required to follow the privacy practices described in this notice, though we reserve the right to change our privacy practices and the terms of this Notice at any time. If we do so, we will post a new notice at the facility. You may request a copy of any new notice by contacting Saint Joseph Villa Privacy Official, Sarah Schempp, Corporate Compliance Official, 267-447-7994.
- How We May Use and Disclose Your Protected Health Information.
We use and disclose PHI for a variety of reasons. For some uses and disclosures, we must have your written authorization; for others, no authorization is required. However, the law provides that we are permitted to make some uses/disclosures without your written authorization. The following offers more description and examples of our potential uses/disclosures of your PHI.
- Uses and Disclosures Relating to Treatment, Payment, or Health Care Operations.
- For services: We may disclose your PHI to staff members, volunteers, and other service delivery personnel who are involved in providing your services. We may also disclose your PHI to other affiliated facilities and service providers in order to ensure the provision of additional or modified services to you. This may include using or disclosing your protected health information to voice activated devices (for example, medicine dispensing devices) with proper controls in place to keep it secured in accordance with applicable law.
- To obtain payment: We may use/disclose your PHI in order to bill and collect payment for your services. For example, we may release portions of your PHI to Medicaid, a private insurance plan, or a state office to get paid for services that we delivered to you.
- For service operations: We may use/disclose your PHI in the course of operating our facilities. For example, we may use your PHI in evaluating the quality of services provided, or disclose your PHI to our accountant or attorney for audit purposes. Release of your PHI to the county, state, and/or the Medicaid agency might also be necessary to determine your eligibility for publicly funded services.
- Uses and Disclosures Requiring Authorization: For uses and disclosures beyond treatment, payment and operations purposes we are required to have your written authorization, unless the use or disclosure falls within one of the exceptions described below. Should an authorization be required, you or your responsible person will be asked to sign the facility’s standard authorization form. Once signed, authorizations can be revoked in writing at any time to stop future uses/disclosures, except to the extent that we have already undertaken an action in reliance upon your authorization.
- Uses and Disclosures Not Requiring Authorization: The law provides that we may use/disclose your PHI without a written authorization in the following circumstances:
- When required by law: We may disclose PHI when a law requires that we report information about a suspected abuse, neglect or domestic violence, or relating to suspected criminal activity, or in response to a court order. We must also disclose PHI to authorities who monitor compliance with these privacy requirements.
- For public health activities: We may disclose PHI when we are required to collect information about disease or injury, or to report vital statistics to the public health authority.
- For health oversight activities: We may disclose PHI to an accrediting organization or another agency responsible for monitoring the health care system for such purposes as reporting or investigation of unusual incidents.
- Related to decedents: We may disclose PHI relating to an individual’s death to coroners, medical examiners or funeral directors, and to organ procurement organizations relating to organ, eye or tissue donations or transplants.
- To avert threat to health or safety: In order to avoid a serious threat to health or safety, we may disclose PHI as necessary to law enforcement or other persons who can reasonably prevent or lessen the threat of harm.
- For specific government functions: We may disclose PHI of military personnel and veterans in certain situations, to correctional facilities in certain situations, to government programs relating to eligibility and enrollment, and for national security reasons, such as protection of the President. This may include incidental disclosures of your protected health information to voice activated devices in your residence. We will make best efforts to implement proper controls to maintain privacy and security.
- Uses and Disclosures Requiring That You Have an Opportunity to Object: In the following situations, we may disclose your PHI if we inform you about the disclosure in advance and you do not object. However, if there is an emergency situation and you cannot be given your opportunity to object, disclosure may be made if it is consistent with any prior expressed wishes and disclosure is determined to be in your best interests. You must be informed and given an opportunity to object to further disclosure as soon as you are able to do so.
- Resident Directories: Your name, location, general condition, and religious affiliation may be put into our resident directory for use by clergy and callers or visitors who ask for you by name.
- To families, friends, or others involved in your care: We may share with these people information directly related to their involvement in your care, or payment for your care. We may also share PHI with these people to notify them about your location, general condition, or death.
- Fundraising Activities: Unless you object, we may use certain personal health information to contact you in an effort to raise money for the facility and its operations. We may disclose personal health information to a foundation related to the facility so that the foundation may contact you in raising money for the facility. In doing so, we would only release contact information, such as your name, address and phone number and the dates you received treatment or services at the facility. Such fundraising communications shall provide, in a clear and conspicuous manner, the opportunity for you to opt out of receiving future fundraising communications.
- Marketing Communications: Discussions between Saint Joseph Villa and you concerning possible products and services offered by outside entities are considered “marketing communications.” For example, if an outside vendor requests that we recommend their product or service to you, or provide you with a pamphlet or other written brochures, a “marketing discussion” has occurred. Generally speaking, before we can engage in these conversations with you, or provide you with the materials, we will need to receive your authorization. The only current exceptions to this process are for communications made:
- (a) to provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for you, and so long as any payment received by us from the outside supplier in exchange for making this communication is reasonably related to our cost of making the communication; or
- (b) for the following treatment and health care operations purposes, except where we receive payment in exchange for making the communication: (i) For treatment of an individual by a health care provider, including case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual; (ii) To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; or (iii) For case management or care coordination, contacting of individuals with information about treatment alternatives, and related functions to the extent these activities do not fall within the definition of treatment.
- Your Rights Regarding Your Protected Health Information. You have the following rights relating to your protected health information:
- To request restrictions on uses/disclosures: You have the right to ask that we limit how we use or disclose your PHI. We will consider your request, but are not legally bound to agree to the restriction. To the extent that we do agree to any restrictions on our use/disclosure of your PHI, we will put the agreement in writing and abide by it except in emergency situations. We cannot agree to limit uses/disclosures that are required by law. To request a restriction, please contact our Medical Records Department.
- To choose how we contact you: You have the right to ask that we send you information at an alternative address or by an alternative means. We must agree to your request as long as it is reasonably easy for us to do so. To request such a change, please contact our Medical Records Department.
- To inspect and copy your PHI: Unless your access is restricted for clear and documented treatment reasons, or under applicable laws and regulations, you have a right to see your protected health information if you put your request in writing. We will respond to your request within 30 days. If we deny your access, we will give written reasons for the denial and explain any right to have the denial reviewed. If you want copies of your PHI, a charge for copying may be imposed, but may be waived, depending on your circumstances. You have a right to choose what portions of your information you want copied and to have prior information on the cost of copying. In order to request access to your PHI, please contact our Medical Records Department.
- To request amendment of your PHI: If you believe that there is a mistake or missing information in our record of your PHI, you may request, in writing, that we correct or add to the record. We will respond within 60 days of receiving your request. We may deny the request if we determine that the PHI is: (i) correct and complete; (ii) not created by us and/or not part of our records; or (iii) not permitted to be disclosed. Any denial will state the reasons for denial and explain your rights to have the request and denial, along with any statement in response that you provide, appended to your PHI. If we approve the request for amendment, we will change the PHI and so inform you, and tell others that need to know about the change in the PHI. To request an amendment, please contact our Medical Records Department for an amendment request form, and return a completed form to that department.
- To find out what disclosures have been made: You have a right to get a list of when, to whom, for what purpose, and what content of your PHI has been released other than instances of disclosure for which you gave consent (i.e. for treatment, payment, operations, to you, your family, or the facility directory). The list also will not include any disclosures made for national security purposes, to law enforcement officials or correctional facilities, or before April 2003. We will respond to your written request for such a list within 60 days of receiving it. Your request can relate to disclosures going as far back as six years. There will be no charge for up to one such list each year. There may be a charge for more frequent requests. To request a listing of disclosures, please contact our Medical Records Department for a disclosure request form, and return the completed form to that department.
- To receive this notice: You have a right to receive a paper copy of this Notice and/or an electronic copy by e-mail upon request. If you request an electronic copy via e-mail, you must sign a consent form to allow us to communicate with you in that manner.
- Duty to Notify You of Breach
- Duty to Notify: We are required to notify you in the event that your unsecured protected health information (PHI) is breached. A “breach” is defined as the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of the PHI, but does not include unintentional acquisition, access or use of such information, inadvertent disclosure of such information within a facility, and disclosure to a person not reasonably able to retain it. “Unsecured protected health information” refers to PHI that is not secured through the use of a valid encryption process approved by the Secretary of Health and Human Services or the destruction of the media on which the PHI is recorded or stored. Such encryption or destruction methods are not mandated on covered entities such as ours. We will evaluate the propriety of securing PHI for our residents, and act using our own discretion. However, should any of your “unsecured” PHI held by us be “breached,” then we will notify you in the manner discussed below.
- Timing and Method of Notification: We will notify you no later than 60 days after discovery of such breach via first-class mail or e-mail, if specified by you as your preference. If the breach involves the information of more than 500 individuals, we will also provide notice to prominent media outlets. We will also notify the Secretary of Health and Human Services of the breach (immediately if the breach involves the information of more than 500 individuals, or in an annual notification for all other breaches).
- Contents of Notification: Our notification to you will include:
- A brief description of what happened, including the date of breach and date of discovery (if known)
- A description of the types of PHI that were involved in the breach
- Any steps you should take to protect yourself from potential harm resulting from the breach
- A brief description of what we are doing to investigate the breach, mitigate harm to the resident, and protect against further breaches; and
- Contact procedures for you to ask questions or learn additional information, which must include a toll-free telephone number, an e-mail address, Web site, or postal address.
- How to Make a Complaint About a Violation of our Privacy Practices:
If you think we may have violated your privacy rights, or you disagree with a decision we made about access to your PHI, you may file a complaint with the person listed in Section VII below. You also may file a written complaint with the Office of Civil Rights of the Federal Department of Health and Human Services. We will take no retaliatory action against you if you make such complaints.
- Contact Person for Information, or to Submit a Complaint:
If you have questions about this notice or any complaints about our privacy practices, please contact: Saint Joseph Villa Privacy Official, Sarah Schempp, Corporate Compliance Official at 110 W. Wissahickon Avenue, Flourtown, PA 19031, phone: 267-447-7994, email: firstname.lastname@example.org
Effective Date: This notice is effective September 28, 2017.