Notice of Privacy Practices
This notice describes how medical information about you may be used and disclosed and how you can access this information. Please review it carefully.
Heritage Area Agency on Aging is required by law to maintain the privacy of your health information and to provide you with notice of its legal duties and privacy practices with respect to your health information. If you have any questions about this Notice, please contact our Privacy Officer at 319-398-5559 or 1-800-332-5934.
Use and Disclosure of Health Information
Heritage collects health information from you and stores it in a record or on a computer. This record is the property of Heritage, but the information in the record belongs to you. Heritage may use your health information for purposes of providing you treatment, obtaining payment for your care and conducting health care operations. Heritage has established policies to guard against unnecessary disclosure of your health information. This Notice applies to all protected health information that we generate and to substance use treatment-related records under 42 U.S.C. 290dd-2 and 42 C.F.R. Part 2 (Part 2) that we receive or maintain. We also follow the confidentiality protections of Part 2 for such records.
The law permits or requires us to use or disclose your PHI for various reasons, which we explain in this Notice. We have included some examples, but we have not listed every permissible use or disclosure. When using or disclosing PHI or requesting your PHI from another source, we will make reasonable efforts to limit our use, disclosure, or request about your PHI to the minimum we need to accomplish our intended purposes. PHI that the law permits or requires us to disclose may be further shared by recipients and is no longer protected by law or the safeguards and restrictions in place when it is in our possession.
Heritage may use or disclose your health information for the following purposes:
Treatment
Heritage may use your health information to coordinate care within Heritage and with others involved in your care such as your attending physician, service providers, and other health care professionals who have agreed to assist Heritage in coordinating care. Heritage may also disclose your health information to individuals outside of Heritage involved in your care including family members, clergy who you have designated, pharmacists, suppliers of medical equipment, dieticians or other health care professionals.
Conduct Health Care Operations
Heritage may use and disclose health information for its own operations in order to facilitate the function of Heritage and as necessary to provide quality services to all of Heritage's clients. Health care operations include such activities as evaluating the quality of health care services, compliance with federal and state regulations, case management and care coordination, professional review and performance evaluation, business planning and development and general administrative activities of Heritage. For example, Heritage may use your health information to evaluate its staff performance, combine your health information with other Heritage clients in evaluating how to more effectively serve all of its clients, disclose your health information to Heritage staff and contracted personnel for training purposes, use your health information to contact you as a reminder regarding a visit to you, or contact you as part of general fundraising and community information mailings unless you tell us you do not want to be contacted.
Obtain Payment
Heritage may include your health information on invoices to collect payment from third parties for the care you receive from Heritage. For example, Heritage may be required by the federal or state government to provide information regarding your health care status so that the federal or state government will reimburse you or Heritage. Heritage may also need to obtain prior approval from your insurer or state or federal government and may need to explain your need for services that would be provided to you.
Fundraising Activities
Heritage may use information about you including your name, address, phone number, and the dates you received services in order to contact you or your family to raise money for Heritage. If you do not want Heritage to contact you or your family, notify the Privacy Officer and indicate that you do not wish to be contacted.
Other Use and Disclosure of Health Information
Legally Required
Heritage will disclose your health information when it is required to do so by any federal, state or local law.
Risks To Public Health
Heritage may disclose your health information for public activities and purposes in order to prevent or control disease, injury, disability, report abuse or neglect, report domestic violence, report to the Food and Drug Administration problems with products and reactions to medications and to report disease or infection exposure.
Health Oversight Activities
Heritage may disclose your health information to a health oversight agency for activities including audits, civil administrative or criminal investigations, inspections, licensure or disciplinary action. Heritage may not disclose your health information if you are the subject of the investigation and your health information is not directly related to your receipt of healthcare or public benefits.
Judicial and Administrative Proceedings
Heritage may disclose your health information in the course of any judicial or administrative proceeding in response to an order of a court or administrative tribunal as expressly authorized by such order or in response to a subpoena, discovery request or other lawful process but only when Heritage makes reasonable efforts to either notify you about the request or to obtain an order protecting your health information. Note that Heritage is prohibited from sharing, and will not share, an individual’s PHI for investigations or legal actions concerning reproductive health care access and services where that care is lawful as provided. For example, the law prohibits us from using or disclosing your reproductive health care-related PHI in many instances to:
respond to investigation requests, court orders, or subpoenas seeking information about or imposing liability on any person for seeking, obtaining, providing, or facilitating lawfully provided reproductive health care; or
identify any person that is subject to a criminal, civil, or administrative investigation or legal action, including any in law enforcement investigations, criminal prosecutions, family law proceedings, or state licensure proceedings, for seeking, obtaining, providing, or facilitating lawfully provided reproductive health care.
Some examples of seeking, obtaining, providing, or facilitating reproductive health care include: using reproductive health care; performing, furnishing, or paying for reproductive health care; providing information about reproductive health care; arranging, insuring, administering, providing coverage for, approving, or counseling about reproductive health care; or attempting any of these activities.
Law Enforcement Purposes
Heritage may disclose your health information to a law enforcement official for purposes, such as identifying or locating a suspect, fugitive, material witness or missing person, complying with a court order or subpoena or other law enforcement purpose.
Deceased Person Information
Heritage may disclose your health information to coroners, medical examiners and funeral directors.
Health and Safety
In the event of a serious health threat to health or safety, Heritage may, consistent with applicable law and ethical standards of conduct, disclose your health information if Heritage in good faith believes that such disclosure is necessary to prevent or lessen a serious and imminent threat to your health or safety or to the health and safety of the public.
Specialized Governmental Functions
Heritage may disclose your health information for military, national security, prisoner and government to benefit purposes.
Workers ' Compensation
Heritage may disclose your health information as necessary to comply with workers' compensation laws.
Reproductive Health Care PHI Uses and Disclosures Requiring an Attestation
By law, if we collect, receive, or maintain PHI that is potentially related to your reproductive health care, in some cases we must obtain an attestation from PHI recipients that they will not use or share that PHI for a purpose prohibited by law. For example, these situations may involve:
Health oversight activities. For example, we may share your reproductive health care-related PHI in some situations for health oversight agency audits or inspections, civil or criminal investigations or proceedings, or licensure actions.
Judicial and administrative proceedings. For example, we may share your reproductive health care-related PHI in some situations in response to a court or administrative order, subpoena, or discovery request.
Law enforcement purposes. For example, we may share your reproductive health care-related PHI in some situations for law enforcement purposes, including in response to a court-ordered warrant or a law enforcement official's request for information about a victim of a crime.
Coroners or medical examiners. For example, we may share your reproductive health care-related PHI in some situations to a coroner or medical examiner to identify a deceased person, determine cause of death, or other duties as authorized by law.
Authorization to Use or Disclose Health Information
For purposes not described above, including uses and disclosures of PHI for marketing purposes, disclosures that would constitute a sale of PHI and most sharing of psychotherapy notes, Heritage will ask for your authorization before using or disclosing PHI. If you authorize Heritage to use or disclose your health information, you may revoke that authorization in writing at any time. A revocation of authorization will be effective on the date it is received and will not affect previous disclosures.
Breach Notification
Heritage is required to provide you with notification if it discovers a breach of your unsecured protected health information that may have compromised the privacy or security of your information. You will be notified without unreasonable delay and no later than 60 days after discovery of the breach. Such notification will include information about what happened and what can be done to mitigate any harm.
In the event of a breach for those enrolled in the Victims of Crime Act (VOCA) program, you will be notified within 24 hours of Heritage becoming aware of the breach.
Your Rights with Respect to Your Health Information
You have the following rights regarding your health information that Heritage maintains:
Right To Request Restrictions
You may request restrictions on certain uses and disclosures of your health information. You have the right to request that Heritage limit disclosure of your health information to someone who is involved in your care or payment for your care. Heritage is not required to agree to this request. If you have paid for services out-of-pocket, in full, you may request that Heritage not disclose PHI related solely to those services to a health plan. Heritage must accommodate this request, except where Heritage is required by law to make a disclosure. If you wish to make a request for restriction, contact the Privacy Officer, Heritage Area Agency on Aging, 6301 Kirkwood Blvd. SW, Cedar Rapids, IA 52404.
Right To Inspect and Copy Your Health Information
You have the right to inspect and copy your health information. A request to inspect and copy records containing your health information may be made to the Privacy Officer identified below. If you request a copy of your health information, Heritage may charge a reasonable fee for copying.
Right To Receive Confidential Communications
You have the right to request that Heritage communicate with you in a certain way. For example, you may ask that Heritage only conduct communications pertaining to your health information with you privately with no other family members present. If you wish to receive only confidential communications, contact the Privacy Officer identified below. Heritage will not request that you provide any reason for your request and will attempt to honor your reasonable request for confidential communications.
Right To Amend Health Information
You or your representative has the right to request that Heritage amend your records if you believe that your health information is incorrect or incomplete. That request may be made as long as the information is maintained by Heritage. A request for amendment should be made in writing to the Privacy Officer identified below. Heritage may deny the request if it is not in writing or does not include a reason for the amendment. The request may also be denied if your health information records were not created by Heritage, if the records you are requesting are not part of Heritage's record, if the health information you wish to amend is not part of the health information you or your representative are permitted to inspect and copy or if, in the opinion of Heritage, the records containing your health information are accurate and complete.
Right to Accounting of Disclosures
You have a right to receive an accounting of disclosures of your health information made by Heritage in the six years prior to the date of your request. The request for an accounting must be made in writing to the Privacy Officer identified below. Heritage will provide the first accounting during any 12-month period without charge. Subsequent accounting requests may be subject to a reasonable cost-based fee.
Right to Copy of Notice
You have a right to a paper copy of this Notice of Privacy Practices.
Duties of Heritage
Heritage is required to abide by the terms of this Notice as it may be amended from time to time. Heritage reserves the right to change the terms of this Notice and to make the new Notice provisions effective for all health information that it maintains. If Heritage changes this Notice, Heritage will provide a copy of the revised Notice to you or your representative. You or your representative has the right to express complaints to Heritage or to the Secretary of the Department of Health and Human Services if you believe that your privacy rights have been violated.
For further information, please contact:
Privacy Officer
Heritage Area Agency on Aging
6301 Kirkwood Blvd. SW
Cedar Rapids, IA 52404
(319) 398-5559
Heritage encourages you to express any concerns that you may have regarding the privacy of your information. If you are not satisfied with the manner in which Heritage handles a complaint, you may submit a formal complaint to:
Department of Health and Human Services
Office of Civil Rights
Hubert H. Humphrey Building
200 Independence Avenue S.W. Room 509F
Washington, DC 20201.
You will not be retaliated against in any way for filing a complaint.
Effective Date
This Notice is effective September 23, 2013, revised 10/01/2024.