HIPAA, Accessibility, and Privacy Policy

Notice of Privacy Practices

Updated August 15, 2022

If you have any questions about this notice, please contact our Privacy Officer. Our Registration or Admissions staff will provide you with the contact information.

Full Notice

THIS NOTICE DESCRIBES HOW YOUR HEALTH INFORMATION SUBJECT TO THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) AND SIMILAR LAWS MAY BE USED AND DISCLOSED (SHARED) AND HOW YOU CAN GET ACCESS TO (SEE AND COPY) THIS INFORMATION. PLEASE REVIEW THIS NOTICE CAREFULLY.

Background

UPMC creates and maintains a record of health information about the care and services you receive at UPMC. This includes health information that UPMC receives from other doctors and medical facilities that are not part of UPMC, but that UPMC keeps to provide care to you. UPMC may share and use your health information as described in this Notice, including for purposes of treating you, obtaining payment for services provided to you, health care operations, as well as purposes authorized by you, permitted by law, or otherwise described in this Notice. You can learn more about UPMC at www.upmc.com.

What Is a Notice of Privacy Practices (Notice)?

The Notice tells you about the ways UPMC may use and share your health information, as well as the legal duties we have about your health information. The Notice also tells you about your rights under federal (United States) and state laws.

What is Covered Under UPMC’s Notice of Privacy Practices?

A list of entities that are bound by this Notice can be found within the privacy information section of www.upmc.com. This includes hospitals, doctors, rehabilitation services, skilled nursing services, home health services, pharmacy services, laboratory services, and other related health care providers. This also includes departments, units, and staff within these entities, health care professionals permitted by us to provide services to you, and students, residents, trainees, volunteers, and others involved in providing your care whether or not these individuals are employed by UPMC. In this Notice, the words “we,” “us,” and “our” mean UPMC and all the people and places that follow this Notice.

This Notice does not apply to the UPMC Health Plan or UPMC as an employer. These UPMC entities are separate covered entities for the purpose of the Health Insurance Portability and Accountability Act (HIPAA) and have their own Notice. Additionally, if your doctor is not a member of a physician practice that is owned by UPMC, he or she may have different policies about how to handle your information and will have a separate Notice.

This Notice only applies to those parts of UPMC’s websites and mobile device applications where you can access your electronic health record or interact with a clinician regarding your specific care, such as UPMC’s patient portal (MyUPMC). However, these websites and applications may contain additional terms associated with your use. You should review those terms as well as the website terms contained on the UPMC website that you visit.

This Notice does not apply to health information that is not subject to HIPAA or similar state health information privacy laws, or information used or shared in a manner that cannot identify you.

Our Duty to Protect Your Health Information

We are required by law to:

  • Make sure that your health information is used in accordance with this Notice (as currently in effect).
  • Make available to you this Notice that describes the ways we use and share your health information as well as your rights under the law.

How We May Use and Share Your Health Information

We may use and share your health information in certain ways, such as when we receive your written permission, to help treat you, or as permitted or required by the law. The following list describes different ways that we may use and share your health information, along with examples for each.

A. Ways We Are Allowed to Use and Share Your Health Information Without Your Consent or as the UPMC Consent for Treatment, Payment, and Health Care Operations Provides:

  1. Treatment. We may use your health information to provide you medical treatment or related services including coordination of care and case management. We may also share your health information with others that provide treatment to you. For example, when you receive care at a non-UPMC hospital, UPMC may share information with that hospital so that they may provide care to you. We may also share your health information with others who may provide follow-up care to you, such as your primary care physician, physical therapist, long term care facility and home healthcare agencies. At all times, we will comply with any laws that apply.
  2. Payment. To receive payment for the services we provide to you, we may use and share your health information with your insurance company or a third party who is paying for your care. We also may share your health information with other health care service or product providers who need to pre-approve or provide follow-up care to you, such as your physicians, other providers, EMS providers, nursing homes and home care agencies so they can bill you, your insurance company, or a third party. For example, some health plans require your health information to pre-approve you for surgery and require preapproval before they pay us.
  3. Health Care Operations. We may use and share your health information for business and other operational purposes. For example, we may use your health information to evaluate the quality of the treatment that we provided. We may share your health information with our researchers, so they can develop plans to conduct research. We may share information with our students, trainees, and staff for review and training purposes. We may share your health information for case management and care coordination purposes. However, we will not sell your name or any identifiable health information to others without your authorization.
  4. Health Information Exchanges. We may share your health information using various Health Information Exchanges that UPMC participates in both on a regional and a national basis. If you choose not to participate in these exchanges, your health information will no longer be provided through the exchange. However, your decision does not affect the information that was exchanged prior to the time you chose not to participate. You can learn more about the health information exchanges UPMC participates in at www.upmc.com.
  5. Business Associates. We may share your health information with others called “business associates,” who perform services on our behalf. The Business Associate must agree in writing to protect the confidentiality of your health information. For example, we may share your health information with a billing company that bills for the services that we provided.
  6. Appointment Reminders. We may use and share your health information to remind you of your appointment for treatment or medical care. For example, we may call, text, or e-mail you to remind you of a scheduled appointment. We may also use and share your health information to confirm the time, place, and attendance of your appointment for treatment with third-party transportation services and any other related services (including but not limited to third parties involved in your treatment).
  7. Treatment Options and Other Health-Related Benefits and Services. We may use and share your health information to tell you about possible treatment options and other health-related benefits and services. For example, if you suffer from a chronic illness or condition, we may use your health information to assess your eligibility and propose newly available treatments.
  8. Fundraising Activities. We may use and share information with a UPMC-related foundation (or Business Associate) so that they can ask that you make a donation. However, the information that UPMC can share is limited to your name, address, phone number, and other contact information, the dates that health care was provided to you, general department, and facility information where services were provided, the name of your treating physician and general outcome information. For example, you may receive a letter from a UPMC foundation asking for a donation to support enhanced patient care, treatment, education, or research at UPMC. Any fund-raising materials will explain how you can tell us, a Business Associate, or a foundation that you do not want to be contacted in the future.
  9. Marketing Activities, Cookies, and Online Services.
    1. We may use or share your health information to promote our own products and services. We may also use or share your health information for marketing purposes when we discuss products or services with you face to face or to provide you with an inexpensive promotional gift related to the product or service. For example, you may receive samples of products or drugs during a visit to a UPMC hospital or facility.
    2. When you visit and use some UPMC websites (including the MyUPMC patient portal or online care sites) or mobile device applications, we may collect and share information about your use of these websites and applications through cookies and other similar technologies. This information can include technical information about your device or browser (such as, for example, your internet protocol (IP) address, operating system, device information, browser type and language, and referring URLs) as well as information about your activities or use of the websites and mobile device applications (such as, for example, access times, pages viewed, links clicked and similar information). You should review the terms contained on the UPMC website or application that you use, including UPMC’s Website/Email Terms of Use, for detailed information on the types of cookies and other technologies we use, what information we collect, the reasons why we use these technologies, as well as the terms associated with that website or application.
    3. UPMC and you may agree to use a third-party website, application, or electronic messaging service (for example, with chat, video, or audio capabilities) for you to receive remote health care services from UPMC. These third-party services may have separate terms and conditions and privacy policies that you must agree to instead of or in addition to UPMC’s Website/Email Terms of Use. However, when you use the third-party service, the health information that you choose to share may be covered by this Notice.
  10. Research. We may use and share your health information for research 1) if our researcher obtains permission from a UPMC sanctioned committee (including Institutional Review Boards) that decides the request meets certain standards required by law; or 2) if you provide us with your written permission to do so. You may choose to participate in a research study that requires you to obtain related health care services. In this case, we may share your health information 1) to the researchers involved in the study who ordered the hospital or other health care services; and 2) to your insurance company in order to receive payment for those services that your insurance agrees to pay for. We may use and share your health information with a UPMC researcher if certain parts of your health information that would identify you are removed before we share it with the UPMC researcher. This will only be done if the researcher agrees in writing not to share the information, not to attempt to contact you, and to obey other requirements that the law provides. We may also share your health information with a Business Associate who will remove information that identifies you so that the remaining information can be used for research.
  11. Special Situations. In the following situations, the law either permits or requires us to use or share your health information with others. However, laws governing sensitive information (including behavioral health information, drug and alcohol treatment information, and HIV status) may limit these disclosures.
    1. As Required by Law. We may share your health information when required or permitted by federal, state, or local law. For example, if we believe that you have been a victim of abuse, neglect, or domestic violence, we may share your health information with an authorized government agency. If we share your health information for this purpose, we will tell you unless we believe that telling you would put you or someone else at risk of harm.
    2. To Prevent a Serious Threat to Health or Safety. We may use and share your health information with persons to prevent or lessen the threat of serious harm to the health and safety of you, the public, or another person. State laws may require such disclosure when an individual or group has been specifically identified as the target or potential victim.
    3. Organ and Tissue Donation. To assist in the process of eye, organ, or tissue transplants in the event of your death, we may share your health information with organizations that obtain, store, or transplant eyes, organs, or tissue.
    4. Special Government Purposes. We may use and share your health information with certain government agencies, such as:
      • Military and Veterans. We may share your health information with military authorities as the law permits if you are a member of the armed forces (of either the United States or a foreign government).
      • National Security and Intelligence. We may share your health information with authorized federal officials for intelligence, counterintelligence and other national security activities authorized by law.
      • Protective Services for the President and Others. We may share your health information with authorized federal officials to protect the President of the United States, other authorized persons, or foreign heads of state. We may also share your health information for purposes of conducting special investigations as authorized by law.
    5. Workers’ Compensation. We may share your health information for Workers’ Compensation or similar programs that provide benefits for work-related injuries or illness.
    6. Public Health. As permitted or required by law, including the National Emergencies Act, we may share your health information with public health authorities for public health purposes to prevent or control disease, injury, or disability. This includes, but is not limited to, reporting disease, injury, and important events such as birth or death, and conducting public health monitoring, investigations, or activities. For example, we may share your health information to 1) report abuse or neglect; 2) collect and report on the quality, safety, and effectiveness of products and activities regulated by the Food and Drug Administration (FDA) (such as drugs and medical equipment, and could include product recalls, repairs, and monitoring); or 3) help contain the spread of a disease.
    7. Health Oversight. We may share your health information with a health oversight agency for purposes including 1) monitoring the health care system; 2) determining benefit eligibility for Medicare, Medicaid, and other government benefit programs; and 3) monitoring compliance with government regulations and laws.
    8. Coroners, Medical Examiners, and Funeral Directors. We may share your health information with a coroner or medical examiner in order to identify a deceased person, determine the cause of death, or for other reasons allowed by law. We also may share your health information with funeral directors, as necessary, so they can carry out their duties.
    9. Inmates. If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may share your health information with the correctional institution or law enforcement official. For example, we may share your protected health information 1) for the institution to provide you with health care; 2) to protect your health and safety or the health and safety of others; or 3) for the safety and security of the correctional institution and its staff.

B. Other Ways We Are Allowed to Use and Provide Your Health Information to Others

    1. Hospital Directory. We may include limited information about you in the hospital directory while you are a patient at a UPMC hospital or other facility. The information may include your name, location in the building, general condition, such as “stable,” “serious,” “critical,” and your religious affiliation. Except for your religious affiliation, the directory information may be released to people who ask for you by name. We may give your religious affiliation to a member of the clergy, such as a priest or rabbi, even if they do not ask for you by name. This helps your family, friends, and clergy who visit you to know how you are doing. You have the right to ask that all or part of your information not be given out. If you do so, we will not be able to tell your family or friends your room number or that you are in the hospital or facility.
    2. People Involved in Your Care or Payment for Your Care. We may share your health information with a friend, family member, or another person identified by you who is involved in your medical care or the payment of your medical care. We may share your health information with others if you are present or available before we share your health information with them and you do not object to our sharing your health information with them, or we reasonably believe that you would not object to this. If you are not present and certain circumstances indicate to us that it would be in your best interests to do so, we will share information with a friend or family member, to the extent necessary. This could include sharing information with your family or friend so that they could pick up a prescription or a medical supply. We may tell your family or friends that you are in a UPMC hospital and your general condition. We may share medical information about you with an organization assisting in a disaster relief effort. We may also share information through UPMC online portals with people you designate.
    3. Permissible Disclosures to Law Enforcement. We may share your health information with a law enforcement official or authorized individual:
      1. In response to a court order, subpoena, warrant, summons, or similar process;
      2. To identify or locate a suspect, fugitive, material witness, or missing person;
      3. About the victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement;
      4. About a death we believe may be the result of criminal conduct;
      5. About criminal conduct at the hospital; or in emergency circumstances to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime.
    4. Exception to the Above. If you are a patient in a psychiatric/mental/behavioral health facility or drug and alcohol facility, additional authorization may be required to release your information outside of UPMC. Subject to laws that allow certain minors to consent to medical treatment, this permission must come from your parents or legal guardians.

C. Where Written Permission is Required

Except as stated in Sections A and B, your written permission is required before we can use or share your health information with anyone outside of UPMC. If you give us permission to use or share your health information, you may cancel that permission, in writing, at any time. However, this does not apply to health information that we have already shared with your permission.

Your Rights Concerning Your Health Information

The law gives you the following rights about your health information:

    1. Right to Ask to See and Request a Copy. You have the right to ask to see and request a copy of the health information maintained in your “designated records set” (as defined by HIPAA) – which includes medical and billing records about you and other records we use to make decisions about your care. This includes your right to request electronic access to your medical records or request to receive a copy of your electronic medical records in electronic form. UPMC provides patient portals as one option for patients to electronically access their health information free of charge. You can either visit UPMC.com or call your doctor’s office or the place where you were treated to find out how to make a request. You may also request that the information be provided to a designated third party. You may have to pay fees as permitted by law for other requests to inspect, electronically access or receive a copy of your information, including where you designated a third-party recipient. If we are concerned that your request may cause harm, we may tell you that you cannot see or have a copy of some or all your health information. If we tell you this, in certain circumstances you may ask that someone else at UPMC review this decision. A licensed health care professional chosen by UPMC will review those that can be reviewed. This person will not be the same person who refused your request.
    2. Right to Ask for a Correction. If you feel that health information we have about you is incorrect or incomplete, you may ask us to correct the information. You have the right to ask for a correction for as long as the information is kept by or for UPMC. You must put your request in writing and give it to your doctor or the place where you received care. If you do not ask in writing or give your reasons in writing, we may tell you that we will not make the change. We also have the right to refuse your request if 1) we determine that the information is correct and complete; 2) the information is not part of the health information created or kept by or for UPMC; 3) the person or place who created the information is no longer available to make the correction and we believe the information to be correct; or 4) the information is not part of the information that you are permitted by law to see and/or copy.
    3. Right to Ask for an “Accounting of Disclosures.” You have the right to ask us for an “accounting of disclosures.” This is a list of those people and organizations who have received or have accessed your health information. This right does not include information made available for treatment, payment, or health care operations, or made available when you have provided us with permission to do so. You must put your request in writing and give it to your doctor or the place where you received care. You can call your doctor’s office or the place where you received care to find out how to ask for the list. You must include in your written request how far back in time you want us to go, which may not be longer than six years.
    4. Right to Ask for Limits on Use and Sharing.
      1. Generally. You have the right to ask us to limit the health information we use or share with others about you for treatment, payment, or health care operations. You also have the right to ask us to limit health information that we share with someone who is involved in your care or payment for your care, like a family member or friend. You can call your doctor’s office or the place where you received your care to get instructions on how to submit such a request. In your request, you must tell us 1) what information you want to limit; 2) whether you want to limit our use, disclosure, or both; and 3) the person or institution the limits apply to (for example, your spouse). For example, you could ask that we not use or share information about a surgery you had. You must put your request in writing and give it to your doctor or the place where you received your care. We are not required to agree to your request. If we do agree to your request, we still may provide information, as necessary, to give you emergency treatment.
      2. Services Paid for by You. Where you have paid for your services out of pocket in full, at your request, we will not share health information about those services with a health plan for purposes of payment or health care operations. “Health plan” means an organization that pays for your medical care.
    5. Right to Ask for Confidential Communications. You have the right to ask that we contact you about your health information in a certain way or at a certain location that you believe provides you with greater privacy. For example, you can ask that we contact you at work or by mail. Your request must state how or where you wish to be contacted. You must make your request in writing to your doctor or the place where you received care. You do not need to provide a reason for your request. We will try to comply with all reasonable requests.
    6. Right to Ask for a Paper Copy of This Notice. You may ask us to give you a copy of this Notice at any time. Even if you have agreed to receive this Notice electronically (for example, through the computer), you still have the right to a paper copy of this Notice. You can also get a copy of this Notice at our website. To obtain a paper copy of this Notice, contact your doctor’s office or the registration department of the place where you received care.

Violation of Privacy Rights

If a breach of your health information occurs at UPMC or one of its Business Associates, you will be provided with written notification as required by the Health Insurance Portability and Accountability Act (HIPAA) and its regulations.

If you believe your privacy has been violated by us, you may file a confidential complaint directly with us. You can do this by contacting the UPMC Privacy Officer at the hospital or facility where you received care or by calling the UPMC Compliance Help Line at 1-877-983-8442, or the UPMC Office of Patient and Consumer Privacy at 412-647-5757.

You also may file a complaint with the Secretary of the U.S. Department of Health and Human Services. To file a complaint with the Secretary of Health and Human Services, you must 1) name the UPMC place or person that you believe violated your privacy rights and describe how that place or person violated your privacy rights; and 2) file the complaint within 180 days of when you knew or should have known that the violation occurred. All complaints to the Secretary of the U.S. Department of Health and Human Services must be in writing and addressed to:

U.S. Department of Health and Human Services
200 Independence Ave. S.W.
Washington, DC 20201

You will not be penalized for filing a complaint.

Changes to This Notice

We reserve (have) the right to change this Notice. We reserve (have) the right to make the revised or changed Notice effective for health information we already have about you and for any future health information. We will post a copy of the revised Notice in the places where we provide medical services and on our website. The Notice will contain the effective date on the first page, in the top left-hand corner. We will provide to you, if you ask us, a copy of the Notice that is currently in effect each time you register at UPMC as an inpatient or outpatient for treatment or health care services.

If You Have Questions About This Notice

If you have any questions about this Notice, please contact your doctor or the place where you received care. You also may contact UPMC’s Notice of Privacy inquiry line at 412-647-6286 or the UPMC Office of Patient and Consumer Privacy at 412-647-5757.