Our Commitment to Your Privacy

At HMC, we work hard to ensure the privacy of patients and maintain the confidentiality of their information and medical records. Like all accredited healthcare institutions, we follow a federal law called the Health Insurance Portability and Accountability Act (HIPAA), which is designed to protect the privacy and confidentiality of patient information.

Our Privacy Policies
We insist that our staff observe patient confidentiality thus respecting your right to privacy about your medical records and experience at our hospital.

This summary briefly describes how we, the Hopedale Medical Complex, may use and disclose your Protected Health Information (PHI) to carry out your treatment, payment activities, health care operations, and for other purposes that are permitted or required by law, and your rights to access and control your PHI. For a more complete description of how we may use and disclose your PHI, feel free to refer to the attached Notice of Privacy Practices.

This Notice of Private Practices became effective on April 14, 2003 and was amended on October 31, 2009.

Our Responsibilities
We are required by law to maintain the privacy of your PHI. In accordance with the HIPAA Privacy Regulations, we have the right to use and disclose your PHI for treatment, payment activities, and health care operations as explained in the Notice of Privacy Practices. We are most likely to use and/or disclose your PHI for these functions.

Additionally, we may use or disclose your PHI as permitted and required by law. For example, we may use or disclose your PHI for public health activities, legal proceedings, or law enforcement purposes.

Amended to include HIPAA-HITECH as of November 1, 2009, which is as follows:

Overview of HIPAA
HIPAA requires covered entities to keep confidential protected health information, PHI. A covered entity is a health care provider that transmits any information in an electronic form. Hopedale Hospital and its related doctors’ offices are ‘covered entities.'


Protected Health Information
Is individually identifiable health information held or transmitted by a covered entity or its business associate. This includes demographic data related to:

The individual’s past, present, or future physical or mental health or condition, the provision of healthcare to the individual, or the past, present, or future payment for the provision of healthcare services to the individual, and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers, such as name, address, birth date, and Social Security number.

HITECH Notification Requirements
Under HITECH, HMC is required to notify a patient whose protected health information, PHI, has been breached. The notification must occur by first class mail within 60 days of the event. A breach occurs when there has been an unauthorized use or disclosure under HIPAA that compromises the privacy or security of PHI if it poses a significant risk for financial, reputational, or other harm to the individual.

The notice must:

Contain a brief description of what happened, including the date of the breach and the date of discovery;
The steps the individual should take to protect themselves from potential harm resulting from the breach;
A brief description of what the covered entity is doing to investigate the breach, mitigate losses, and to protect against further breaches.

No model notice form has been proposed.

Not every impermissible use or disclosure constitutes a reportable breach. The determination of whether an impermissible breach is reportable hinges on whether there is a significant risk of harm to the individual as a result of impermissible activity. For example, if PHI on a patient was inappropriately shared with a billing clerk and she understood her confidentiality obligations, the patient would not need to be notified by HMC of the breach. If HMC disclosed that a patient received services at our hospital, without more specifics, inadvertently to someone outside our organization, this also may not be cause for a breach under HITECH because it may not have been a significant risk of financial or reputational harm. The key in determining potential harm is whether sufficient information was released what would allow identity theft or would harm the person.

Business Associates
Effective February 2010, HMC’s Business Associate Agreements have been amended to provide that all of the HIPAA security administrative safeguards, physical safeguards, technical safeguards and security policies, procedures, and documentation requirements apply directly to the business associate.


Cash Patient/Clients
HITECH states that if a patient pays in full for their services out of pocket they can demand that the information regarding the service not be disclosed to the

patient’s third party payer since no claim is being made against the third party payer.


Your Rights
You have the following rights to your PHI:

You have the right to request that we restrict the PHI we use or disclose about you for treatment, payment, or healthcare operations.

If you believe that a disclosure of all or part of your PHI may endanger you, you may request that we communicate with you regarding your information in an alternative manner or at an alternative location.

Generally, you have the right to inspect and copy your PHI that is contained in a designated record set.
If you believe that your PHI is incorrect or incomplete, you may request that we amend your information.

You have a right to an accounting of certain disclosures of your PHI that are for reasons other than treatment, payment, or health care operations.

You may complain to us if you believe we have violated your privacy rights. You also may file a complaint with:
Secretary of the U.S. Department of Health and Human Services
200 Independence Avenue, SW, Washington, DC 20201.
Phone: (202) 619-0257 or Toll Free: (877) 696-6775

Please refer to the following information to inquire about the use of your PHI, to excuse your rights about your PHI, or to register a complaint submit your complaint in writing to:

Hopedale Medical Complex
Attn: Medical Records- Privacy Officer
P.O. Box 267
Hopedale, IL 61747
(309) 449-4286

Covered Entities
Our service locations are as follows:


Consent to Share Information with Family And Caregivers
There may be situations in which you want your medical provider to share information with family members, loved ones, or caregivers. If so, let your healthcare team know. They will assist you in the proper procedure for giving your consent to share specific information with specific people.


Website Privacy
Our commitment to the privacy of patient information extends to the use of our website. Any data we collect about you will be used only to help us develop customized programs and services suited to your needs and interests. We will not share your personal data with any party outside HMC.

Personal privacy is an important initiative to Hopedale Medical Complex. We hold the following privacy principles as being critical to our Internet privacy policy: Hopedale Medical Complex does not sell, trade, or otherwise convey the name, street address, telephone number, email address, or other personal identifiers supplied by visitors of our websites to outside parties.

Hopedale Medical Complex compiles non-personal information from our website visitors to provide regularly updated statistics. Such information allows us to better assess which resources best meet our visitors’ needs.

Hopedale Medical Complex provides an appropriate level of security in our computer systems, databases, and communication networks to protect website visitors’ information contained in our systems.

Please be advised that electronic mail and other internet communications channels are not necessarily secure against interception. While we take precautions, such as encrypting communications where appropriate, if your communication is very sensitive, or includes information like your diagnosis or medical history, you might want to send it by postal mail instead.