HIPAA Privacy Notice


Effective Date: August 2013

This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.


The purpose of this notice (“Notice”) is to inform you of how your health information may be handled in accordance with the Health Insurance Portability and Accountability Act of 1996 (also known by its acronym, “HIPAA”). This law protects information about you or your medical condition that identifies you as a patient (also referred to as “protected health information” or “PHI”). This Notice describes the privacy practices that will be followed by University of Maryland Shore Regional Health and its affiliates listed below (collectively, “UM Shore Regional”), and others who are permitted to use or disclose your protected health information, as well as UM Shore Regional’s legal obligations regarding the use or disclosure of your protected health information and your rights with respect to UM Shore Regional’s use and disclosure of such information.

Understanding Your Health Record & Health Information

Each time you visit a hospital, physician, or other health care provider, a record of your visit is created. Typically, this record contains your symptoms, examination and test results, diagnoses, treatment, and a plan for future care or treatment. This information, often referred to as your health or medical record, serves as a:

  • basis for planning your care and treatment;
  • means of communication among the many health professionals who contribute to your care;
  • legal document describing the care you received;
  • means by which you or a third-party payer can verify that services billed were actually provided;
  • tool in educating health professionals;
  • source of data for medical research;
  • source of information for public health officials charged with improving the health of the nation;
  • source of data for facility planning and marketing; and/or
  • tool with which we can assess and continually work to improve the care we render and the outcomes we achieve

Understanding what is in your record and how your health information is used helps you to:

  • ensure its accuracy;
  • better understand who, what, when, where, and why others may access your health information; and
  • make more informed decisions when authorizing disclosure to others.

This Notice applies to the following health care organizations:

  • Shore Regional Health, Inc. d/b/a University of Maryland Shore Regional Health
  • Shore Health System, Inc.
  • Shore Clinical Foundation, Inc.
  • Chester River Hospital Center, Inc.
  • Chester River Home Care & Hospice, LLC
  • Chester River Manor, Inc.
  • Care Health Services, Inc.
  • Innovative Health, LLC
  • Memorial Hospital Foundation, Inc.
  • Dorchester General Hospital Foundation, Inc.
  • Chester River Health Foundation, Inc.

UM Shore Regional, the members of its Medical Staff, and other health care providers affiliated with the UM Shore Regional typically work together in a clinically integrated setting to provide you with health care. In such settings, HIPAA permits the use of a single Notice to describe how the UM Shore Regional, Medical Staff members, and other health care providers who participate in our organized health care arrangements may use or disclose your health information. This Notice applies only to care provided to you through programs and facilities of UM Shore Regional.

Our Responsibilities. This organization is required to:

  • maintain the privacy of your protected health information;
  • provide you with a notice as to our legal duties and privacy practices with respect to information we collect and maintain about you;
  • notify you following a breach of your unsecured protected health information; and
  • abide by the terms of this Notice.

We reserve the right to change this Notice and to make the revised Notice effective for all PHI currently in our possession as well as any PHI we receive in the future. We will post a copy of the current Notice in the facilities of each member of the UM Shore Regional and on our website. The Notice will contain on the first page, in the top right-hand corner, the effective date. In addition, each time you register at or are admitted to a participating entity for treatment or health care services you will be offered a copy of the current Notice. Unless and until changes to the Notice are made, UM Shore Regional is required by law to comply with this Notice of Privacy Practices. You will be able to tell when changes have been made to the Notice of Privacy Practices by referring to the upper right hand corner of the Notice, which will include the revision date of that Notice.

How We Use And Disclose Your PHI

Use And Disclosure Of PHI For Treatment, Payment And Health Care Operations.

We are permitted by law to use or disclose your PHI for treatment, payment and our health care operations. Some examples of the ways in which we may use and disclose PHI for these purposes are described below. These examples are not meant to be exhaustive, but to describe the types of uses and disclosures that may be made by UM Shore Regional.

Use and Disclosure of PHI for Treatment

Protected health information obtained or created by a physician, nurse or other member of your health care team will be recorded in your medical record and used and disclosed to determine the course of treatment and coordinate your care. Your physician may document a course of treatment in your record along with his or her expectations about your response to the treatment. Members of your health care team may then record the actions they carried out in relation to your care along with their observations of your response to treatment. In that way, the treatment team can collaborate and understand how you are responding to treatment. We may also provide your physician or a subsequent health care provider with copies of various reports that should assist in providing, coordinating and managing your care in other settings.

Use and Disclosure of PHI for Payment

A bill may be sent to you or a third-party payer or we may share information with a person who helps pay for your care. The information on or accompanying the bill may include information that identifies you, as well as your diagnosis, procedures, and supplies used.

Use and Disclosure of PHI in support of our Health Care Operations

In order to improve our health care operations, we may use and share PHI in connection with many quality improvement activities. For example, members of the medical and clinical staff, members of the quality improvement team, and participants in our organized health care arrangements may use protected health information to assess the care and outcomes in your case and others like it. This information would then be used in an effort to continually improve the quality and effectiveness of the health care and services we provide.

We may also use and disclose your PHI for:

  • Training purposes, to provide training and education to work force members and medical school and other professional students involved at our facilities;
  • Appointment and refill reminders, to contact you as a reminder that you have an appointment. This may be done via an automated calling system.
  • Health-related benefits and services to manage and coordinate your care and inform you about alternative treatments or other health-related benefits and services such as disease management programs, wellness programs, or other community-based activities in which we participate, including communications about entities affiliated with UM Shore Regional.
  • Philanthropic activities, to contact you as part of a fund-raising effort for the benefit of UM Shore Regional. We may disclose certain demographic information (e.g. your name, address, contact information, age, gender, and date of birth), dates of service, information about the department in which you received services, the identity of your treating physician, information about your treatment outcome, and your health insurance status to a foundation that is affiliated with us or to a third party business associate so that either party may contact you on our behalf. You have the right to opt-out of receiving fundraising communications by providing notice to us as described in each fundraising communication.
  • Marketing communications promoting health products or services if the communication is made face to face with you or the only financial gain consists of a promotional gift of nominal value provided by UM Shore Regional.

Uses and Disclosures of Protected Health Information Requiring an Opportunity for You to Agree or Object.

We may use or disclose your PHI without your authorization in limited circumstances when you are informed in advance of the use and disclosure and you have the opportunity to agree, object, or limit the use or disclosure. Unless you advise us of your objection to these uses, we will assume that the use of your PHI, as described in this section of the Notice, is acceptable to you. The types of uses or disclosures that require us to provide you with an opportunity to agree or object are set forth below.

Directory: Unless you notify us that you object, we may list your name, location in the facility, general condition, and religious affiliation in our directory.   Your location and condition may also be released to people who ask for you by name. Your religious affiliation may be given to a member of the clergy, such as a priest or rabbi. This information is provided so your family, friends and clergy can visit you at our facilities and generally know how you are doing. If you do not want us to list this information in our directory and provide it to clergy or others, you must tell us that you object.

Notification: We may use or disclose protected health information to notify, identify, or locate a family member, personal representative, or another person responsible for your care, to inform them of your health status or condition, or death (unless doing so is inconsistent with any prior expressed preference that is known to us). We may disclose your protected health information to a public or private entity authorized by law to assist in disaster relief efforts. If you are able and available to agree or object, we will give you the opportunity to object prior to making this notification. If you are unable or unavailable to agree or object, our health professionals will use their best judgment in communications with your family and others.

Communications with Family: Health professionals, using their professional judgment, may disclose to a family member, other relative, close personal friend or any other person you identify, protected health information relevant to that person’s involvement in your care or payment related to your care. These disclosures will be limited to the protected health information that is directly relevant to the individual’s involvement in your care or payment for your care.

Immunizations: We may provide proof of immunization to a school that is required by state or other law to have such proof with agreement to the disclosure by a parent or guardian of, or other person acting in loco parentis for, an unemancipated minor.

Other Permitted and Required Uses and Disclosures That May Be Made Without Your Authorization, or Without an Opportunity for You to Object.

In certain circumstances, we may use or disclose your protected health information without your authorization or objection. Some of the types of uses or disclosures that may be made without your permission are listed below, but not every use or disclosure of this type is listed.

Required by Law. We may disclose your protected health information to the extent state, federal, or local law requires us to do so.

Research Activities. In the absence of an authorization, we may disclose PHI to researchers, if:

  • the research has been approved through a special review process designed to protect patient safety, welfare and confidentiality. This process might be used, for example, to conduct records research, when researchers are unable to use de-identified information and it is not practicable to obtain research participants' authorization; or
  • we have received representations from the researcher, either in writing or orally, that the use or disclosure of the PHI is solely to prepare a research protocol or for similar purposes preparatory to research, that the researcher will not remove any PHI from UM Shore Regional, and that PHI for which access is sought is necessary for the research purpose. This provision might be used, for example, to design a research study or to assess the feasibility of conducting a study; or
  • we have received representations from the researcher, either in writing or orally, that the use or disclosure being sought is solely for research on the PHI of decedents, that the PHI being sought is necessary for the research, and, at the request of UM Shore Regional, documentation of the death of the individual about whom information is being sought.

Coroners, Medical Examiners and Funeral Directors: We may release PHI to a coroner or medical examiner for the purpose of identifying a deceased person, determining the cause of death, or for the coroner or medical examiner to perform other duties authorized by law. We may also disclose protected health information about patients of UM Shore Regional to funeral directors, as necessary to carry out their duties.

Organ Procurement Organizations. Consistent with applicable law, we may disclose protected health information to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of organs and tissues for the purpose of facilitating organ and tissue donation and transplant.

Food and Drug Administration (FDA) Reporting. We may disclose your protected health information to non-governmental entities subject to FDA regulation regarding the quality, safety, and effectiveness of FDA-regulated products and activities. For example, reporting reactions to medications or problems with medical devices, and providing notice of drug or medical device recalls.

Workers Compensation. We may disclose your protected health information to the extent authorized by and to the extent necessary to comply with laws relating to workers compensation or other similar programs established by law that provide benefits for work-related injuries or illnesses.

Public Health. We may disclose your protected health information to public health authorities for public health purposes. Some examples include: (i) preventing or controlling disease, injury, or disability; (ii) reporting and prevention of abuse, neglect, or domestic violence; or (iii) providing notice to a person who may be at risk for contracting or spreading a disease or condition and reporting disease or infection exposure.

Correctional Institution. Under certain circumstances, we may disclose your PHI to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual.

Law Enforcement. We may disclose your PHI under limited circumstances for law enforcement purposes such as:

  • identifying or locating a suspect, fugitive, material witness or missing person;
  • responding to a court order, subpoena, warrant, summons or similar process;
  • responding to a request for information about the victim of a crime;
  • responding to a request for information about a death we suspect may be the result of criminal conduct;
  • responding to a request for information about criminal conduct on the premises of UM Shore Regional; or
  • in emergency circumstances to report a crime.

Health Oversight Activities. Federal law makes provision for your protected health information to be released to an appropriate health oversight agency or public health authority for oversight activities authorized by law.

Judicial and Administrative Proceedings. We may disclose your protected health information in the course of any administrative or judicial proceeding, in response to a court or administrative order. In response to a subpoena, discovery request, or other process by someone else involved in the dispute, we may produce PHI when we receive assurances that efforts have been made to notify you and allow you to object to the request or to obtain an order protecting the information requested. We will limit the disclosure to the amount and type of information expressly required or authorized by the request.

Public Safety. We may disclose your health information to appropriate persons in order to prevent or lessen a serious and imminent threat to the health or safety of a particular person or the general public.

National Security and Intelligence Activities. We may disclose protected health information about you to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law, or other specialized government functions, for example, to protect the President, certain other governmental persons or foreign heads of state.

Uses and Disclosures of Protected Health Information Based Upon Your Written Authorization.

We may make other uses and disclosures of your PHI not covered by this Notice. Unless otherwise permitted or required by law, these uses and disclosures will be made only with your written authorization. Such uses and disclosure requiring patient authorization include the following:

Marketing. We must obtain your authorization prior to using or disclosing your PHI to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, except as otherwise described in this Notice or as permitted by law.

Sale of PHI. We must obtain your authorization prior to engaging in any activities that constitute a sale of PHI not permitted under HIPAA.

Psychotherapy. Most uses and disclosure of your psychotherapy notes will require your written authorization, except as otherwise described in this Notice or as permitted by law.

If you give authorization for UM Shore Regional to use or disclose your PHI, you may revoke that authorization in writing at any time. If you revoke your authorization, we will no longer use or disclose PHI as had been permitted by your written authorization. However, we are unable to take back any disclosures we have already made in accordance with your authorization.

Business Associates.

We may also disclose your PHI to third party “business associates” that perform various activities (e.g., billing, insurance, accounting and medical transcription services) for or on behalf of UM Shore Regional. Other examples include physician services in the emergency department and radiology, performance of certain laboratory tests, as well as a copy service we use to make duplicate copies of your health record. Our business associates may use, disclose, create, receive, transmit or maintain PHI during the course of providing services to us. Like UM Shore Regional, business associates are required under HIPAA to protect your PHI. Nevertheless, we will also have a written agreement in place with business associates governing their use and/or disclosure and the measures it must take to protect the privacy of your PHI.

Preemption of Maryland Law.

The federal health care Privacy Regulations generally do not “preempt” (or take precedence over) state privacy or other applicable laws that provide individuals greater privacy protections. As a result, to the extent state law applies, or other federal laws that are more stringent than HIPAA, we may be required to operate under that applicable privacy standard.

Your Rights

Although your health record is the physical property of the UM Shore Regional, the health care practitioner or facility that compiled it, the PHI contained within your health record belongs to you. You have the following rights with respect to your protected health information.

The Right To Request Restrictions Of Our Use And Disclosure.

You have the right to request that we restrict the use or disclosure of protected health information about you for treatment, payment or health care operations. You also have the right to request a limit on the protected health information we disclose about you to someone who is involved in your care or the payment for your care, like a family member or friend. For example, you could ask that we not use or disclose information about a medication prescribed to you to a family member. However, UM Shore Regional is not required to agree to the restrictions that you may request. If we agree, we will comply with your request unless the information is needed to provide you emergency treatment, or as otherwise permitted by law. We will notify you if we do not agree to a requested restriction.

Notwithstanding the above, you may request, and unless otherwise required by law, UM Shore Regional must honor your request, to restrict disclosure of PHI to a health plan (e.g., insurance company) for payment or health care operations if you or someone other than the health plan paid in full for the related items or services (i.e., out-of-pocket). Your request only applies to UM Shore Regional. If you want subsequent providers to abide by the same restriction, you must request the restriction from them and pay out-of-pocket for items or services provided by them. UM Shore Regional is not responsible for notifying subsequent healthcare providers of your request for restrictions on disclosures to health plans for items or services you pay to us out-of-pocket. This practice also applies for the health care organizations listed on page 2 of this Notice of Privacy Practices. To restrict disclosure of PHI to a health plan for items or services paid out-of-pocket to any of the health care organizations listed on page 2 of this Notice of Privacy Practices, you must make that request to the health care organization who provided those services listed on page 2 of this Notice of Privacy Practices.

To request restrictions, you must make your request in writing to our Hospital Privacy Officer, whose contact information can be found at the end of this notice. In your request, you must tell us:

  • what information you want to limit,
  • whether you want to limit our use, disclosure or both, and
  • to whom you want the limits to apply – for example, disclosures to your spouse.

The Right To Request Alternative Means Of Communication.

You have the right to request that we communicate with you about medical matters by alternate means or at an alternate location. For example, you may ask that we only contact you at your office or only by mail. If your request is reasonable, we will accommodate it. To request alternative means or locations for confidential communications, you must make your request in writing to our Hospital Privacy Officer, whose contact information can be found at the end of this Notice. Your request must specify how and/or where you wish to be contacted.

The Right To Inspect And Copy Your Health Record.

You have the right to inspect and obtain a copy of your PHI that may be used to make decisions about your care. This information includes medical records, but does not include psychotherapy notes, information compiled in reasonable anticipation of, or use in, a civil, criminal, or administrative action or proceeding, or protected health information that is subject to a law prohibiting your access to such information.

To inspect and obtain a copy of protected health information, you must submit your request in writing to the Health Information Management Department, Attn: Correspondence and you may specify that you want your PHI in an electronic format. UM Shore Regional will provide you with a copy in a readable electronic format that UM Shore Regional is readily able to produce. If you request a copy of the information, we may charge you a reasonable fee for the costs of labor for copying, mailing, or other supply costs associated with your request.

We may deny your request to inspect and obtain a copy in certain limited circumstances. If you are denied access to protected health information, you may be able to request a review of that decision. Depending on the circumstances, the decision to deny access may or may not be reviewable. If you make such a request, we will notify you as to whether the decision is reviewable. If reviewable, a different licensed health care professional chosen by UM Shore Regional will review your request and the denial. The person conducting the review will not be the person who denied your request. We will comply with the outcome of that review.

The Right To Amend Your Health Record.

You have a right to request that UM Shore Regional amend your health information that is used to make decisions about you if you believe that it is incorrect or incomplete. You have the right to request an amendment for so long as UM Shore Regional keeps the information.

To request an amendment, your request must be made in writing and submitted to the Health Information Management Department: Attn: Correspondence. In addition, we will require you to provide us with a reason for your request.

We may deny your request for amendment if it is not in writing. We may also deny your request if it does not include a reason to support the request. In addition, we may deny your request, in whole or in part, if you ask us to amend information that:

  • was not created by us, unless the person or entity that created the information is no longer available to make the amendment;
  • is not part of the protected health information used by UM Shore Regional to make decisions about you;
  • is not part of the information which you would be permitted to inspect and obtain a copy; or
  • is accurate and complete.

If your request to amend your medical information is denied, you may file a statement of disagreement with us. You also have a right to a copy of our rebuttal statement, if we choose to prepare one.

The Right To An Accounting Of Disclosures.

You have a right to receive an accounting of the disclosures of your protected health information made by UM Shore Regional. However, UM Shore Regional does not have to account for the disclosures made:

  • for the purpose of treatment or payment or in support of health care operations unless HIPAA provides otherwise;
  • to you or with your authorization;
  • incident to a use or disclosure otherwise permitted by this Notice;
  • so that we could include you in our directory listing, or notify or communicate with your family members or others involved in your care as provided elsewhere in this Notice;
  • in support of national security and intelligence activities;
  • as part of a limited data set; or
  • to correctional institutions or law enforcement officials as permitted by this Notice.

To request an accounting of disclosures, you must submit your request in writing to our Hospital Privacy Officer, whose contact information can be found at the end of this notice. Your request must include a time period of no longer than six years for which you are requesting an accounting of disclosures. We will provide an accounting for the period you request unless the period or right to receive the accounting is or may be limited under HIPAA. The first accounting you request within a 12-month period will be free. For additional requests, we may charge you for the costs of providing the accounting.

The Right to Notice of a Breach

You have the right to receive notice of any breach (i.e., the unauthorized use or disclosure) of your unsecured PHI, as defined under HIPAA.

The Right To A Paper Copy Of This Notice.

You have a right to a paper copy of this Notice of Privacy Practices. Paper copies are available at any patient registration area of UM Shore Regional.

An electronic copy of this notice is posted on the Internet at http://www.shorehealth.org/.

Complaints. If you believe your privacy rights have been violated, you can file a complaint with the Hospital Privacy Officer at:

Privacy Officer
University of Maryland Shore Regional Health
219 S. Washington Street
Easton, Maryland 21601

Complaints may also be made to:

Office of the Secretary, Department of Health and Human Services
200 Independence Ave. SW
Washington, D.C. 20201

There will be no retaliation for filing a complaint.

For More Information. If you have questions and would like additional information, you may contact the Privacy Officer at the address and telephone number listed above.

Addendum to notice of privacy practices

We have chosen to participate in the Chesapeake Regional Information System for our Patients, Inc. (CRISP), a statewide health information exchange. As a participant in CRISP, we may share and exchange information that we obtain or create about you for treatment and public health purposes, as permitted by applicable law. This exchange of health information can provide faster access to critical information about your medical condition, improve the coordination of your health care, and assist health care providers and public health officials in making more informed treatment decisions.

You have the right to “opt-out” of CRISP, which will prevent health care providers from accessing some of the information available through the exchange. However, even if you opt-out, a certain amount of your health information will remain in the exchange. Specifically, health care providers who participate in CRISP may continue to access certain diagnostic information related to tests, procedures, etc. that have been ordered for you (e.g., imaging reports and lab results), and they may send this information to other health providers to whom you have been referred for evaluation or treatment though CRISP’s secure messaging services. You may opt-out of CRISP by calling 1-877-952-7477, or by submitting a completed Opt-Out Form to CRISP by mail, fax, or through their website at www.crisphealth.org.