UHS Privacy Policies

UHS has developed a number of policies regarding the use and disclosure of protected health information (PHI), and for compliance with the HIPAA Privacy Rule. Copies of the UHS privacy policies and procedures are available on this website, or by contacting the applicable Facility Compliance Officer or the UHS Compliance Office. Below is a summary of UHS privacy policies.

UHS has developed written compliance policies and procedures that are designed to establish bright-line rules that help personnel carry out their job functions in compliance with federal healthcare program requirements, and to further the mission and objectives of UHS and its facilities. Copies of the UHS compliance policies and procedures are available on this website, or by contacting the applicable Facility Compliance Officer or the UHS Compliance Office. Below is a summary of UHS compliance policies.

1.0 – Facility Privacy Officer
Requires that Facilities designate a Privacy Officer responsible for developing, implementing and maintaining the Facility's privacy policies and procedures regarding the use and disclosure of protected health information (PHI) and for compliance with the HIPAA Privacy Rule. Provides a description and overview of the Facility Privacy Officer's role and responsibilities. Read the complete policy.

2.0 – Breach Notification
Establishes procedures for the notification of individuals, prominent media, and the Secretary of the U.S. Department of Health and Human Services, as appropriate, following the discovery of a breach of unsecured protected health information (PHI) by a Facility or its Business Associate(s), and to identify when the unauthorized acquisition, access, use or disclosure of unsecured PHI is a breach for notification purposes. Read the complete policy.

3.0 – Use and Disclosure Requiring Authorization
Identifies when Facilities may use and disclose PHI of patients pursuant to an Authorization. Read the complete policy.

4.0 – Notice of Privacy Practices
Outlines the policy and process for each Facility to distribute the Notices of Privacy Practices ("Notices") and obtain patient acknowledgment. Read the complete policy.

5.0 – Use And Disclosure For Treatment, Payment And Health Care Operations
Identifies the uses and disclosure of PHI for treatment, payment and health care operations. Read the complete policy.

6.0 – Minimum Necessary Policy
Establishes a policy and procedure for compliance with the "minimum necessary" requirements of HIPAA, in order to limit unnecessary or inappropriate access, use and disclosure of PHI. Read the complete policy.

7.0 – Limited Data Sets And Data Use Agreements
Describes limited data sets and data use agreements, explains their use, and outlines the contents and requirements for limited data sets and data use agreements. Read the complete policy.

8.0 – De-Identification Of Protected Health Information (PHI)
Provides a specific policy and procedures for the de-identification of PHI and the uses and disclosures of de-identified health information, in accordance with HIPAA. Read the complete policy.

9.0 – Disclosures For Armed Services, National Security And Other Specialized Government Functions
Identifies when Facilities may use and disclose PHI for Armed Services, national security and other specialized government functions. Read the complete policy.

10.0 – Disclosures To Clergy
Identifies when PHI may be disclosed to members of the clergy ("Clergy"). Read the complete policy.

11.0 – Disclosure Of Alcohol And Substance/Drug Abuse Records
Describes permissible disclosures of Alcohol and Substance/Drug Abuse Records. Read the complete policy.

12.0 – Patient Directory Policy
Describes the PHI that may be used to create patient directories at Facilities and who will have access to which particular information contained in the patient directories. Information on patients in behavioral health Facilities, in behavioral health or psychiatric departments, or in alcohol or substance/drug abuse programs will not be included in a patient directory. Read the complete policy.

13.0 – Photographs, Videotapes And Other Recordings Of Patients
Describes when photographs, videotapes and other recordings are allowed to be taken of patients and the purposes and manner in which these may be used or disclosed. Read the complete policy.

14.0 – Use And Disclosure For Research And Reviews Preparatory To Research
Assures that when research is conducted or reviews preparatory to research are performed involving the use or disclosure of PHI this is done in accordance with applicable HIPAA requirements. Read the complete policy.

15.0 – Use And Disclosure Of PHI For Marketing
Identifies when Facilities may use and disclose PHI for marketing purposes. Read the complete policy.

16.0 – Disclosures For Law Enforcement Purposes
Identifies and establishes guidelines for when Facilities may use and disclose PHI for law enforcement purposes without a patient authorization or providing an opportunity for the patient to object. Read the complete policy.

17.0 – Disclosures To Correctional Institutions Or Law Enforcement With Lawful Custody
Identifies when Facilities may use and disclose PHI of patients in a correctional institution and in the custody of law enforcement. Read the complete policy.

18.0 – Patient Rights Under The HIPAA Privacy Rule
Provides an overview of patient rights under the HIPAA Privacy Rule. Read the complete policy.

19.0 – Patient Requests To Access PHI
Identifies and establishes guidelines for when a patient (or authorized personal representative, as applicable) has the right to access his or her PHI that is maintained as medical records and billing records used, in whole or in part, by or for a Facility to make decisions about patients, known as the "designated record set." Read the complete policy.

20.0 – Patient's Request To Amend PHI
Identifies and establishes guidelines for when a patient has the right to amend his or her PHI that is maintained as medical records and billing records used, in whole or in part, by or for a Facility to
make decisions about patients, known as the "designated record set." Read the complete policy.

21.0 – Patient's Rights To Request Use Or Disclosure Restrictions And Alternative Communications
Establishes guidelines for handling: (1) patient requests for a restriction on the use or disclosure of PHI; and (2) patient requests to receive communications of PHI by alternative means. Read the complete policy.

22.0 – Responding To Patient Complaints And Other Privacy-Related Complaints
Identifies and establishes the process for patients to submit complaints if they believe their privacy has been violated or concerning the Facility's privacy policies and procedures, including breach notification issues, and how they are notified about the complaint process. Read the complete policy.

23.0 – Accounting Of Disclosures
Identifies and establishes procedures for providing, upon request of a patient or authorized personal representative, as applicable, an accounting of disclosures of PHI made by a Facility. Read the complete policy.

24.0 – Overview Of The Uses and Disclosures of PHI
Provides an overview of permissible uses and disclosures of PHI and to cross reference applicable UHS privacy policies addressing uses and disclosures in these situations. Read the complete policy.

25.0 – Uses And Disclosures Requiring An Opportunity To Agree/Object
Identifies and establishes guidelines for when Facilities may use and disclose PHI that require an opportunity for the individual to agree or object. Read the complete policy.

26.0 – Uses And Disclosures Not Requiring Authorization Or Opportunity For Patient To Agree/Object
Identifies and establishes guidelines for when Facilities may use and disclose PHI without a patient authorization or providing an opportunity for the patient to agree or object. Read the complete policy.

27.0 – Business Associates and Business Associate Agreements
Establishes a policy on disclosing PHI to business associates of the Facility. Read the complete policy.

28.0 – Personal Representatives
Provides information to Facilities on requirements relating to personal representatives, who must be treated as the patient for the purposes of using or disclosing PHI under HIPAA. Read the complete policy.

29.0 – Facility Sanctions Policy
Establishes a sanctions policy under which Facilities will apply appropriate counseling and sanctions against members of their workforce who fail to comply with policies and procedures. Read the complete policy.

30.0 – HIPAA Privacy Training Policy
Describes the HIPAA privacy training requirements for all Facility workforce members. Read the complete policy.

30.0 – Online Privacy Policy
Establishes a policy under which users of the UHS website(s) understand the company’s policy as it relates to collection and/or retention of user data, security and disclosure of information. Read the complete policy.