Geisinger Notice of Privacy Practices
Geisinger* Notice of Privacy Practices ("Notice")
Effective date: Dec. 1, 2021
This Notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
If you have any questions about this Notice, you may ask a member of the staff where you receive health care services. You may also contact our Privacy Office at:
System Privacy Office
100 N. Academy Ave.
Danville, PA 17822
This Notice applies to all Geisinger HIPAA covered entities except Marworth, Geisinger Health Plan, Geisinger Indemnity Insurance Company (doing business as Geisinger Health Options) and Geisinger Quality Options, Inc. (doing business as Geisinger Choice). To request the Notice for Marworth, Geisinger Health Plan, Geisinger Indemnity Insurance Company and Geisinger Quality Options, Inc., contact our Privacy Office.
You may always obtain our most current Notice online at geisinger.org/about-geisinger/corporate/corporate-policies/hipaa. You may also obtain a copy by calling or writing our Privacy Office.
Our Uses and Disclosures
We may use and share your information as we:
- Treat you
- Run our organization
- Bill for services provided to you
- Help with public health and safety issues
- Do research
- Comply with the law
- Respond to organ and tissue donation requests
- Work with a medical examiner or funeral director
- Address workers’ compensation, law enforcement, and other government requests
- Respond to lawsuits and legal actions
See “Our Uses and Disclosures” below for more information.
You have the right to:
- Get a copy of your paper or electronic medical record
- Correct your paper or electronic medical record
- Request confidential communication
- Ask us to limit the information we share
- Get a list of those with whom we’ve shared your information
- Get a copy of this privacy notice
- Choose someone to act for you
- File a complaint if you believe your privacy rights have been violated
See “Your Rights” below for more information.
You have some choices in the way that we use and share information as we:
- Reach out to you via telephone, text, or email
- Provide disaster relief
- Include you in a hospital directory
- Provide mental health care
- Market our services
- Raise funds
See “Your Choices” below for more information.
Our Uses and Disclosures
How do we use and share your health information?
Under HIPAA, the information Geisinger collects about you as a patient is generally considered protected health information (PHI). Geisinger may only use and disclose your PHI pursuant to an authorization, or as otherwise permitted or required by law. We typically use or share your PHI in the following ways.
We will share your PHI with other professionals who are treating you.
This includes disclosure of your PHI to doctors, hospitals, pharmacies and other third parties who are involved in your care. For example, we will disclose your PHI to another physician to whom you have been referred, to the physician who referred you to us or to a home health agency that will be caring for you. We will use your PHI during continuum of care rounds which may include, without limitation, physicians, nurses, care managers, social workers, pharmacists, physical therapists, spiritual care workers and nutrition staff who are involved in your care. We may call your name in our waiting room when your doctor or other provider is ready to see you.
We will share your PHI so that we may bill for health care services and receive payments for the services you receive. This includes activities such as communicating your PHI to an insurance company.
Health care operations
We will use and disclose your PHI as necessary for health care operations such as to run our business, improve your care, and contact you when necessary.
For instance, our providers may serve the region by participating in medical education programs. We may disclose your PHI to the students and faculty of such programs. We may use your information to evaluate the performance of our staff and for training and education purposes.
How else can we use or share your PHI?
We are allowed or required to share your information in other ways – usually in ways that contribute to the public good, such as public health and research. We are required to meet many conditions in the law before we can share your information for these purposes. Some examples are provided below.
For more information, U.S. Health and Human Services maintains a website for patients regarding HIPAA at hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html.
Some of the services we provide are performed through contractual relationships with outside parties or business associates. These services may include (but are not limited to) financial, auditing and legal. We make efforts to only provide business associates with the minimum necessary amount of PHI to carry out their contractual duties. All business associate contracts restrict the ability of the business associate to further use or disclose your PHI so that it is appropriately safeguarded.
Individuals involved in your care
We may disclose your PHI to those people we reasonably believe are involved in your care, such as family members and friends.
To avert a serious threat to health or safety
We may use or disclose your PHI for reasons which include preventing a serious threat to your health and safety or the health and safety of others.
Cadaveric organ, eye and tissue donation
We may share the PHI of organ donors to organizations that assist with such donations.
Specialized government functions
We may use or disclose your PHI for specialized government functions such as military, national security and presidential protective services.
We may disclose your PHI to handle your workers' compensation claims in compliance with applicable laws, rules and regulations.
Public health and safety
We may disclose your PHI for certain situations such as:
- Preventing disease
- Helping with product recalls
- Reporting adverse reactions to medicine
- Reporting suspected abuse, neglect, or domestic violence
- Preventing or reducing a serious threat to anyone’s health or safety
Health oversight activities
We may disclose your PHI to agencies of the government for activities authorized by law. These activities include monitoring health care systems and participation in government programs.
Lawsuits and disputes
We may disclose PHI about you in response to a court or administrative order, or in response to a subpoena.
We may disclose your PHI if asked to do so by a law enforcement official for reasons including (but not limited to) identifying or locating a suspect, a witness or a missing person, or investigating criminal activity.
Coroners, medical examiners and funeral directors
We may disclose PHI with a coroner, medical examiner, or funeral director when an individual dies.
Individuals in custody
If you are an inmate of a correctional institution or in the custody of a law enforcement official, we may disclose your PHI to the respective correctional institution or law enforcement official in accord with applicable laws, rules, regulations and our policies.
We may use or disclose your PHI for health research.
As otherwise permitted or required by law or legal process
We will disclose your PHI when we are required to do so by local, state or federal law or process of law including with the Department of Health and Human Services if the agency wants monitor Geisinger’s compliance with federal privacy law.
We may also disclose your PHI when we are otherwise permitted to do so under the law or pursuant to legal process.
Additional rights under Pennsylvania Law
Pennsylvania law may further limit how we use or share your PHI including HIV-related records, records of alcohol or substance use disorder, inpatient mental health records and involuntary outpatient mental health treatment records. If Pennsylvania law applies to your PHI, we will use and disclose your PHI in compliance with these more restrictive laws.
Additional rights under New Jersey Law
New Jersey law may further limit our uses and disclosures in the case of your PHI. This includes AIDS/HIV-related information, venereal disease information, genetic information, tuberculosis information, mental health information, certain drug and alcohol treatment information and certain information related to the emancipated treatment of a minor (e.g., where the minor seeks emancipated treatment for pregnancy or treatment related to minor's child or a sexually transmitted disease). If New Jersey law applies to your PHI, we will use and disclose your PHI in compliance with these more restrictive laws and will obtain your specific authorization before using or disclosing these types of information where we are required to do so.
We may hold reunions for various patient groups to celebrate their success in treatment. If you are or were part of such a patient group, we may use your PHI to invite you.
Receiving payment for PHI
Unless allowed by law, Geisinger will not sell your PHI, and may not receive payment directly or indirectly for your PHI without your authorization.
Shared Electronic Health Record
Geisinger provides a shared electronic health (EHR) record. Entities that participate in our shared EHR, now and in the future, will be able to use and disclose your PHI as described in their Notice of Privacy Practices if they have a treatment relationship with you. A list of entities participating in our EHR is provided below.
We believe that having a complete picture of your health status is important to providing quality medical care. This can be especially important in the case of an emergency room visit and when coordinating your care among covered entities (as defined by HIPAA).
The covered entities participating in the shared EHR (as described above) will only disclose PHI related to substance abuse disorder, your inpatient/involuntary mental health treatment records, or HIV/AIDS related treatment and testing records to covered entities outside the shared EHR as required or permitted by law or with your consent.
If you wish to share this PHI to facilitate treatment, payment and healthcare operations (each as defined by HIPAA), we ask that you review and sign a Universal Authorization (UA). The UA has recently been updated and is available at our offices or online at www.geisinger.org/about-geisinger/corporate/corporate-policies/hipaa.
If you have previously signed a UA, you do not need to take any further action to share this information as acknowledgment of this Notice of Privacy Practices serves as your consent to continue to share this information. If you do not sign the acknowledgement, we will turn off the sharing of this sensitive data until you either sign a new UA or the acknowledgement of the updated UA.
You can revoke a UA at any time by contacting our Privacy Office.
Your right to inspect and copy
You have the right to inspect and receive a copy (paper or electronic) of your PHI that may be used to make decisions about your care. You may also direct us in writing to transmit your PHI to another entity or individual.
To do so, you must complete a Patient Access Request Form. You can obtain the form and instructions online at https://www.geisinger.org/patient-care/patients-and-visitors/medical-records.
You may also obtain a copy of the form by contacting our Health Information Management Department directly using the contact information on the last page of this Notice. If you need assistance completing the form, please contact the Privacy Office. The contact information for the Privacy Office is located on the last page of this Notice.
Note that you will be charged a reasonable cost-based fee. Note also that we may deny your request to inspect and receive a copy of your PHI in very limited circumstances. If you are so denied, in some cases, you may request that such denial be reviewed. We will comply with the outcome of such review.
Certain disclosures require authorization. For example, in general, for our Pennsylvania patients, Geisinger will not disclose inpatient mental health records or involuntary outpatient mental health records unless you sign an authorization, or a specific exception applies.
If you provide us with a written authorization to disclose your PHI, you may revoke (cancel) it at any time. Your revocation (cancellation) must be in writing. We are not able to take back any uses or disclosures that we already made with your authorization.
You may also wish to grant another individual or entity the right to access, discuss, or obtain copies of your PHI. To do so, you must complete an authorization form that complies with the law. Geisinger provides several HIPAA compliant authorizations online at geisinger.org/about-geisinger/corporate/corporate-policies/hipaa.
Your right to amend
We are required to retain your PHI regarding the care and treatment that we provided to you in accordance with applicable law. You have the right to an amendment of PHI or a record about you in a designated record set for so long as your PHI is maintained in the designated record set. However, we may deny such a request in the following circumstances:
- The record was not created by Geisinger, unless you provide us with a reasonable basis to believe that the originator of PHI is no longer available to act on the requested amendment.
- The record is not part of the designated record set.
- The record would not be available for inspection under 45 CFR 164.524.
- The record is accurate and complete.
Generally, we must respond in writing to your request within sixty (60) days. However, we may extend the time for such action by no more than thirty (30) days as provided under HIPAA. If we do not agree to your request, you have the right to submit a statement of disagreement that we must add to your medical record. The contact information for the Privacy Office is located on the last page of this Notice.
Your right to an accounting of disclosures
You have the right to an accounting of disclosures. This is a list (accounting) of the times we've disclosed your PHI for six years prior to the date you ask, who we've shared it with and why. In compliance with the law, we will include all the disclosures except for those about treatment, payment, and health care operations, and certain other disclosures (such as any you have asked us to make). We will provide you with an accounting of disclosures if you request it and in accord with the law. Contact our Privacy Office to make such a request.
Your right to notification
We are required by law to maintain the privacy and security of your PHI. We will let you know promptly if a breach occurs that may have compromised the privacy or security of your information. This will be done by mail or by other means if necessary.
Your right to request restrictions
You have the right to request restrictions on the PHI we use or disclose about you for treatment, payment and health care operations. We are not required to agree to your request, and generally, we will not accept requests for such restrictions.
As required by law, if you have paid out of pocket for a health care service or item, you have the right to ask us to not tell your insurance company about such service or item for purposes other than treatment. We will not share the PHI regarding such care with your insurer for purposes of payment or health care operations.
Your right to request confidential communications
You have the right to make a reasonable request that we communicate with you regarding your PHI in a certain way or at a certain location (for example, home or office phone). Such reasonable requests may include, when appropriate, how information as to payment for services we provide to you will be handled. We may require you to make this request in writing to the manager of your care site.
Your right to a paper copy of this Notice
Generally, you have a right to obtain a paper copy of this Notice. You may ask us to give you a copy of this Notice at any time, even if you have agreed to receive this Notice electronically. You may also obtain a paper copy of this Notice at the registration desk at your next appointment.
Changes to this Notice
We may change this Notice at any time. We may make the revised or changed Notice effective for PHI we already have as well as any PHI we receive in the future. We will post a current copy of this Notice in our hospitals and clinics. On the first page of the Notice, in the top right corner, you will find the effective date of that Notice.
If we make a material change to uses and disclosures, your rights, our legal duties or other privacy practices stated in this Notice, we will promptly revise and distribute our changed Notice. Except when required by law, a material change to any term of this Notice may not be implemented prior to the effective date of the revised Notice.
If you believe your privacy rights have been violated, you may file a complaint with our privacy officer and/or the secretary of the U.S. Department of Health and Human Services. We have provided both addresses on the last page of this Notice. To file a complaint with the Privacy Office, please call 570-271-7360.
The covered entities of Geisinger value your right to privacy. You will not be retaliated against for filing a complaint.
Other uses of your PHI
Other uses and disclosures of your PHI not covered by the categories included in this Notice or applicable laws, rules or regulations will be made only with your written permission or authorization.
We are required to abide by the terms of this Notice.
Phone Calls, Texting, and E-Mail
When you provide Geisinger with your telephone number, including your cellphone or mobile number, or e-mail you are consenting to give Geisinger permission to contact you via a phone call, text or email for certain important messages related to your healthcare. These communications can include, but are not limited to, appointment reminders, change in office hours or office closings, billing and payment issues, and other healthcare related messages. Some of these message may be generated by an automated dialing system or include a prerecorded voice. Be aware that text and messaging rates may apply.
When we contact you, we will provide you with the opportunity to opt out of similar communications in the future (such as by replying “STOP” to a text message). You may also opt out of these communications at your provider’s office, online at MyGeisinger, or my contacting our Privacy Office.
At any time, you may instruct Geisinger to stop all future texts by contacting our Privacy Office.
We may contact you via mail, telephone, text or email to remind you of an upcoming appointment. We may leave you a message that includes the date, time and general information about an upcoming appointment.
If you do not wish to receive appointment reminders, notify your health care professional.
Communicating with Geisinger Using Unsecure Electronic Communications
We recommend that you use secure electronic communications, such as our patient portal MyGeisinger, when you contact us. Using unsecure electronic communications, such as regular email or text messaging, may result in certain risks such as interception by others or storage of your information on devices that are unsecured. If you choose to communicate with us via unsecure electronic communication, you are agreeing to accept these risks. Note that we may respond to you in the same manner to the email address or phone number from which you sent your text.
Email and texting are not a substitute for professional medical advice, diagnosis or treatment and should not be used in a medical emergency.
We will not share your PHI for marketing purposes or accept any payment for marketing communications without an authorization. However, we may use or share your PHI for communications that are not considered marketing. For example:
- Contact you to give you information about products or services related to your treatment
- Contact you to encourage you to maintain a healthy lifestyle and get recommended tests, participate in a disease management program, and tell you about government sponsored health programs
- Have face to face communications with you regarding products and services that are appropriate for your care
- Provide you with promotional gifts of nominal value
- Remind you to take and refill your medications, or otherwise communicate with you about a drug or biologic that is currently prescribed to you. Any payment we receive, direct or indirect, may only cover the reasonable cost to us of making the communication
- Provide you with information about treatment alternatives or other health-related benefits and services that may be of interest to you
Unless you tell us not to, we will include certain information about you in the hospital directory if you are admitted to one of our hospitals. This information may include your name, your location in the hospital, your general condition, your religious affiliation and whether you wish to have our spiritual care chaplains visit you.
This information may also be disclosed to people who ask for you by name such as your relatives, friends and the media. Your religious affiliation may be given to community clergy even if they don't ask for you by name.
You may opt of participating in the Hospital Directory at the time of admission or anytime thereafter.
Spiritual care staff
Our doctors and other health care providers work with our spiritual care chaplains as part of the treatment team at our hospitals, unless you tell us that you do not want our spiritual care chaplains to be involved. Spiritual care chaplains may call on you during your hospital stay.
You may opt out at the time of your admission or anytime thereafter.
We may use or disclose certain information for the purposes of fundraising for Geisinger Health Foundation entities. The money raised will be used to expand and improve the services and programs we provide to the community. You are free to opt out of solicitation at any time and your decision will have no impact on your treatment or payment for services. If you do not wish to participate in future fundraising activities, call 800-739-6882.
Health Information Exchanges
Geisinger participates or is required to participate in certain information sharing networks for treatment, payment or healthcare operation. Exchange of health information can provide better coordination of care, faster access, and assist in making more informed decisions regarding your care.
When we participate in any such exchange, your PHI will only be shared as permitted or required under HIPAA and other applicable federal and state privacy laws. Below is some additional information related to some of these exchanges.
Keystone Health Information Exchange (“KeyHIE Exchange)
Keystone Health Information Exchange, Inc. (“KeyHIE”) is a business associate of Geisinger, and other participating covered entities. KeyHIE maintains and operates the Keystone Health Information Exchange (“KeyHIE Exchange”), which is a certified health information organization participating in the Pennsylvania Patient & Provider Network ("P3N").
The KeyHIE Exchange enables the secure exchange of PHI to improve health care delivery and health care outcomes. P3N was established by Pennsylvania law (Act 121) and is part of a federal initiative to electronically share PHI. The Pennsylvania eHealth Partnership Authority (the "Authority") has been charged with building the Pennsylvania network.
Geisinger participates in the KeyHIE Exchange. At any time, you may instruct Geisinger to stop sharing your PHI through the KeyHIE Exchange by contacting the Privacy Office. Our phone number and address are provided on the last page of this Notice. The Authority also maintains a separate P3N Opt-Out Registry. The opt-out form is online at paehealth.org.
We may use or disclose your PHI in connection with an HIE that we may participate in, for treatment, payment and health care operations purposes, such as to ascertain whether you have health insurance and what it may cover, and to evaluate and improve the quality of medical care provided to all our patients. Other healthcare providers and health plans may also have access to your information in the HIE for similar treatment, payment and healthcare operations purposes to the extent permitted by law. You have the right to "opt out" or decline to participate in the HIEs. If you have not opted out of the HIE, your PHI will be available through the HIE to participating health care providers and health plans in accordance with this Notice of Privacy and the law.
The contact information for our Privacy Office is:
System Privacy Office
100 N. Academy Ave.
Danville, PA 17822
The address for the Health Information Management Department is:
Geisinger Health Information Management Department
Medical Reports MC 13-11
100 N. Academy Ave.
Danville, PA 17822
The address for the United States Department of Health and Human Services is:
U.S. Department of Health and Human Services
200 Independence Ave. SW
Washington, DC 20201
Important notice to patients who are not residents of the United States
CONSENT TO PROCESSING YOUR INFORMATION IN THE UNITED STATES
The covered entities of Geisinger Health only provide health care and related services in the United States. We are subject to the United States laws and regulations that govern the privacy and security of patient healthcare information, as well as consumer protection laws and regulations of the United States and its individual states, as applicable. If you are a citizen or resident of a different country, the data protection laws of your country may differ as to how your personal information is protected. We want you to understand that when you provide your personal information to us, or direct your healthcare provider to provide your information to us, your personal information will be transmitted to and processed in the United States. In doing that, you will be giving the covered entities of Geisinger Health your consent to process your information in the United States, in accordance with United States law, for our legitimate purpose in fulfilling your request or addressing your healthcare needs.
If you would like information about how Geisinger processes your personal information, please address your request to our Privacy Office at 570-271-7360 or at SystemPrivacyOffice@geisinger.edu. We will respond to your request in accordance with applicable U.S. laws.
Throughout this Notice of Privacy Practices (“Notice”), the terms “Geisinger” shall refer to the separate legal covered entities of Geisinger Health. Geisinger is comprised of Geisinger Health as parent and its subsidiaries, affiliates and members. Although Geisinger Health does not provide medical care or employ physicians, it is the corporate parent of the covered entities listed below, each of which is an individual corporate entity legally separate and distinct from Geisinger Health.
Unless a different Notice is provided and except as indicated above, this Notice will apply to all covered entities that Geisinger Health may acquire or affiliate with or that become our members in the future.
ORGANIZED HEALTH CARE ARRANGEMENT DESIGNATION
As covered entities, the below-listed separate GH corporate legal entities are participating in an Organized Health Care Arrangement (“OHCA”). These separate corporate legal entities may share PHI as necessary to carry out treatment, payment and healthcare operations relating to the OHCA and for other purposes as permitted or required by law.
- Geisinger Affiliated Covered Entities
- Geisinger Indemnity Insurance Company
- Geisinger Quality Options Inc.
- Geisinger Health Plan
AFFILIATED COVERED ENTITY DESIGNATION
The following Geisinger covered entities are under common control and designate themselves as a single covered entity known as the “Geisinger Affiliated Covered Entities” for purposes of the HIPAA privacy rule. The Geisinger Affiliated Covered Entities are:
- Geisinger Clinic (all sites)
- Geisinger Medical Center (including its Geisinger Shamokin Area Community Hospital Campus)
- Geisinger Wyoming Valley Medical Center (including Geisinger South Wilkes-Barre Campus)
- Geisinger Community Health Services
- Geisinger Bloomsburg Hospital
- Geisinger Health Plan (Added Jan. 23, 2020)
- Geisinger Jersey Shore Hospital
- Geisinger Lewistown Hospital
- GNJ Physicians Group PC
- Geisinger Pharmacy LLC
- Community Medical Center d/b/a Geisinger Community Medical Center
- Family Health Associates of Geisinger-Lewistown Hospital
- West Shore Advanced Life Support Services Inc.
- Geisinger Medical Center Muncy (December 2021)
ENTITIES PARTICIPATING IN THE GEISINGER SHARED ELECTRONIC HEALTH RECORD (EHR)
- All Geisinger Affiliated Covered Entities
- Caring Community Health Center, a Pennsylvania nonprofit corporation
- Susquehanna Valley Medical Specialties PC
- Penn State Health
Last revision date: December 1, 2020