HIPAA Privacy Notice
Effective Date: April 14, 2002
Reviewed and Revised: August 2011
If you have any questions about this notice, please contact:
NYDH Patient Services Department (212) 312-5165
NYDH Health Information Management (646) 588-2653; or
NYDH Corporate Compliance Privacy Officer (212) 312-5135
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW THIS NOTICE CAREFULLY.
New York Downtown Hospital ("NYDH") is required by law to protect the privacy of health information that may reveal your identity ("Protected Health Information" or "PHI"). We are also required to provide you with a copy of this Notice, which describes the health information privacy practices of NYDH (including its medical staff, employees, trainees, students and volunteers).
When NYDH uses or discloses PHI it is required to abide by this Notice (or amended Notice in effect at the time of the use or disclosure of PHI).
You may obtain additional copies of this Notice by accessing the NYDH website at downtownhospital.org, calling the Corporate Compliance Privacy Officer at (212) 312-5135 or asking the registrar/receptionist for one at the time of your next visit.
WHO WILL FOLLOW THIS NOTICE
We may use your medical information for treatment, payment, hospital operations, research or fundraising purposes as described in this notice. Any health care professional who treats you at any of our hospital facilities/locations including all employees, medical staff, trainees, students, or volunteers follow these privacy practices.
This notice refers to practices of our hospital and medical staff, while you are a patient in the hospital. It also refers to the emergency department, outpatient services, such as our on and off site clinics, day surgery and physical therapy. If you seek care in your physician's private practice, other policies may apply. In this Notice we will refer to the above collectively as the "Provider".
ABOUT THIS NOTICE
This Notice of our privacy practices explains how we may use and disclose PHI in the course of providing treatment and services to you. It will also describe what rights you have with respect to your PHI, and certain obligations we have regarding the use and disclosure of medical information.
Rights you have with respect to your health information include:
* To inspect and obtain a copy of your PHI.
* To request that we amend PHI in our records.
* To receive an accounting of certain disclosures we have made of your health information.
* To request that we restrict the use and disclosure of your PHI.
* To request how and when we contact you about medical matters.
* To receive a paper copy of this Notice.
We are required by the Health Information Portability and Accountability Act of 1996 (Federal regulation 45 CFR §164.520) to:
* Make sure that medical information that identifies you is kept private;
* Give you this notice of our legal duties and privacy practices with respect to your medical information; and,
* Follow the terms of the notice that are currently in effect.
WHAT INFORMATION IS PROTECTED?
The Provider is committed to protecting the privacy of information gathered about you while providing health-related services. This includes any information that may identify you in connection with your health care. Some examples of protected health information or "PHI" are:
* Information about your health condition (such as medical conditions and test results you may have);
* Information about health care services you have received or may receive in the future (such as a surgical procedure);
* Information about your health care benefits under an insurance plan (such as whether a prescription is covered);
* Geographic information (such as where you live or work);
* Demographic information (such as your race, gender, ethnicity, or marital status);
* Unique numbers that may identify you (such as your social security number, your phone number, or your driver's license number);
* Biometric identifiers, such as fingerprints;
* Full face photographs; and
* Other types of information that may identify who you are.
Go to Top
HOW WE MAY USE AND DISCLOSE YOUR PHI
The following categories describe different ways that we use and disclose medical information. For each category of uses or disclosures, we will explain what we mean and give examples. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one or more of the categories.
1. Treatment, Payment and Health Care Operations:
The Provider and its medical staff, other health care professionals and professional trainees may use your PHI or share it with others to the extent that such information is necessary in order to treat your medical condition, obtain payment for that treatment, and carry out the Provider's normal health care operations. Your PHI may also be shared with affiliated Providers and other health care operations along with the Provider. Subject to certain exceptions, access, use or disclosure of your PHI will be limited to a "Limited Data Set" or, if necessary, the minimum amount of information necessary to accomplish the purpose of a particular use, disclosure or request within the scope of an individual's employment. The minimum necessary standard does not apply in certain circumstances, such as disclosure for treatment purposes or to you, the patient. Below are further examples of how your information may be used without your specific authorization.
The Provider may share your PHI with caregivers at the Provider who are involved in your care such as doctors, nurses, technicians, medical students, or other Provider personnel who are involved in taking care of you. For example, a doctor treating you for a broken leg may need to know if you have diabetes, because diabetes may slow the healing process. In addition, the doctor may need to tell the dietician if you have diabetes so that we can arrange for appropriate meals. Different departments of the Provider also may share medical information about you in order to coordinate the different things you need, such as prescriptions, lab work and x-rays. The Provider also may disclose medical information about you to people outside the Provider who may be involved in your medical care.
The Provider may use your PHI or share it with others so that it can obtain payment for health care services the Provider provides to you. For example, the Provider may share information about you with your health insurance company in order to attain reimbursement after you have been treated. The Provider might also need to inform your health insurance company about your health condition in order to obtain pre-approval for your treatment, such as admission to the Provider for a particular type of surgery. Finally, the Provider may share your PHI with other health care providers so that they can obtain payment for services they provide to you as permitted by law.
c. Health Care Operations.
The Provider may use or disclose your PHI in order to conduct its normal health care operations, which include internal administration and planning and various activities that improve the quality and cost effectiveness of the care that the Provider delivers to you. For example, the Provider may use your PHI to evaluate the quality and competence of its physicians, nurses and other health care workers. The Provider may also use your PHI to educate students and trainees in health related professions. Other examples of health care operations include legal, accounting and transcription services which may be performed through contracts with outside organizations designated as Business Associates. All such contracts will include provisions that the Business Associate also protects the privacy of your PHI. In addition, the Provider may share your PHI with other health care providers who have provided services to you in order for them to conduct certain business activities such as activities designed to improve the quality of care or reduce health care costs, to conduct clinical training programs, and to evaluate the experience and performance of its medical staff.
d. Communication Barriers.
The Provider may use and disclose your PHI if it is unable to obtain your consent because of substantial communication barriers, and believes you would want the Provider to treat you if it could communicate with you.
e. Appointment Reminders, Treatment Alternatives, Benefits, and Services.
In the course of providing you treatment, the Provider may use your PHI to contact you to provide you with appointment reminders or information about treatment alternatives or health care related benefits or services, which may be of interest to you.
f. Fundraising Activities.
To support business operations, the Provider may use demographic information about you in order to contact you to raise money to support the operations of the Provider. This may include information about your age and gender, your name, where you live or work, and the dates that you have received treatment. The Provider may also share this information with a charitable foundation that may contact you to raise money on the Provider's behalf. You will be given an opportunity to elect not to receive further fundraising communications; your revocation will be treated as a revocation to any prior authorization to receive fundraising communication. If you do no want to be contacted for these fundraising efforts, you may do so by following the procedures described in fundraising letters you receive, or you may notify the Office of Development in writing as follows:
Director of Development
New York Downtown Hospital
170 William Street
New York, NY 10038
2. Patient Directory:
We may include certain limited information about you in the Provider's directory while you are a patient at the Provider so your family, friends and clergy can visit you in the Hospital and generally know how you are doing. This information may include your name, location in our facility, your general condition (e.g., fair, stable, etc.) and your religious affiliation. The information in the directory, except for your religious affiliation, may be released to people who ask for you by name. This information, including your religious affiliation, may be given to a member of the clergy, such as a priest or rabbi, even if they don't ask for you by name. You may specifically request that we not include you in the directory when you register or by contacting the Admitting Office at (212) 312-5106 between the hours of 9 a.m. and 5 p.m.
3. Family and Friends Involved in Your Care
The Provider may disclose your PHI to a family member, personal friend or any other person identified by you provided that you are present for, or otherwise available prior to the disclosure, you have the capacity to make your own health care decisions, you have been given an opportunity to object to the disclosure and have not done so. If you are not present, you are incapacitated, or in an emergency circumstance, we may exercise our professional judgment to determine whether a disclosure is in your best interests, provided that we only disclose information that is directly relevant to the person's involvement with your health care or payment related to your health care. We may also disclose PHI to disaster relief organizations in order to notify (or assist in notifying) such family members of friends of your location, general condition, or death. In these instances, we may request a verification of identity and authority of persons requesting medical information (per Federal regulation 45 CFR §164.514(h)). Information may also be shared with a legally authorized Personal Representative, such as the parent or guardian of a minor, a health care agent, DNR surrogate, or court appointed guardian with health care decision making authority. However, portions of the medical record relating to sexual activity, sexual conduct, tests for sexually transmitted diseases, contraception, family planning, abortion or mental health services may not be accessible to the parent or guardian of a minor unless specific written authorization from the minor patient is received, except as otherwise provided in this Notice. Moreover, the Provider will not share PHI with third parties, including parents or legally appointed guardians of children or adults if the attending physician determines that access to the information requested would pose a serious risk to the mental or physical well-being of the patient or third party, or be detrimental to the relationship between the parents or guardians and the patient.
When required by law, the Provider will ask for your specific written authorization before using your PHI or sharing it with others in order to conduct research. For example, if the researcher will have access to your name, address or other information that reveals who you are, or will be involved in your care at our facility. However, under some circumstances, the Provider may use and disclose your PHI without your authorization if the Provider obtains approval through a special process to ensure, among other things, that research without your authorization poses minimal risk to your privacy and could not reasonably be performed without waiving your consent. Under no circumstances, however, would the Provider allow researchers to use your PHI publicly. The Provider also may release your PHI without your authorization to people who are preparing a future research project, so long as any information identifying you does not leave the facility. In the event of your death, the Provider may share your PHI with people who are conducting research using the information of deceased persons, as long as they agree not to remove from the facility any information that identifies you.
5. Completely De-identified or Partially De-Identified Information
The Provider may use and disclose your PHI if we have removed any information that has the potential to identify you, so that the PHI is "completely de-identified." The Provider also may use and disclose "partially de-identified" PHI about you if the person who will receive the information signs an agreement to protect the privacy of the information as required by federal and state law. Partially de-identified PHI will not contain any information that would directly identify you (such as your name, street address, social security number, phone number, fax number, electronic mail address, website address or license number).
6. Incidental Disclosures
While the Provider will take reasonable steps to safeguard the privacy of your PHI, certain disclosures of your PHI may occur during or as an unavoidable result of our otherwise permissible uses or disclosures of your PHI. For example, during the course of a treatment session, other patients in the treatment area may see or overhear discussion of your PHI. These are considered to be "incidental disclosures" and therefore are permissible by law.
7. As Permitted or Required by Law
The Provider may use your PHI and share it with others, as required by law. For example, the Provider will disclose information if required to do so pursuant to a court order. In addition the Provider may use or share PHI concerning mental health services patients as noted below:
a. Pursuant to a Court Order.
The Provider may disclose your PHI pursuant to an order of a court of record requiring disclosure upon a finding by the court that the interest of justice significantly outweighs the need for confidentiality.
b. Mental Hygiene Legal Service.
The Provider may disclose your PHI to the mental hygiene legal service if they are acting as your personal representative.
c. Involuntary Hospitalization Proceedings.
The Provider may disclose your PHI to the attorney(s) who may represent you in any involuntary hospitalization proceeding if the attorney has made a good faith attempt to provide you with a written notice that explains the proceeding and gives you the opportunity to object to the proceeding.
d. Medical Review Board of the State Commission of Correction.
The Provider may disclose your PHI to the medical review board of the New York State Commission of Correction when the board has requested such information in the event of your death
e. Endangered Individuals and Law Enforcement Agencies.
If your treating psychiatrist or psychologist has determined that you may present a serious and imminent danger to an individual the Provider may disclose your PHI to that individual and a law enforcement agency.
f. As Authorized by the Department of Mental Health.
The Provider may disclose your PHI to:
1. Persons and agencies needing information to locate missing persons or to a law enforcement agency in connection with criminal investigations, provided that such information will be limited to identifying data;
2. Appropriate persons and entities when necessary to prevent imminent serious harm to you or another person; and
3. A district attorney in connection with and necessary to conduct a criminal investigation of patient abuse.
g. Director of Community Services.
The Provider may disclose your PHI to a director of community services or his or her designee in order to provide oversight of your care.
8. Public Health Activities
The Provider may disclose your PHI to authorized public health officials (or a foreign government agency collaborating with such officials) so they may carry out their public health activities. For example, the Provider may share your PHI with government officials that are responsible for controlling disease, injury or disability. The Provider may also disclose your PHI to a person who may have been exposed to a communicable disease or be at risk for contracting or spreading the disease if the law permits it to do so.
a. Reports to Employers Regarding Work Related Illnesses or Injuries.
Excluding mental health services patients, the Provider may disclose relevant PHI to your employer if the Provider provides health care services to you at the request of your employer related to medical surveillance of the workplace or to evaluate whether you have a work related illness or injury and the employer is required by law (such as Workers Compensation rules) to obtain such information.
b. Reports to School Districts.
The Provider may disclose PHI for a psychiatric patient under the age of 21 years who has been discharged from an inpatient psychiatric unit to the patient's school district in order for the school to continue to provide or arrange for appropriate services to the patient.
c. Victims of Abuse, Neglect or Domestic Violence.
The Provider may release your PHI to a public health authority that is authorized to receive reports of abuse, neglect or domestic violence. For example, the Provider may report your information to government officials if the Provider reasonably believes that you have been a victim of abuse, neglect or domestic violence. The Provider will make every effort to obtain your permission before releasing this information, but in some cases the Provider may be required or authorized to act without your permission.
d. Health Oversight Activities.
The Provider may release your PHI to government agencies authorized to conduct audits, investigations, and inspections of the facility. These government agencies monitor the operation of the health care system, government benefit programs such as Medicare and Medicaid, and compliance with government regulatory programs and civil rights laws.
e. Product Monitoring, Repair and Recall.
The Provider may disclose your PHI to a person or company that is required by the Food and Drug Administration to: (1) report or track product defects or problems; (2) repair, replace, or recall defective or dangerous products; or (3) monitor the performance of a product after it has been approved for use by the general public.
f. Judicial and Administrative Proceedings.
Excluding certain conditions, the Provider may disclose your PHI in the course of a judicial or administrative proceeding in response to a legal order or other lawful process
g. Law Enforcement.
Excluding certain conditions, the Provider may disclose your PHI to law enforcement officials for the following reasons:
* To comply with a court order, grand jury subpoena or administrative subpoena that is legally enforceable;
* To report certain types of wounds or physical injuries if required to do so by law;
* To assist law enforcement officers with identifying or locating a suspect, fugitive, witness, or missing person, provided that only limited PHI will be disclosed;
* You are the victim of a crime and: (1) the Provider has been unable to obtain your consent because of an emergency or your incapacity; (2) law enforcement officials represent that they need this information immediately to carry out their law enforcement duties; and (3) in the Provider's professional judgment disclosure to these officers is in your best interest;
* In the event of your death, if the Provider suspects that your death resulted from criminal conduct;
* It is necessary to report a crime that occurred on our property; or
* It is necessary to report a crime discovered by the Provider when providing offsite emergency medical care.
h. National Security and Intelligence Activities or Protective Services.
Excluding certain conditions, the Provider may disclose your PHI to authorized federal officials who are conducting national security and intelligence activities or providing protective services to the President or other important officials.
i. Military and Veterans.
Excluding certain conditions, if you are in the Armed Forces, the Provider may disclose PHI to appropriate military command authorities for activities the military deems necessary to carry out its military mission. The Provider may also release PHI about foreign military personnel to the appropriate foreign military authority.
j. Inmates and Correctional Institutions.
If you are an inmate or a law enforcement officer detains you, the Provider may disclose your PHI to the prison officers or law enforcement officials if necessary to provide you with health care, or to maintain safety, security and good order at the place where you are confined. This includes sharing information that is necessary to protect the health and safety of other inmates or persons involved in supervising or transporting inmates.
k. Worker & Compensation
The Provider may disclose your PHI to the extent legally required for workers' compensation or similar programs that provide benefits for work-related injuries.
l. Coroners, Medical Examiners and Funeral Directors.
In the event of your death, the Provider may disclose your PHI to a coroner or medical examiner. This may be necessary, for example, to determine the cause of death. The Provider also may release this information to funeral directors as necessary to carry out their duties.
m. Organ Tissue Donation.
In the event of your death, the Provider may disclose your PHI to organizations that procure or store organs, eyes or other tissues so that these organizations may investigate whether you are a candidate for organ or tissue donation under applicable laws
Go to Top
YOUR RIGHTS TO ACCESS AND CONTROL YOUR PHI
We want you to know that you have the following rights to access and control your PHI. These rights are important because they will help you make sure that the PHI we have about you is accurate. They many also help you control the way we use your PHI and share it with others, or the way we communicate with you about your medical matters.
1. Right to Inspect and Obtain Copies of Your Records.
You, or your legally authorized representative, have the right to inspect and obtain a copy of any Provider records including those kept in written and/or electronic format, that are used to make decisions about your care and treatment, and any billing records, for as long as the Provider maintains this information. To inspect or obtain a copy of any of these records, you must submit a request in writing to the Health Information Management Department. If you request a copy of the information, the Provider may charge a fee for the costs of copying, mailing or other supplies the Provider uses to fulfill your request. The fee, at the time of the publication of this Notice, is $0.75 per page and must generally be paid before or at the time the Provider gives the copies to you. A waiver of the fee may be given in certain circumstances, upon the approval of the Director of Health Information Management.
The Provider will respond to your request for inspection of records within 10 days. The Provider ordinarily will respond to requests for copies within 30 days if the information is located in the Facility and within 60 days if it is located off-site. If the Provider needs additional time to respond to a request for copies, the Provider will notify you in writing within the time frame above to explain the reason for and expected duration of the delay.
Under certain very limited circumstances, the Provider may deny your request to inspect or obtain a copy of your record. If so, the Provider may provide you with a summary of the information instead; or if the Provider has reason to deny only part of your request the Provider will provide you access or copies of the other parts of the record. The Provider will provide a written notice that explains its reasons for providing only a summary or limited portion of the records requested, and a description of the process to have this determination reviewed. The notice will also include information on how to file a complaint about these issues with the Provider or with the Secretary of the U.S. Department of Health and Human Services.
Note. A parent or legal guardian of a minor may be denied access to certain portions of the minor's medical record (for example, records relating to mental health services, venereal disease, abortion, or care and treatment to which the minor is permitted to consent himself, such as HIV testing, sexually transmitted disease diagnosis and treatment, chemical dependence treatment, prenatal care, contraception and/or family planning services).
2. Right to Amend Your Medical Record.
If you believe that the health information the Provider has about you is incorrect or incomplete, you may ask the Provider to amend the information. You have the right to request an amendment for as long as the information is kept in Provider records. To request an amendment, please write a request to the Health Information Management Department or to the Privacy Officer. Your request should include the reasons why you think we should make the amendment. Ordinarily the Provider will respond to your request within 60 days. If the Provider needs additional time to respond, the Provider will notify you in writing within 60 days to explain the reason for the delay and when you can expect to have a final answer to your request.
If the Provider denies part of or your entire request, the Provider will provide a written notice that explains the reasons for doing so. You will have the right to have certain information related to your requested amendment included in your records. For example, if you disagree with the Provider's decision, you will have an opportunity to submit a statement explaining your disagreement, which the Provider will include in your records. The written denial notice also will include information on how to file a complaint with the Provider or with the Secretary of the Department of Health and Human Services.
3. Right to an Accounting of Disclosures.
You have a right to request an "Accounting of Disclosures" made within 6 years prior to your request. If your records are maintained in an Electronic Medical Record, you have the right to an Accounting of Disclosures, including routine disclosures, made within 3 years prior to your request. For disclosures made by a Business Associate, the Provider may provide the Accounting of Disclosures itself or provide contact information which will allow you to contact the Business Associate directly. An Accounting of Disclosures is a list with information about certain disclosures of your PHI that the Provider has made to others. An accounting of disclosures will NOT include:
* Disclosures the Provider made to you or to your personal representative;
* Disclosures made pursuant to your written authorization;
* Disclosures made from the Patient Directory;
* Disclosures made to your friends and family involved in your care or payment for your care;
* Disclosures that were incidental to permissible uses and disclosures of your PHI;
* Disclosures that do not directly identify you;
* Disclosures made to federal officials for national security and intelligence activities; or
* Disclosures about inmates to correctional institutions or law enforcement officers.
The accounting of disclosures may be obtained by writing to the Health Information Management Department or to the Privacy Officer. Your request must state a time period for the requested disclosures. The Provider may charge you for the cost of providing more than one accounting of disclosures in any 12-month period. The Provider will notify you of any such charge prior to fulfilling your request.
Ordinarily the Provider will respond to your request for an accounting within 60 days. If the Provider needs additional time to prepare the accounting you have requested, the Provider will notify you in writing about the reason for and expected duration of the delay. If required to do so by a government agency the Provider will withhold certain disclosures from the accounting.
4. Right to Request Additional Privacy Protections.
You have the right to request that the Provider restrict its use and disclosure of your PHI for purposes related to treatment, payment or health care operations. You may also request that the Provider limit how it discloses information about you to family or friends involved in your care or payment for your care. For example, you may request that the Provider withhold information about services you received. Requests for restrictions must be made in writing to the Health Information Management Department or to the Privacy Officer. Your request should include (1) the information you would like to limit; (2) how you would like to limit the use of the information; and (3) to whom you would like the limits to apply.
The Provider is not required to agree to your request for a restriction, unless the request for restriction is for payment purposes and you have paid for the provided services out of pocket in full, unless the disclosure is otherwise required by law. However, if the Provider does agree, the Provider will be bound by its agreement unless the information is needed to provide you with emergency treatment or comply with the law. Once the Provider has agreed to a restriction, you have the right to revoke the restriction at any time. Under some circumstances, the Provider will also have the right to revoke the restriction as long as the Provider notifies you before doing so; in other cases, the Provider will need your permission before the Provider can revoke the restriction.
5. Right to Request Confidential Communications.
You have the right to request that you receive PHI by alternative means of communication or at alternative locations. For example, you may ask that the Provider contact you at work instead of at home. Such requests must be made in writing to the Privacy Officer. The Provider will not ask you the reason for your request, and the Provider will try to accommodate all reasonable requests.
6. Right to Receive Notice of a Breach.
You have a right to be notified by the Provider by first class mail or by e-mail (if you have indicated a preference to receive information by e-mail), of any breaches of Unsecured Protected Health Information as soon as possible, but in any event, no later than 60 days following the discovery of the breach. "Unsecured Protected Health Information" is information that is not secured through the use of a technology or methodology identified by the Secretary of the U.S. Department of Health and Human Services to render the Protected Health Information unusable, unreadable, and undecipherable to unauthorized users. This notice is required to include the following information;
* A brief description of the breach, including the date of the breach and the date of its discovery, if known;
* A description of the type of Unsecured Protected Health Information involved in the breach; Steps you should take to protect yourself from potential harm resulting from the breach;
* A brief description of actions we are taking to investigate the breach, mitigate losses, and protect against further
* breaches; and
* Contact information, including a toll-free telephone number, e-mail address, Web site or postal address to permit you to ask questions or obtain additional information.
In the event the breach involves 10 or more patients whose contact information is out of date, we will post a notice of the breach on the home page of our Web site or prominent media outlets. If the breach involves more than 500 patients in the state or jurisdiction, we will send notices to prominent media outlets. If the breach involves more than 500 patients we are required to immediately notify the Secretary of the U.S. Department of Health and Human Services. We are also required to submit an annual report to the Secretary of the U.S. Department of Health and Human Services of a breach that involves less than 500 patients during the year and will maintain a written log of breaches involving less than 500 patients.
7. How to File a Privacy Complaint.
If you believe your privacy rights have been violated, you may report a privacy complaint to the Corporate Compliance Privacy Officer in writing to the following address. Complaints to the Corporate Compliance Privacy Officer must be in writing and submitted to:
Corporate Compliance Privacy Officer
170 William Street
New York, New York 10038
You will not be retaliated against or denied any health services if you file a complaint. If you are not satisfied with the Provider's response to your privacy complaint or otherwise wish to file a privacy complaint with the Secretary U.S. Department of Health and Human Services, per Federal regulation 45 CFR §164.520(b).
Go to Top
OTHER USES OF MEDICAL INFORMATION
1. Written Authorization.
For any purposes other than the ones described in this Notice the Provider may only use or disclose PHI when you give the Provider your authorization on the Provider's authorization form. . If you provide us authorization to use or disclose medical information about you, you may revoke that authorization, in writing, at any time. If you revoke your authorization, we will no longer use or disclose medical information about you for the reasons covered by your written authorization. However, we may continue to use or disclose that information to the extent we have relied on your authorization. You also understand that we are unable to take back any disclosures we have already made with your authorization, and that we are required to retain our records of the care that we provided to you.
2. Special Authorization.
Confidential HIV-related information (for example, information regarding whether you have ever been the subject of an HIV test, have HIV infection, HIV-related illness or AIDS, or any information which could indicate that you have ever been potentially exposed to HIV) will not be used or disclosed to any person without your specific written authorization, except to certain other persons who need to know such information in connection with your medical care, and, in certain limited circumstances, to public health or other government officials (as required by law), to persons specified in a court order, to insurers as necessary for payment for your care or treatment, or to public authorities in order to contact persons with whom you have had sexual contact or have shared needles or syringes (in accordance with a specified process set forth in New York State law). Federal regulation requires special authorization with respect to the disclosure of substance abuse treatment records.
Privacy and Your Health Information
Your Health Information Privacy Rights