Notice of Privacy – Assessment
NOTICE OF PRIVACY PRACTICES
THIS RISK ASSESSMENT DOES NOT PROVIDE A MEDICAL SERVICE OF ANY KIND. THE INFORMATION CONTAINED IN THE RISK ASSESSMENT IS FOR YOUR PERSONAL USE ONLY AND IS NOT INTENDED TO DIAGNOSE, CURE, MITIGATE, TREAT, OR PREVENT DISEASE OR OTHER CONDITIONS AND IS NOT INTENDED TO PROVIDE A DETERMINATION OR ASSESSMENT OF YOUR STATE OF HEALTH. ALWAYS CONSULT A LICENSED HEALTHCARE PROFESSIONAL SUCH AS YOUR FAMILY PHYSICIAN OR YOUR SPECIALIST TO MAKE HEALTHCARE DECISIONS OR BEFORE STARTING ANY DIET OR EXERCISE PROGRAM. THE HOSPITAL MAKES NO WARRANTIES, EXPRESSED OR IMPLIED, IN CONNECTION WITH THE RISK ASSESSMENT OR THE PERFORMANCE OF THE RISK ASSESSMENT, NOR SHALL THE HOSPITAL’S LICENSORS OR THE HOSPITAL BE HELD RESPONSIBLE OR LIABLE FOR ANY COSTS OR DAMAGES RELATED TO USE OF THE RISK ASSESSMENT OR ANY INFORMATION PROVIDED THEREFROM.
The information you provide is safe. The Hospital maintains appropriate administrative, technical and physical safeguards to ensure the confidentiality, availability and integrity of the information that you provide the Hospital as required by the HIPAA Security Rule, HITECH, and applicable state law.
This assessment is intended for adults. It requires the user to enter age, and on certain occasions date of birth. It will not collect information on any individuals younger than age 20.
- The Hospital’s Definitions of Collected and Potentially Stored Data from this Risk Assessment
- “Genetic Information” is (1) any data with respect to disorder in family members of such individual and any request for, or receipt of, Genetic Services, or participation in clinical research which includes Genetic Services, by the individual or any family member of the individual; (2) any reference to Genetic Information, which includes that of a fetus (carried by the individual or family member) and any embryo legally held by an individual or family member utilizing an assisted reproductive technology.
- “Genetic Services” means (1) a genetic test; (2) genetic counseling (including obtaining, interpreting or assessing genetic information); or (3) genetic education.
- “Non-identifiable” information is data stored in a form that does not permit the identification of a specific individual without extraordinary effort.
- “Personal Information” is any data held, transmitted or stored that may be personally identifiable to an individual without extraordinary effort.
- “Protected Health Information” is any identifiable health information, including Genetic Information, transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.
- “Usage Data” includes page visits, time on page, button clicks, and other similar data. This is collected automatically when interacting with the Risk Assessment and is always non-identifiable, as it is stored anonymously in aggregated form.
- “User Data” includes any data entered voluntarily into the Risk Assessment such as:
- “Medical Data”: includes diseases, treatments, lifestyle behaviors, family history, genotype, phenotype and other similar personal data. By default, this is non-identifiable unless Demographic Data is also volunteered via the “opt-in” feature.
- “Demographic Data”: includes name, address, phone numbers, email address and other similar personal data. This is identifiable data, which must be volunteered via the “opt-in”, as the Risk Assessment does not require it.
- Hospital Use of Personal Information/Protected Health Information from this Risk Assessment
- The “opt-in” feature allows users to request communication from the Hospital, and in return allows any Identifiable Information collected from individuals and third parties on their behalf, including Medical Information and Demographic Information, to potentially be used to communicate targeted educational content, service opportunities, and promotions from the Hospital.
- The Hospital may contact the individual for fundraising purposes, but the individual has the right to opt-out of receiving such communications.
- The Hospital will make every effort to discontinue the use of an individual’s Personal Information and Protected Health Information as soon as practicable if requested by that individual. The Hospital may need to retain Information in its archives and records to comply with law, resolve disputes, analyze problems, assist with any investigations, enforce other Hospital policies, and take other actions otherwise permitted or required by law.
- Any other uses or disclosures of an individual’s Personal Information not outlined within this Agreement will require separate written authorization by the individual. The individual may revoke this authorization at any time, provided that the revocation is in writing.
- An Individual has a right to request restriction of certain uses and disclosures of Protected Health Information to a health plan where the individual pays out-of-pocket in full for a healthcare item or service.
- To the extent that the Hospital acts as a group health plan, health insurance issuer (including HMOs) or an issuer of Medicare supplemental policies and performs underwriting, the Hospital is prohibited from using or disclosing Genetic Information for such purposes, except with regard to issuers of long term care policies, which are not subject to the underwriting prohibition. However, to the extent the Hospital is acting as a health care provider, the Hospital may use or disclose Genetic Information as it sees fit for treatment of an individual. If a covered entity, such as an HMO, acts as both a health plan and health care provider, it may use Genetic Information for purposes of treatment, to determine the medical appropriateness of a benefit, and as otherwise permitted by the Privacy Rule, but may not use such Genetic Information for underwriting purposes.
- Specific types of information that require authorization for disclosure include: (1) psychotherapy notes, (2) uses and disclosure of Protected Health Information for marketing purposes, (3) disclosures that constitute a sale of Protected Health Information, and (4) research as set forth in §164.508 and other provisions in HIPAA.
- Storage of Personal Information and Protected Health Information from this Risk Assessment
- The Hospital will take reasonable and appropriate measures to keep identifiable Personal Information and Protected Health Information confidential and in a secure environment, including taking appropriate action in the event of unauthorized disclosure.
- The Hospital will develop policies and procedures, train workforce members on them, and impose sanctions for failure to comply with them.
- The Hospital will make reasonable efforts to limit disclosure of Protected Health Information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
- Access to identifiable Personal Information and Protected Health Information will be restricted to only those personnel with a legitimate business purpose.
- The Hospital owns all data, Usage data and User data, provided to it by individuals and collected in accordance with this Policy. When individuals provide Medical Information to the Hospital, the Hospital will ensure that they acknowledge their assignment of the right to use the data to the Hospital.
- Scientific Research
Any research funded by the Hospital that involves human subjects (e.g., information collected on individuals) must be endorsed by the sponsoring institution’s committee on clinical investigation or other appropriate body, and conform ethically to the guidelines prescribed by the National Institutes of Health, which include obtaining informed consent and an authorization from each individual.
- Third Party Disclosure
No permission is necessary for Non-identifiable Information to be disclosed, since it does not identify a specific individual. Permission is required before the Hospital discloses Personal Information or Protected Health Information to a third party.
- For disclosure of Demographic Information (e.g., rentals or exchanges of donor lists), the Hospital as a minimum will use the “opt-out” approach. An “opt-out” is obtained when the Hospital through some correspondence gives an individual the opportunity to decline or “opt-out” of disclosures to third parties. If the individual does not opt out, permission is deemed granted. Depending upon the nature of an activity or project, a higher standard than “opt-out” may be used, such as “opt-in” whereby an individual must affirmatively give consent before information is disclosed.
- For research awardees, permission is deemed granted upon submission of an application for a grant to the Hospital. Therefore, the Hospital may disclose Personal Information, including funding and project summary information, on research program awardees to third parties.
- For disclosure of Medical Information or Protected Health Information, Informed Consent is required before the Hospital discloses Medical Information or Protected Health Information to a third party. Informed Consent occurs when an individual has sufficient facts about the disclosure, comprehends those facts, and voluntarily consents to the disclosure. Where a third party such as the employer or healthcare provider of an individual requires the individual to participate in a Hospital program that collects Medical Information, the Hospital will require the employer or healthcare provider to procure Informed Consent before the Hospital will release Medical Information or Protected Health Information to that employer or healthcare provider.
- From time to time, there is a benefit in allowing a third party to use collected Personal Information or Protected Health Information on individuals. However, unless an individual gives permission, the Hospital will not disclose Personal Information or Protected Health Information collected by the Hospital to any third party. The Hospital sometimes engages third parties to provide certain operational services to the Hospital or on its behalf. The Hospital may disclose Personal Information or Protected Health Information to those third parties on a “need to know” basis under a written contract.
- The Hospital uses and allows third parties to use aggregate Non-Identifiable Information for research purposes for the development or implementation of its programs, products and services.
- The Hospital may not sell your Personal Information or Protected Health Information to third parties unless a separate authorization is obtained.
- However, the Hospital may disclose your Protected Health Information, without your authorization, to the Secretary of the Department of Health and Human Services (“Secretary”) during complaint investigation or compliance reviews. This information will not be disclosed by the Secretary except as necessary for determining and enforcing compliance with HIPAA, rules or otherwise required by law.
- The Hospital may disclose your Protected Health Information 50 years after your death.
- Right of Individual To Obtain Copy of Individual’s Protected Health Information From the Hospital
- If an individual requests an electronic copy of Protected Health Information that is maintained electronically in one or more designated record sets, the Hospital will provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by the Hospital and the individual (in a machine readable copy).
- The individual may direct the Hospital to transmit the copy directly to the individual’s designee, provided such choice is clear, conspicuous and specific.
- The Hospital can impose a reasonable cost-based fee for a copy of the Protected Health Information. This fee includes: (1) the cost of supplies for creating the paper copy or electronic media (i.e., physical media such as a compact disc (CD) or universal serial bus (USB) flash drive); (2) actual labor costs of copying the Protected Health Information; (3) the postage associated with mailing the Protected Health Information, if applicable; and (4) the preparation of an explanation or summary of the Protected Health Information, if agreed to by the individual.
- The Hospital has 30 days to respond to the individual’s request. Pursuant to §164.524(b), the Hospital is permitted a one-time extension of 30 days to respond to an individual’s request (with written notice to the individual of the reasons for delay and the expected date by which the Hospital will complete action on the request).
- Right of Individual to Be Notified if There is a Security Breach of Unsecured Protected Health Information
- If there is a Security Breach, then the affected individual will be notified without unreasonable delay but no later than 60 calendar days from discovery of the breach, except for certain circumstances where law enforcement has requested the information not be disclosed.
- The Notification will be provided by first class mail to your last known address, or that of your next of kin, and include:
- A brief description of what happened, including the date of breach if known,
- A description of types of unsecured Protected Health Information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
- Any steps individuals should take to protect themselves from potential harm resulting from the breach;
- A brief description of what the covered entity involved is doing to investigate the breach, to mitigate the harm to individuals, and to protect against any further breaches; and
- Contact procedures for individuals to ask questions or learn additional information, which shall include a toll free telephone number, email address, web site, or postal address.
- If the Security Breach involves more than 500 individuals in a State, then the notice discussed above will be included on the Hospital web site or displayed conspicuously in a major print or broadcast media.
- The Secretary will be notified of all Security Breaches involving 500 individuals in a State not later than 60 days after the breach is discovered. In addition, the Secretary will be notified of any Security Breaches involving less than 500 individuals 60 days after the end of the calendar year.
- Links to Third Party Web Sites
The Site may contain links to other web sites. The Hospital is not responsible for the privacy practices or the content of such web sites. The Hospital has no control over the use of such web sites and you should exercise caution when deciding to disclose any Personal Information or Protected Health Information on those web sites. You also agree and acknowledge that the Hospital will not be responsible or liable, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, services or resource or goods on or through any such site. The Hospital encourages you to read the privacy statements on each web site you visit. The Hospital may also provide links to original articles written and maintained by third parties. These links are provided as a convenience and do not imply a claim of ownership in that content.
TERMS & CONDITIONS OF USE
By accessing, browsing and/or otherwise using this Risk Assessment, you acknowledge that you have read, understood and agree to be bound by these terms and conditions described here, and to comply with all applicable laws and regulations. If you do not agree to all of these terms and conditions, you may not access, browse, and/or use this Risk Assessment. The material provided in this Risk Assessment is protected by law, including, but not limited to, United States copyright law and international treaties.
These terms and conditions of use apply to your access to and use of this Risk Assessment only and do not alter in any way the terms and conditions of any other agreement you may have with the Hospital for health services or otherwise.
All Risk Assessment materials, including, without limitation, text, pictures, graphics, and other files and the selection and arrangement thereof are copyrighted materials of the Hospital and/or its licensors, or by the original creator of the material. Permission is granted to download the materials on this Risk Assessment for your use only and only for the purposes for which the Hospital provided you access to the Risk Assessment, provided you do not modify the materials and that you retain all copyright and other proprietary notices contained in the materials, as applicable. You may not, however, distribute, copy, reproduce, display, republish, download, or transmit any material on this Risk Assessment for commercial use without prior written approval of the Hospital. You may not “mirror” any material contained on this Risk Assessment on any other server without prior written permission from the Hospital. Any unauthorized use of any material contained on this Risk Assessment may violate copyright laws, trademark laws, the laws of privacy and publicity and communications regulations and statutes.
The trademarks, service marks, trade names, and logos (the “Trademarks”) used and displayed on this Risk Assessment are registered and unregistered Trademarks of the Hospital and/or its licensors. In addition, all page headers, custom graphics, button icons, and scripts are service marks, trademarks, and/or trade dress of the Hospital and/or its licensors, and may not be copied, imitated or used, in whole or in part, without the prior written permission of the Hospital and/or its licensors. You acknowledge that the Trademarks used and displayed on this Risk Assessment are and shall remain the sole property of the Hospital and/or its licensors. Nothing in this Agreement shall confer any right of ownership of any of the Trademarks to you. Further, nothing in this Risk Assessment shall be construed as granting, by implication, estoppel or otherwise any license or right to use any Trademark used or displayed on the Risk Assessment, without the express written permission of the Hospital and/or its licensors. The misuse of the trademarks displayed on this Risk Assessment, or any other content on the Risk Assessment, is strictly prohibited.
Except as otherwise expressly permitted by the Hospital and/or its licensors, any access or attempt to access other areas of the Hospital and/or its licensors’ computer system or other information contained on the system for any purposes is strictly prohibited. You agree that you will not use any robot, spider, other automatic device, or manual process to “screen scrape,” monitor, “mine,” or copy the pages on the Risk Assessment or the content contained therein. You will not spam or send unsolicited e-mail to any other user of the Risk Assessment for any reason. You agree that you will not use any device, software or routine to interfere or attempt to interfere with the proper working of the Risk Assessment. You agree that you will not take any action that imposes an unreasonable or disproportionately large load on the Hospital and/or its licensors’ infrastructure. You further agree not to disseminate, store, or transmit viruses, Trojan horses or any malicious code or program or engage in any other activity deemed by the Hospital to be in conflict with the spirit or intent of this Agreement. You agree that you will not use this Risk Assessment in violation of any local, state, federal, or non-United States law or regulation. You are prohibited from posting on, or transmitting through, this Site any material or content that is unlawful, harmful, threatening, abusive, harassing, defamatory, vulgar, obscene, profane, hateful or otherwise objectionable including, but not limited to, any material or content that may constitute a criminal offense, give rise to civil liability or otherwise violate any applicable law.
LINKS FROM AND TO THIS SITE
You acknowledge and agree that the Hospital has no responsibility for the accuracy or reliability of information provided by linked sites. Links to external web sites do not constitute an endorsement by the Hospital of the sponsors of such sites or the content, services, products, advertising or other materials presented on such sites. The Hospital shall not be liable for any decision made or action taken by you or others based upon reliance on information or materials obtained through use of the information or content provided on the linked sites. Information on the web pages that are linked to this Site comes from a variety of sources. The Hospital does not author, edit, or monitor these unofficial pages or links. You acknowledge and agree that the Hospital shall not be responsible or liable, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods or services available on such external sites or resources.
THIS RISK ASSESSMENT, INCLUDING ALL SOFTWARE, FUNCTIONS, MATERIALS, AND INFORMATION IS PROVIDED “AS IS” WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED. THE HOSPITAL AND/OR ITS LICENSORS DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF QUIET ENJOYMENT AND NON-INFRINGEMENT AND IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, TITLE, DATA ACCURACY, AND INFORMATIONAL CONTENT. THE HOSPITAL AND/OR ITS LICENSORS DO NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE OPERATION OF THIS RISK ASSESSMENT, THE USE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USE OF THE MATERIALS ON THIS RISK ASSESSMENT OR ANY OTHER SITES LINKED TO THIS RISK ASSESSMENT. THE HOSPITAL AND/OR ITS LICENSORS DO NOT AND CANNOT GUARANTEE OR WARRANT THAT THE FILES AVAILABLE FOR DOWNLOADING FROM THIS RISK ASSESSMENT WILL BE FREE FROM INFECTION, VIRUSES, WORMS, TROJAN HORSES, OR OTHER CODE THAT MANIFEST CONTAMINATING OR DESTRUCTIVE PROPERTIES. HOSPITAL AND/OR ITS LICENSORS DO NOT WARRANT THAT THIS RISK ASSESSMENT OR ITS SERVICES WILL BE UNINTERRUPTED OR ERROR-FREE OR THAT ANY DEFECTS IN THIS RISK ASSESSMENT OR ITS SERVICES WILL BE CORRECTED.
LIMITATION OF LIABILITY
IN NO EVENT WILL THE HOSPITAL AND/OR ITS LICENSORS OR OTHER THIRD PARTIES MENTIONED AT OR IN THIS RISK ASSESSMENT BE LIABLE FOR ANY DAMAGES, INCLUDING, WITHOUT LIMITATION, DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, DAMAGES RELATING TO THE USE OR INABILITY TO USE THIS RISK ASSESSMENT, THE MATERIALS OR OTHER INFORMATION CONTAINED IN THIS RISK ASSESSMENT, WHETHER BASED ON WARRANTY, CONTRACTS, STATUTES, REGULATIONS, TORT (INCLUDING, BUT NOT LIMITED TO, NEGLIGENCE), OR ANY OTHER LEGAL THEORY AND WHETHER OR NOT ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU.
No waiver of any term, provision or condition of this Agreement, whether by conduct or otherwise, in any one or more instances, shall be deemed to be, or shall constitute, a waiver of any other term, provision or condition hereof, whether or not similar, nor shall such waiver constitute a continuing waiver of any such term, provision or condition hereof. No waiver shall be binding unless executed in writing by the party making the waiver.
If any provision of this Agreement is determined to be illegal or unenforceable, then such provision will be enforced to the maximum extent possible and the other provisions will remain fully effective and enforceable.
This Agreement is made in and shall be governed and construed by the laws of the State of Minnesota, United States of America, without reference to conflicts of laws. If you access this site from locations outside Minnesota or the United States, you are voluntarily and purposefully availing yourself of the laws of the State of Minnesota, United States of America, and you are solely responsible for compliance with all your local laws. Access to the Site from locations where the Site’s contents may be unlawful is prohibited. All actions, claims or disputes arising under or relating to this Agreement shall be brought in the federal or state courts located in Washington County, Minnesota. You irrevocably submit and consent to the exercise of subject matter jurisdiction and personal jurisdiction over you by the federal and/or state courts in Washington County, Minnesota. You hereby irrevocably waive any and all objections which you may now or hereafter have to the exercise of personal and subject matter jurisdiction by the federal or state courts in Washington County, Minnesota and to the laying of venue of any such suit, action or proceeding brought in any such federal or state court in Washington County, Minnesota.
The captions and headings of this Agreement are included for ease of reference only and shall be disregarded in interpreting or construing this Agreement.
This Agreement constitutes the complete and exclusive statement of the agreement between the parties and supersedes any and all prior or contemporaneous communications, representations, statements and understandings, whether oral or written, between the parties.
REVISIONS TO THIS AGREEMENT
The Hospital and/or its licensors may revise this Agreement at any time without notice by updating this posting. By using this Risk Assessment you agree to be bound by any such revisions and should therefore periodically visit this Site and page to determine the then current terms and conditions of use to which you are bound.