Notice of Privacy Practices

Effective: October 24, 2018

• Missouri State University • Missouri State University, Springfield • Missouri State University, West Plains • Missouri State University, Mountain Grove • Magers Health and Wellness Center • Learning Diagnostic Clinic • Speech-Language-Hearing Clinic • Physical Therapy Clinic •

This notice describes how your medical information may be used or disclosed and how you can get access to this information. Please review it carefully.

Our pledge regarding your medical information:

This notice is intended to inform you about our practices related to the protection of your medical information. We are required by law to follow the terms of the notice that is currently in effect. This notice will explain how we may use and disclose your medical information, our obligations related to the use and disclosure of that medical information, and your rights related to medical information we have and maintain about you. When we use the words “medical information,” we mean individually identifiable health information, known as protected health information or “PHI.” This notice applies to all such information about your past, present, or future health or conditions; genetic information; pharmacy and prescription records; the provision of health care services; and the payment for those health care services, whether created by our employees or your physician. We may obtain, but we are not required to obtain, your consent for the use or disclosure of your medical information for treatment, payment, or health care operations. We are required to obtain your authorization for the use or disclosure of information for other specific purposes or reasons. We have listed some of the types of uses or disclosures below. Not every use or disclosure is covered, but all of the ways that we are allowed to use and disclose information will fall into one of the categories.

Who will follow this notice: Missouri State University ("MSU") facilities, departments, clinics and Affiliated Covered Entities. This includes, but is not limited to: Missouri State University; Missouri State University – Springfield; Missouri State University – West Plains; Missouri State University – Mountain Grove; Magers Health and Wellness Center; Learning Diagnostic Clinic; Speech-Language-Hearing Clinic; and Physical Therapy Clinic; and any new entities or facilities created or acquired by MSU in the future. This Notice also applies to all employees, physicians, allied health professionals, contractors, medical staff credentialed providers, volunteers, and students conducting internships or clinical practice. The individuals listed above may share medical information as described in this Notice of Privacy Practices. These participants are hereinafter referred to collectively with the university as "MSU". Private physician offices may have different policies or notices regarding the physician's use and disclosure of medical information created in that physician's office.

How we may use and disclose your medical information without your authorization: For Treatment: We may use or disclose your medical information to provide medical treatment or services. We may need to use or disclose your information to doctors, nurses, technicians, students or other MSU personnel involved in your treatment. For example, a doctor may need to know what drugs you are allergic to before prescribing medications. Further, departments or entities throughout MSU may share your medical information to coordinate your care. For instance, the laboratory may request information to complete lab work. We may also provide your physician or a subsequent health care provider with copies of various reports that should assist in treating you once you are discharged from our care.

For Payment: We may use and disclose your medical information so that the treatment and services you receive from MSU or another health care provider may be appropriately billed, and so that payment may be collected from you, an insurance company or a third-party payer. For example, we may disclose your medical information to your insurance company about a service you received at MSU so that your insurance company can pay us or reimburse you for the service. We may also ask your insurance company for prior authorization for a service to determine whether the insurance company will cover it. We may disclose your medical information to a court of law in order to collect an unpaid account. Further, you maintain the right to require MSU or one of our providers to withhold from a health plan/insurer any information pertaining to treatment you pay for out-of-pocket, unless otherwise required by law.

For health care Operations: We may use and disclose your medical information for MSU operations. These include uses and disclosures that are necessary to run MSU and make sure our patients receive quality care. These uses and disclosures include, but are not limited to the following: quality assessment and improvement activities, reviewing competence or qualifications of health care professionals, and reviews by external agencies for licensure, accreditation, or auditing. For example, we may disclose your medical information to outside organizations or providers in order for them to provide services to you on our behalf. We may use or disclose your medical information to evaluate our staff's performance in caring for you. Medical information about you and other patients may also be combined to allow us to evaluate whether MSU should offer additional services or discontinue other services and whether certain treatments are effective. We may also compare this information with other health care systems to evaluate whether we can make improvements in the care and services that we offer.

When Required By Law: When required to do so by federal, state, or local law, including those that mandate the reporting of certain types of wounds or physical injuries.

To Avert a Serious Threat to Health or Safety: We may use and disclose your medical information when necessary to prevent a serious threat to the health and safety of you, the public, or any other person. However, any such disclosure would only be to someone able to help prevent the threat.

For Organ and Tissue Donation: If you are an organ donor, we may release your medical information to organizations that handle organ procurement or organ, eye or tissue transplantation, or to an organ donation bank, as necessary to facilitate organ or tissue donation and transplantation.

Military and Veterans: If you are a member of the armed forces, we may release your medical information as required by military command authorities or for the purpose of a determination by the Department of Veterans Affairs of your eligibility for benefits. We may also release medical information about foreign military personnel to the appropriate foreign military authority.

Workers' Compensation: When disclosure is necessary to comply with Workers' Compensation laws or purposes, we may release your medical information for workers' compensation or similar programs.

Public Health Risks: We may disclose medical information about you for public health activities. These activities generally include the following: to prevent or control disease, injury or disability; to report births and deaths; to report reactions to medications or problems with products; to notify people of product recalls; to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; or to notify the appropriate government authority if we believe a patient has been the victim of abuse, neglect or domestic violence. We may also disclose your medical information, if directed by a public health authority, to a foreign government agency collaborating with the public health authority.

Health Oversight Activities: We may disclose your medical information to a health oversight agency for activities authorized by law. These oversight activities include audits, investigations, inspections, and licensure. These activities are necessary to monitor the health care system, government programs, and civil rights compliance.

Legal Proceedings: We may disclose your medical information in the course of any judicial or administrative proceeding; in response to a court order or an administrative tribunal (to the extent such disclosure is expressly authorized); in certain conditions in response to a subpoena or discovery request; or for other lawful purposes.

Criminal Activity: Consistent with applicable federal and state laws, if we believe the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of yourself or others, we may disclose your medical information. However, any such disclosure would only be to someone able to help prevent the threat.

Law Enforcement: We may release medical information if asked to do so by a law enforcement official, under the following circumstances and as otherwise allowed by law: (1) about a patient who may be the victim of a crime if, under certain limited circumstances, we are unable to obtain the patient's agreement; (2) about a death we believe may be the result of criminal conduct; (3) about criminal conduct at the facility; (4) about a patient where a patient commits or threatens to commit a crime on the premises or against MSU staff (in which case we may release the patient's name, address, and last known whereabouts); (5) in emergency circumstances, to report a crime, the location of the crime or victims, and the identity, description and/or location of the person who committed the crime; and (6) when the patient is a forensic client and we are required to share with law enforcement by Missouri statute. In the event the requested medical information is protected by 42 CFR Part 2 (a federal law protecting the confidentiality of drug and alcohol abuse treatment records), a court order is required prior to MSU releasing the information.

Relating to Decedents: We may release your medical information to the coroner or medical examiner for identification purposes, determination of cause of death or for the coroner or medical examiner to perform other duties authorized by law. We may also disclose your medical information to a funeral director, as authorized by law, in order to permit the funeral director to carry out their duties. We are further permitted to make relevant disclosures to a decedent’s family and friends under essentially the same circumstances such disclosures were permitted when the patient was alive as long as MSU is unaware of an expressed preference to the contrary.

National Security and Intelligence Activities: We may release your medical information to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.

Protective Services for the President and Others: We may disclose your medical information to authorized federal officials so they may conduct investigations or provide protection to the President and other authorized persons or foreign heads of state.

Inmates: If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release your medical information to the correctional institution or law enforcement official if the release is necessary: (1) for the institution to provide you with health care; (2) to protect your health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution.

Emergency or Disaster Events: We may use or disclose your medical information to a public or private entity authorized by law to assist in disaster relief efforts, for the purpose of coordinating care or services with such entities. This may include, but is not limited to emergency managers, fire officials, law enforcement officers, public health authorities, emergency medical services such as ambulance districts and other public works officials regarding: the numbers and locations of our patients; emergency notification contacts to expedite contact with families, legal guardians, representatives or others regarding the need for evacuation or emergency care; any special needs that justify prioritization of utility restoration such as, but not limited to, dependence on respirator or other medical equipment, phone for emergency contact, etc.; or any other information that is deemed necessary to protect the health, safety and well-being of MSU patients.

Food and Drug Administration: We may disclose your medical information to a person or company required by the Food and Drug Administration to report adverse events; product defects or problems; biologic product deviations; track products; to enable product recalls; to make repairs or replacements; or for post-marketing surveillance.

Change of Ownership: In the event MSU is sold or merged with another organization, your medical information will become the property of the new owner.

Research: We may disclose your medical information to researchers when their research has been approved by an Institutional Review Board that has reviewed the research proposal and established protocols to ensure the privacy of your information. These protocols may include a waiver of authorization that has been approved by the Institutional Review Board, Privacy Committee, or any university sponsored Institutional Review Board approved by the Food and Drug Administration. For example, a research project may involve comparing the health and recovery of all patients who received one medication to those who received another medication for the same condition. All research projects, however, are subject to a special approval process under applicable law. This process evaluates a proposed research project and its use of medical information, trying to balance the research needs with the patients' need for privacy of their medical information. Before we use or disclose medical information for research, the project will have been approved through this research approval process. We may, however, disclose medical information about you to people preparing to conduct a research project, for example, to help them look for patients with specific medical needs, so long as the medical information they review does not leave the facility.

Special Circumstances: In addition, MSU reserves the right to allow your medical information to be de-identified and aggregated by MSU or third parties in accordance with all applicable laws for such uses as research, public health activities, or other health care operations.

Unless you object, we are permitted to make the following uses or disclosures: We will use or disclose your medical information for the purposes described in this section unless you object to or otherwise restrict a particular release. You must direct your written objections or restrictions to the on-site Privacy Manager or the MSU Privacy Officer identified in this Notice.

Appointment Reminders/Scheduling/Follow-up Calls: We may use and disclose medical information to contact you about an appointment, a referral visit, or to follow-up with you after a visit. We may leave a brief reminder on your answering machine or voicemail system unless you tell us not to do so.

Individuals Involved in your health care: We will only disclose your medical information to a member of your family, a relative, or any other person you identify and we will limit such information to that which directly relates to that person's involvement in your care. You will be asked to provide the names of these individuals.

In an Emergency: We may use or disclose your medical information in an emergency situation. If this happens, we shall try to obtain your acknowledgement as soon as reasonably practicable after the delivery of treatment.

Communication Barriers: In the event unforeseen communications barriers prohibit us from obtaining your consent, MSU will use its professional judgment to determine the level of care provided until consent can be facilitated.

Fundraising Activities: We may use or disclose your demographic information, your health insurance status, general department of service information, treating physician information, outcome information and the dates you received treatment, as necessary, in order to contact you for fundraising activities supported by MSU. You have the right to opt out of such solicitations by notifying in writing the applicable Unit Privacy Officer or the MSU Privacy Officer.

Available Services: We may use or disclose your medical information to provide you with information about or recommendations of possible treatment options, alternatives, health benefits or services that may interest you.

Immunization Records: We are required to obtain agreement, whether in writing or given orally, from a parent, guardian, or person acting in loco parentis prior to disclosing or providing proof of immunizations to an educational institution admitting a minor student. No separate written HIPAA authorization is required for this action by MSU.

All other uses and disclosures require your prior written authorization. This includes most uses and disclosures for marketing purposes, any transaction in which MSU receives direct or indirect financial remuneration in exchange for your medical information, and the sharing of psychotherapy notes. If you provide us written authorization to use or disclose your medical information, you can change your mind and revoke your authorization at any time in writing. If you revoke your authorization, we will no longer use or disclose the information. However, we will not be able to take back any disclosures that we have made pursuant to your previous authorization.

Your rights with respect to medical information: Right to Inspect and Copy: You may inspect and obtain a copy of your medical information contained in an electronic health record or other requested designated record set for as long as we maintain that information. A "designated record set" contains medical and billing records and any other records we use for making decisions about your treatment. If you request an electronic copy, it must be provided in the format requested or in a mutually agreed-upon format. Your request must be submitted in writing to each clinic or entity where you received treatment. A copy of the authorization to request the release of information is available from the MSU Privacy Officer or the Unit Privacy Officer for the applicable department within MSU. If you request a copy of the information, we may charge a reasonable fee for the costs of copying, mailing, providing any electronic media (such as a USB flash drive), or other supplies associated with your request. This same right to inspect and copy extends to Business Associates of MSU as well as their Subcontractors. We may deny your request to inspect and copy based on federal law. If you are denied access to medical information, you may request the denial be reviewed. Another licensed health care professional chosen by the organization will review your request and the denial. The person conducting the review will not be the person who denied your original request. We will comply with the outcome of the review.

Right to Request an Amendment: You have a right to request your medical information be amended (changed) if you believe it is incorrect or incomplete for as long as MSU keeps the information. To request an amendment, you must submit a written request to the Director of the Magers Health and Wellness Center. This written request must include why you want the information amended and why you believe the information is incorrect or incomplete. We can deny your request if it is not in writing and if it does not include a reason why the information should be amended. We can also deny your request for the following reasons: (1) the information was not created by MSU, unless the person or entity that did create the information is no longer available; (2) the information is not part of the medical record kept by or for MSU; (3) the information is not part of the information that you would be permitted to inspect and copy; or (4) we believe the request to change is not accurate. If the request for change is denied, the request will be made a part of the medical record.

Right to an Accounting of Disclosures: You have the right to request an "accounting of disclosures." This is a list of the disclosures we make of your medical information for purposes other than treatment, payment or health care operations as described in this Notice. MSU is required to provide an accounting of disclosures of electronic health records and other records upon request for a period of up to 6 years. It will exclude disclosures: (1) to individuals about themselves; (2) pursuant to an authorization; (3) for national security or intelligence purposes; (4) to correctional institutions or law enforcement officials; (5) as part of a limited data set; and (6) that occurred prior to the compliance date for the covered entity. To request an accounting of disclosures, you must submit your request in writing to MSU’s Privacy Officer. Your data will be provided to you within 60 days unless we notify you of circumstances that warrant delay. Your first request within a 12-month period will be free. For additional requests, we may charge you for the cost of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred.

Right to Request Restrictions: You have the right to request a restriction or limitation on the medical information we use or disclose about you for treatment, payment or health care operations. You also have the right to request a limit on the medical information we disclose about you to someone who is involved in your care or the payment for your care. We are not required to agree with your request. If we do agree, we will comply with your request unless the information is needed to provide you emergency treatment. To request restrictions, you must make your request in writing to MSU’s Privacy Officer or General Counsel. In your request, you must tell us: what information you want to limit; whether you want to limit our use, disclosure or both; and to whom you want the limits to apply (for example, disclosure to your spouse).

Right to Request Confidential Communications: You have the right to request we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail. To request confidential communications, you must make your request in writing to MSU's Privacy Officer or the Unit Privacy Officer at the entity where you are receiving treatment. We will not ask you the reason for your request. We will accommodate all reasonable requests. Your request must specify how or where you wish to be contacted.

Right to a Paper Copy of This Notice: You have the right to a paper copy of this notice. To obtain a paper copy of this Notice, contact the MSU Privacy Officer. You may also obtain a copy of this Notice at our website, https://privacy.missouristate.edu/hipaa/default.htm.

Breach: In the event MSU improperly discloses or uses your medical information in violation of federal or state law, we are required to notify you of such a breach within 60 days of the event.

Complaints: If you believe we have violated your privacy rights or have not adhered to the information contained in this Notice, you may file a complaint by putting it in writing and sending it to MSU’s Privacy Officer listed at the end of this document. You may also file a complaint with the Secretary of the U.S. Department of Health and Human Services at +1-800-368-1019 (any language) or +1-800-537-7697 (TDD), or view the website: https://www.hhs.gov/hipaa/filing-a-complaint/what-to-expect/index.html. You will not be retaliated against for filing a complaint with either MSU or the U.S. Department of Health and Human Services.

CHANGES TO THIS NOTICE OF PRIVACY PRACTICES: We reserve the right to change or modify the information contained in this Notice. Any changes will be effective for any medical information we have about you and any information we might obtain. Each time you receive services from MSU, we will have available the most current copy of our Notice of Privacy Practices. The most recent version will be posted in our building and our website (https://privacy.missouristate.edu/hipaa/default.htm). Also, you can call or write our contact person, whose information is included in this Notice, to obtain the most recent version.

If you have any questions about this Notice, please contact: Frederick D. Muegge, M.D., Privacy Officer, Missouri State University, 901 S. National Ave., Springfield, MO 65897. Email: DaveMuegge@MissouriState.edu or call 417-836-4041.