Patient Privacy

Rush University System for Health is committed to protecting your health information and upholding your privacy.

Rush University System for Health is committed to protecting your health information and upholding your privacy.

Rush University System for Health is committed to protecting your health information and upholding your privacy.

Regulatory Update Announcement to our Community and Government Partners

This update describes changes Rush University System for Health is making in how patient information is shared, in compliance with federal regulations.

Regulatory Update Announcement to our Community and Government Partners

General Data Protection Regulation Privacy Notice

This Notice describes Rush University System for Health's commitment to comply with the European Union’s General Data Protection Regulation.

General Data Protection Regulation Privacy Notice

Rush SMS Notice

When you sign up for text messages from Rush, you are signing up to receive text messages related to your relationship with Rush, including updates related to your visits, your MyChart account, one-time passcodes, billing notifications, prescription reminders and care management. These text message will come from a short code. A short code is a 5- or 6-digit phone number that is used by organizations to send text messages.

You can opt-out of SMS messages at any time by replying STOP to the respective short code message. Your opt-out request will generate one final message confirming that you have been unsubscribed. You will no longer receive SMS messages from the short code you opted out from. If you want to join again, sign up using MyChart or text HELP to the short code for instructions. 

If you experience issues with text messages you can reply with the keyword HELP for more assistance, or you can get help directly at (312) 563-6600. 

Carriers are not liable for delayed or undelivered messages. Message and data rates may apply for any messages sent to you from us and to us from you. Message frequency may vary.

Our Notice of Privacy Practices is available on this web page and via rush.edu/privacy.  
 

Rush University Medical Center and Rush Oak Park Hospital 

Notice of Privacy Practices

This Notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

Notice of Privacy Practices (English)
Aviso de Prácticas de Privacidad (Spanish)
Powiadomienie Dotyczące Zasad Ochrony Prywatności (Polish)

Patient Privacy Rights

The Privacy and Security Office ensures that patient rights are respected and processes are in place that permit patients to make requests and to receive a response in a timely manner. Patient Privacy Rights granted under the Health Insurance Portability And Accountability Act (HIPAA) include those outlined in the Notice of Privacy Practices and are summarized in this video produced by the Department of Health and Human Services Office for Civil Rights. 

Important Privacy Forms

Patient Privacy Rights Request Forms

We have several different forms related to patient privacy rights:

  • Confidential communication
    • You have the right to request that when we communicate with you about your protected health information, we use alternative ways or an alternative location

Click here to download the confidential communication form.

  • Accounting of disclosures
    • You have the right to get a report from us that tells you about any protected health information of yours that we or our business associates have shared about you

Click here to download the accounting of disclosures form.

  • Amendment request
    • You have the right to request that we change or amend your protected health information in our medical record

Click here to download the amendment request form.

Patient Privacy Opt-Out Form

(click here to download the form).

This form is used for several different purposes:

Opt Out: You can request that your information be excluded from Care Everywhere (which refers to sharing of the electronic patient record to other external healthcare entities that are also using Epic) and Cures ADT (which refers to electronically sharing of your information regarding new admissions to your Primary Care Provider (PCP).

Reverse Opt Out: You previously chose to Opt Out of Care Everywhere and Cures ADT and am now choosing to participate (Opt In).

Patient Request for Restriction of Release of Information

(click here to download the form)

  • Patient Request for Restriction of Release of Information
    • You have the right to request that we restrict the use or disclosure of your health information

About the Privacy Office

Mission: The Privacy Office promotes the confidentiality of patient information, also known as "protected health information" (PHI). Our mission includes providing leadership, oversight and assistance in the implementation of the Health Insurance Portability and Accountability Act (HIPAA), as well as the Health Information Technology for Economic and Clinical Health Act (HITECH). There are many federal and state laws and regulations that affect privacy and security; our goal is to ensure that Rush University Medical Center and Rush Oak Park Hospital have the right policies and procedures established to address these requirements.

What we do: The operations of the Privacy Office include such activities as administering HIPAA patient rights; providing awareness and training on privacy and security topics; conducting reviews into privacy incidents; and creating policies and procedures. Additional information about HIPAA and patient privacy can be found at the U.S. Department of Health and Human Services.

How to contact us: Please contact the Privacy Office at any time with questions or concerns at (312) 942-5303 or privacy_office@rush.edu.

Rush Copley Medical Center 

HIPAA Joint Notice of Privacy Practices

This notice describes how medical information about patients may be used and disclosed and how patients can access this information. Please review this document carefully. Privacy of medical information is important to us.

Effective date of this notice: February 1, 2017. This notice will remain in effect until it is revised and/or updated.

This Notice of Privacy Practices is given on behalf of certain health care provider affiliates of Rush Copley Medical Center, including Copley Memorial Hospital, Rush Copley Medical Group NFP, Fox Valley Cardiovascular Consultants, Rush Copley Hospitalists, LLC, Castle Surgicenter, Rush Orthopaedics and Sports Medicine and all applicable subsidiary corporations, and all of their employed health care providers, students and volunteers (collectively “Copley”). All of these entities may share patient information with each other for treatment, payment or health care operations.

Summary

In the course of receiving medical services, patients provide Copley with personal information about their health, with the understanding that this information will be kept confidential. Copley may obtain health information from examinations or tests, or from others who have provided medical care.

Copley uses patient information when providing treatment and may disclose patient information to other health care providers to assist them in providing treatment.

Copley may disclose information to insurance companies to receive payment; may use the information within the organization to evaluate quality and improve processes; and may disclose patient information as required by law or as permitted by Copley policies.

Kinds of Information this Notice Applies to

This notice applies to protected health information ("PHI") consisting of any information in Copley's possession that would allow someone to identify a patient and learn something about their health.

Joint Notice

Copley and certain non-employed hospital-based physician groups are presenting this notice as a joint notice. Those physician groups include radiology, anesthesia, pathology, neonatology, Intensive Care Unit intensivist physicians and the Emergency Department. PHI from Copley will be shared with these physicians as necessary to carry out their treatment, payment and health care operations.

Providers participating in the Organized Health Care Arrangement (OHCA) use the same electronic medical record to document and review the health care services they provide to you. Use of the electronic medical record allows your providers to coordinate your care, improve the exchange of important information about your treatment, and get complete and up-to-date information to any provider who uses the shared electronic medical record.

This notice applies to services received at Copley. This includes services from some of the physicians who are not employed by Copley. If services are received from any of these physicians in their own offices, they may give patients a different Notice of Privacy Practices that applies to their offices.

Some physicians who provide care at Copley Memorial Hospital are independent contractors and are not agents, servants or employees of the hospital, unless otherwise identified. These physicians exercise their own medical judgment in treating and providing services to patients and are solely responsible for their compliance with state and federal privacy laws. Nothing in this privacy notice is meant to imply or create any agency or employment relationship between these physicians and the hospital, either actual or implied, nor does this privacy notice alter, limit or modify any other consent for treatment or procedures that patients may sign while receiving care at Copley.

Copley’s Legal Duties

  • Maintain the privacy of PHI
  • Provide this Notice of Privacy Practices and legal duties regarding PHI to anyone who asks for it
  • Abide by the terms of this notice

How Health Information May Be Disclosed

Copley may use PHI or disclose it to others for a number of reasons. The following examples do not include all of the specific ways information may be used or disclosed.

1. Treatment. Copley will use PHI to provide medical care and services. This means that Copley employees, students, volunteers and others who work under Copley's direct control may read PHI to learn about a patient's medical conditions and use it to make decisions about care. For instance, a hospital nurse may read a medical chart in order to care for that patient properly. PHI will be disclosed to others who need it in order to provide medical treatment or services. For instance, Copley may send a doctor the results of a laboratory test performed at Copley.

2. Payment. PHI is disclosed as necessary to obtain payment for the services provided. For instance, an employee in the business office may use PHI to prepare a bill. That bill may be sent, along with any PHI it contains, to the patient's insurance company. PHI may be disclosed to companies that Copley utilizes for payment-related services. For instance, PHI may be given to a collection company to collect bills. Copley will not use or disclose more information for payment purposes than is necessary.

3. Health Care Operations. PHI may be used for activities that are necessary to operate Copley. This includes reading PHI to review the performance of staff. PHI may be used to plan for services that may be provided in the future, expanded or reduced. PHI may be provided to students who are authorized to receive training at Copley. PHI may be disclosed as needed to others whom Copley contracts with to provide administrative services. This may include lawyers, auditors, accreditation services and consultants.

4. Legal Requirement to Disclose Information. PHI will be disclosed when required by law. This includes reporting information to government agencies that have the legal responsibility to monitor Copley. For instance, Copley may be required to disclose PHI if an audit is conducted by a federal or state agency. PHI will be disclosed when required by a court order or other judicial or administrative process.

5. Public Health Activities. PHI will be disclosed when required for public health purposes. This includes reporting patient visits, certain diseases, births, deaths and reactions to certain medications to federal or state agencies. It may also include notifying people who have been exposed to a disease.

6. To Report Abuse. PHI may be disclosed when the information relates to a victim of abuse, neglect or domestic violence. Copley will make this report only in accordance with laws that require or allow such reporting or with patient authorization.

7. Law Enforcement. PHI may be disclosed for law enforcement purposes. This includes providing information to help locate a suspect, fugitive, material witness or missing person, or in connection with suspected criminal activity. Copley must also disclose PHI to a federal agency investigating Copley's compliance with federal privacy regulations.

8. Specialized Purposes. PHI may be disclosed for a number of other specialized purposes. Copley will disclose only as much information as is necessary for the purpose. For example, Copley may disclose the following:

  • Information of members of the armed forces as required by military command authorities
  • Information to coroners, medical examiners, funeral directors and organ procurement organizations (for organ, eye or tissue donation)
  • Information for national security, intelligence and protection of the President
  • Information about an inmate to a correctional institution or to law enforcement officials to provide the inmate with health care, to protect the health and safety of the inmate and others, and for the safety, administration and maintenance of the correctional institution
  • Information to an employer for purposes of workers' compensation and worksite safety laws

9. To Avert a Serious Threat. PHI may be disclosed if necessary to prevent serious harm to the public or to an individual. The disclosure will be made only to someone who is able to prevent or reduce the threat.

10. Family and Friends. Copley may disclose PHI to notify a family member, personal representative or another person responsible for their care of the patient's location, general condition or death. If the patient is present, then before disclosing the information, verbal or written consent will be obtained or the patient will have the opportunity to object. PHI will not be disclosed to family or friends if the patient objects. In the event of a disaster, PHI may be provided to a disaster relief organization so they can notify the family of the patient’s condition and location. In the event of the patient's incapacity or emergency circumstances, PHI may be disclosed based upon the professional judgment of the physician.

11. Facility Directory and Doors. Copley Memorial Hospital will list patients in the patient directory and on patient doors when they are admitted. The directory listing includes name, general condition and location in the hospital. Copley Memorial Hospital will also list the patient's religion in the directory but will disclose that information only to members of the clergy. Except for members of the clergy, Copley will disclose the information in the directory only to visitors who ask for a patient by name. If requested by a patient, Copley will not list them in the directory or place their name on their room door.

12. Research. PHI may be disclosed in connection with medical research projects. Federal rules govern any disclosure of PHI for research purposes without patient authorization.

13. Fundraising. PHI may be used to contact patients to ask for donations to Copley. PHI may be disclosed to a related foundation for the same purpose. If patients do not want to be contacted for this purpose, they have the right to opt-out of fundraising communications with each solicitation.

Breach Notification

1. Notice. Patients have the right to receive notice in the event of a breach of unsecured PHI. Copley will notify individuals who may be affected by a breach of unsecured PHI that compromises the security or privacy of the PHI. Copley will also notify the Department of Health and Human Services and the media, as applicable, in the event of a breach of this nature. All suspected breaches will be investigated and all necessary notifications will be sent in accordance with federal law.

2. Breach. "Breach" means the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of the PHI, except where an authorized person to whom such information is disclosed would not reasonably have been able to retain such information.

Patient Rights

1. Authorization. The following uses and disclosures will be made only with authorization from the patient: uses and disclosures for marketing purposes, uses and disclosures that constitute sale of PHI, and other uses and disclosures not described in this notice. If a patient authorizes Copley to use or disclose their PHI, they have the right to revoke the authorization at any time. For information about how to authorize Copley to use or disclose PHI or about how to revoke an authorization, contact the Privacy Officer listed under "Whom to Contact" at the end of this notice. Patients may not revoke an authorization for Copley to use and disclose their information to the extent that we have taken action on an authorization. If the authorization is to permit disclosure of information to an insurance company as a condition of obtaining coverage, other laws may allow the insurer to continue to use PHI to contest claims or coverage even after the authorization is revoked.

2. Request Restrictions. Patients have the right to restrict how Copley uses or discloses their PHI, including the right to restrict PHI to health plans if the patient has paid out-of-pocket, in full, for services, and the patient requests that Copley not disclose PHI related solely to those services paid out-of-pocket to a health plan.

Copley is not required to agree to the request. If Copley does agree, it will comply with the request unless the information is needed to provide emergency treatment.

Copley cannot agree to restrict disclosures that are required by law.

3. Confidential Communication. Patients have the right to ask Copley to communicate with them at a special address or by special means. For example, they may ask Copley to send mail to a different address rather than to their home, or they may ask Copley to speak to them personally on the telephone rather than sending PHI by mail. Patients must make this request in writing to Copley, and the request must specifically and clearly state how or where the patient wants to be contacted. Copley will not ask the reason for the request and will attempt to accommodate reasonable requests.

4. Inspect And Receive a Copy of PHI. Patients have a right to inspect their PHI contained in Copley's records and to receive a paper and/or electronic copy of it. This right is limited to information about them that is kept in records that are used to make decisions about them. For instance, this includes medical and billing records. If patients want to review or receive a copy of these records, they must make the request in writing. Copley may charge a fee for the cost of copying and mailing the records. To ask to inspect records or to receive a copy, the patient must contact the medical records department at Copley. Copley will respond to the request within 30 days. Copley may deny access to certain information. If access is denied, Copley will give the reason in writing and explain how the patient may appeal the decision.

5. Amend PHI. Patients have the right to ask to amend PHI about them which they believe is not correct or not complete. Patients must make this request in writing and give the reason they believe the information is not correct or complete. Copley will respond to the request in writing within 30 days. The request may be denied if Copley did not create the information, if it is not part of the records used to make decisions about the patient at Copley, if the information is something patients would not be permitted to inspect or copy, or if the record is complete and accurate.

6. Accounting of Disclosures. Patients have a right to receive an accounting of certain disclosures of their information to others. This accounting will list when PHI has been given to others. The list will include dates of the disclosures, the names of the people or organizations to whom the information was disclosed, a description of the information and the reason. Patients must specifically state the time period they want the list to cover. Patients may not request a time period longer than six years.

Disclosures for the following reasons will not be included on the list: disclosures for treatment, payment and health care operations; disclosures of information in a facility directory; disclosures for national security purposes; disclosures to correctional or law enforcement personnel; disclosures that patients have authorized; and disclosures made directly to the patient.

7. Paper Copy of this Privacy Notice. Patients have a right to receive a paper copy of this notice. If patients receive this notice electronically, they may receive a paper copy by contacting the person listed under "Whom to Contact" at the end of this notice.

8. Complaints. Patients have a right to complain about Copley's privacy practices if they think their privacy has been violated. Patients may file a complaint with the Privacy Officer listed under "Whom to Contact" at the end of this notice. A complaint may also be filed directly with the Secretary of the U.S. Department of Health and Human Services. All complaints must be in writing. Copley will not take any retaliation against anyone for filing a complaint.

Rush Health Connect

Copley participates in a health information exchange operated by Rush Health (Rush Health Connect). As a participant, Copley makes patient medical information available electronically to other participating hospitals, physicians and authorized users for treatment, payment and health care operations purposes. Copley may also receive information about patients from other participants in Rush Health Connect. Rush Health Connect may participate in other health information exchanges (HIEs) on our behalf. In the future, Copley may also participate in additional regional, state or federal HIEs.

Copley's participation in Rush Health Connect and other HIEs has been designed to comply with federal and state privacy and security laws. Access to patient information through Rush Health Connect is limited to authorized users who confirm that they will comply with these laws. Patients may elect to opt-out and not allow health or medical information to be available electronically to other providers through Rush Health Connect for treatment. If patients do not want health or medical information to be shared with other providers through Rush Health Connect, they should contact Copley's Privacy Officer, as identified at the bottom of this form, to receive an Opt-Out Form and return it to Copley. Please note that if a patient chooses to opt-out after their information has been shared through Rush Health Connect, information that was previously shared may still be available to other participants, although no new information will be shared. Making medical information available for treatment through Rush Health Connect is not a condition for receiving care.

For more information regarding Rush Health Connect, including its participants, visit https://www.rush-health.com.

Information Sharing Through Electronic Medical Record

Rush Copley Medical Group (RCMG) uses an electronic medical record software called Epic, which has a number of programs that allow Copley to electronically exchange medical information with other health care providers, included but not limited to Care Everywhere and Carequality. These programs facilitate the electronic sharing and exchange of medical and other individually identifiable health information among health care providers. Through these programs, Copley may electronically disclose demographic, medical, billing and other health-related information about patients to other health care providers and electronically request such information from them for purposes including, but not limited to, facilitating or providing treatment, arranging for payment for health care services, or otherwise conducting or administering health care operations.

Patient Privacy Opt-Out Form

(click here to download the form).

This form is used for several different purposes:

Opt Out: You can request that your information be excluded from Care Everywhere (which refers to sharing of the electronic patient record to other external healthcare entities that are also using Epic) and Cures ADT (which refers to electronically sharing of your information regarding new admissions to your Primary Care Provider (PCP).

Reverse Opt Out: You previously chose to Opt Out of Care Everywhere and Cures ADT and am now choosing to participate (Opt In).

Non-Discrimination

Copley complies with applicable Federal civil rights laws and does not discriminate on the basis of race, color, national origin, age, disability or sex. Copley does not exclude people or treat them differently because of race, color, national origin, age, disability or sex. Copley provides the following:

  • Free aids and services to people with disabilities to communicate effectively with Copley providers, such as:
    • Qualified sign language interpreters
    • Written information in other formats (large print, audio, accessible electronic formats, other formats)
  • Free language services to people whose primary language is not English, such as:
    • Qualified interpreters
    • Information written in other languages

If you need these services, contact the Patient Advocate. If you believe Copley has failed to provide these services or discriminated in another way on the basis of race, color, national origin, age, disability or sex, you can file a grievance with:

Patient Advocate
2000 Ogden Ave.
Aurora, IL 60504
(630) 978-4832, (630) 375-2833 (fax)
(630) 978-6224 (TTY)
patientadvocate@rushcopley.com

You can file a grievance in person or by mail, fax or email. If you need help filing a grievance, the Patient Advocate is available to help you.

You can also file a civil rights complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, electronically through the Office for Civil Rights Complaint Portal, available at https://ocrportal.hhs.gov/ocr/portal/lobby.jsf, or by email or phone at:

U.S. Department of Health and Human Services
200 Independence Ave., SW
Room 509F, HHH Building
Washington, DC 20201
(800) 368-1019, (800) 537-7697(TTY)

Complaint forms are available at http://www.hhs.gov/ocr/office/file/index.html.

Right to Change This Notice

Copley reserves the right to change the organization's privacy practices as described in this notice at any time. Copley reserves the right to apply these changes to any PHI it already has, as well as to health information received in the future. The new notice will be posted in the Copley facilities and the Copley website. The new notice will include an effective date.

Whom to Contact:
Privacy Officer
Rush Copley Medical Center
2000 Ogden Ave.
Aurora, IL 60504
(630) 499-4721

Last updated: 2/1/17

Protecting your personal health information

While Rush University System for Health uses security tools and processes to keep your information safe, we also want to recommend tips that you can also use to protect your privacy and personal health information. 

One of the first ways to protect yourself is by recognizing and preparing for privacy threats before they happen. Below you can find information on popular scams and tips for protecting yourself.

Telephone Call Scams

Telephone scammers try to steal your personal information, including insurance or medical information. Scams may come through phone calls from real people, robocalls, or text messages. Phone scammers can manipulate caller ID information, also called spoofing, to make it appear as if the received telephone call is coming from a legitimate Rush telephone number. This scam tactic makes the call more likely to be trusted and answered. When the call is answered, the scammer may attempt to obtain your personal information.

Email Message Scams

Scammers may also attempt to obtain your personal information by sending a malicious email in a scam called phishing. They may impersonate a legitimate business, such as Rush, and ask you to confirm or provide personal information. These emails may look legitimate and create a sense of urgency or alarm, making you feel as if you must act.

Tips for Protecting Your Personal Health Information

  • Create unique passwords for your online accounts using a combination of letters, numbers and symbols. 
  • If available on devices such as your phone, tablet, or laptop, enable biometric access features e.g., using your fingerprint, facial recognition, voice activation, etc. to unlock your device.
  • Be alert if asked for personal information (such as Social Security number, medical identification number, credit card number) or health insurance information. 
  • If you can’t confirm the identity of someone requesting your personal health information, call the person back using a publicly available phone number or a phone number you already have on file.
  • Take a moment to carefully review your emails. Ask yourself whether you were expecting to receive the message.
  • Look for common signs of fake emails – typos, grammatical errors, awkward language, extra spaces, or missing words.
  • Be wary of emails that contain an attachment or a link to click, which requires you to provide personal information.

What To Do if You Receive a Telephone or Email Scam

If you believe you’ve received a fraudulent phone call or email, you can report it to RUSH and federal agencies.