Right to Privacy – HIPAA

Protected Health Information



COSC will meet all state and federal regulations related to patient privacy and confidentiality of individually identified protected health information (PHI). The policy applies to all COSC employees, contracted workers, volunteers, and students.




To ensure that Central Oregon Surgery Center, LLC (COSC) meets or exceeds all state and federal regulations related to patient privacy and confidentiality and to ensure that privacy practices support and enhance the provisions of safe, timely, and effective patient care.




This policy will apply to all COSC staff, volunteers, students and contracted personnel and will address the following issues associated with patient privacy and confidentiality related to PHI.


1.   Permitted uses and disclosures of PHI

2.   Restrictions on uses and disclosures of PHI

3.   Required disclosures of PHI

4.   Patient privacy rights

5.   Use and disclosure of PHI for marketing

6.   Use and disclosure of PHI for fundraising

7.   Use and disclosure of PHI for research purposes

8.   Staff training of PHI

9.   Role of the privacy officer

10. Reporting breaches in confidentiality

11.  Sanctions for breaches in confidentiality


The following are definitions of terms associated with patient privacy and confidentiality of individual identifiable PHI.


Health Information: any information, whether oral or recorded in any medium, that is created by COSC and relates to past, present, or future physical or mental health condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of healthcare to an individual.


Individually Identifiable Health Information: Information that is a subset of health information, including demographic information that identifies the individual or can be used to identify the individual.


Protected Health Information (PHI): Individually identifiable health information that is maintained in any form or medium and/or is transmitted by any electronic medium.


Treatment, Payment, and Healthcare Operations (TPHO): This phrase is used to describe the basic circumstances under which PHI may be used and disclosed. (Please see Volume 65 Federal Register, pages 82803-82805 dated 12/28/2000 for a more detailed description of treatment, payment, and healthcare operations.)


Treatment- refers to the provision or coordination of care, consultation between providers, or referral to another provider.


Payment- refers to activities associated with billing and reimbursement.


Healthcare Operations- refers to any activities associated with conducting the business of providing care to patients.


Minimum Necessary: This is a term used to describe the healthcare providers’ responsibility when requesting or providing PHI to limit the request or disclosure to the minimum amount of information necessary to accomplish the intended purpose of the request or disclosure. That is, providers have a responsibility to specifically determine what information they require and limit their request to that information, rather than requesting the entire record merely for the sake of convenience.


Business Associate: Any individual or entity that performs work on behalf of the healthcare provider organization. Business associates requiring access to PHI must agree in writing to hold that information at the same level of confidentiality as the provider organization on whose behalf they work.


Designated Record Set (DRS): A group of medical and billing records of a patient that is used to make decisions about the patient. In this context, “record” means any item, collection, or group of information that includes PHI and is maintained, collected, used or disseminated by or for the provider organization.


Marketing: is the communication about a product or service for the purpose of encouraging recipients of the communication to purchase or use the product or service.


Authorization: refers to a document that allows the covered entity to use a patient’s PHI for purposes other than treatment, payment, or healthcare operations. Examples requiring authorization include the use of PHI for marketing, research, or release of information to other third parties. Authorization is time limited and the timeframe for which the authorization is valid must be included in the authorization.


1.    Permitted uses and disclosures of protected health information (PHI)

a.    Individually identifiable PHI cannot be used or disclosed without written consent or authorization of the individual, the parent of a minor child, or the individual’s personal representative.

b.    PHI may be used or disclosed for treatment, payment, or healthcare operations by the treating facility. PHI may be shared with other healthcare providers for that provider’s treatment and payment activities.


2.    Restriction on uses and disclosures of PHI with opportunities to agree or object.

a.    PHI may be used or disclosed within COSC’s patient directory without written consent, provided the patient is informed in advance that their information will be included and has a chance to object to the use or disclosure, so that others may reach the patient. PHI that can be included within COSC’s patient directory is limited to the individual’s condition and location in the facility. This information can be disclosed only to those persons who ask for the patient by name.

b.    PHI can be disclosed to family members, other relatives, a close personal friend, or any other person identified by the patient as long as the PHI disclosed is directly relevant to the person’s involvement with the patient’s care or payment for treatment.

c.    PHI can be used or disclosed to notify, identify, or locate a family member, personal representative or another responsible person of the patient, the patient’s location, general condition, or death, provided the patient has been informed in advance that their information may be used in this manner and has had the opportunity to object.

d.    If the patient is capable of making their own decisions, the provider must abide by those decisions. If the patient is incapable of making their own healthcare decisions, the provider may use professional judgement and experience with common practice to make reasonable inferences about the patient’s best interests.


3.    Required disclosures of PHI

a.    Use and disclosure of PHI is required by law in certain circumstances, and in those circumstances, does not require the express consent of the patient. The most common circumstances are: abuse cases, reportable diseases, and police matters.




4.    Patient Privacy Rights

a.    Patients have a number of rights pertaining to privacy and access to their own medical records. These rights include:

        i.    Notice of Privacy Practices (NOPP) is a written document that describes the patient’s rights with regard to the uses and disclosures of PHI that may be made by COSC. This notice must be provided and explained to patients, beginning after April 15, 2003. COSC will offer a copy of the NOPP to each patient.

        ii.    Access to Medical Records: Patients have the right to view or obtain a copy of their own medical records. All requests must be made in writing.

        (See Policy #1.14 – Patient Access to Records)

        iii.    Amendments to Medical Records: Patients have the right to request that the healthcare provider amend those medical records that are maintained in the designated record set. All requests for amendments must be made in writing.

        (See Policy #1.15 – Request for Amendment of Records)

        iv.    Accounting of Disclosures: Patients have the right to an accounting of disclosures of their PHI that was created after April 15, 2003. The request for an accounting of disclosures must be made in writing.

        (See Policy #1.13 – Right to Receive Accounting of Disclosures- HIPAA)

        v.    Patient Complaint Process: Patients have the right to make complaints about COSC’s privacy policies, procedures, and practices.

        (See Policy #1.5 – Voicing of Complaint / Grievances)


5.     Use and disclosure of PHI for marketing

a.    PHI may not be used for marketing purposes without the express authorization of the patient unless the communication:

        i.    Occurs in a face-to-face encounter with the patient; or

        ii.    Concerns products or services of nominal value.

b.    Communication is not considered “marketing” if it is:

        i.    Tailored to a particular individual and made as a part of the individual’s treatment and for the purpose of furthering the treatment.

        ii.    Made in the course of treatment or for the purpose of describing alternative forms of treatment or therapy.

        iii.    Made orally or in writing, and the provider does not receive remuneration from a third party for making the communication.


6.    Use and disclosure of PHI for fundraising

a.    PHI may not be used or disclosed for fundraising for COSC’s own benefit without the patient’s express prior consent, provided that the disclosure is limited to demographic information about the individual and the dates of treatment.

b.    No other uses or disclosures of PHI for fundraising are permitted unless a statement is included in the Notice of Privacy Practices.

c.    Any fundraising material sent to individuals must include instructions on how to opt out of receiving further fundraising communications.

d.    COSC must make reasonable efforts to ensure that individuals who opt out of receiving fundraising communication are not sent such communication.


7.     Uses and disclosure of PHI for research purposes

a.    Authorization for the use and disclosure of PHI for research purposes must be obtained prior to the use or disclosure of that information.

b.    Individuals have the right to refuse authorization for the use and disclosure of their PHI for research purposes and treatment cannot be denied for this reason unless the treatment is to be rendered as a result of participation in the research.


8.     Staff training

a.    All members of the healthcare provider’s workforce must participate in training focused on policies and procedures pertaining to patient privacy and confidentiality of individually identifiable PHI.

b.    New employees must be trained within 30 days of employment.

c.    All affected staff must be re-trained in a timely manner whenever there is a change to the policies and procedures pertaining to patient privacy and confidentiality of individually identifiable PHI.


9.     Role of the Privacy Officer

a.    The Privacy Officer is an internal resource responsible for the development and implementation of policies and procedures related to privacy and confidentiality of individually identifiable PHI.

b.    The Privacy Officer is responsible for continued compliance by COSC with its established policies and procedures and with applicable State and Federal laws.

c.    The Privacy Officer is responsible for receiving, investigating, and making appropriate dispositions of any complaints related to privacy violations.


10.   Sanctions for breaches in confidentiality

a.    All staff members are required to comply with this policy and any other privacy policies and procedures. Failure to comply with established privacy policies and procedures will result in appropriate disciplinary action, depending upon the nature of the violation and the circumstances. If the violation is found to have malicious intent and/or to be for the purpose of personal gain, it may result in immediate termination without benefit of a progressive disciplinary process.

b.    Contractors, vendors or any other business associates of COSC are required to comply with established privacy policies and procedures when acting on behalf or in concert with COSC. Failure to comply may result in termination of the business relationship.

c.    Members of the medical staff are required to comply with established privacy policies and procedures as identified in the Medical Staff Bylaws. Failure to comply with established rules and regulations will be addressed in accordance with those rules.