All heb.com
  • All heb.com
  • Products Only
  • Recipes Only

H-E-B Health Care Services
Notice of Privacy Practice

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

H-E-B Health Care Services is required by law to maintain the privacy of your Protected Health Information (PHI) and to provide individuals with notice of our legal duties and privacy practices with respect to PHI. We are also required to notify you of a Breach of your Unsecured PHI. PHI includes information held by H-E-B Health Care Services that may identify you and that relates to your past, present or future physical or mental health or condition or payment for health care services.

This Notice of Privacy Practices (Notice) describes how we may use and disclose PHI to carry out treatment, payment or health care operations and for other specified purposes that are permitted or required by law. The Notice also describes your rights with respect to PHI.

H-E-B Health Care Services is required to follow the terms of this Notice. We reserve the right to change our practices and the terms of this Notice at any time. We also reserve the right to make the new Notice provisions effective for all PHI we currently maintain, as well as any PHI we receive in the future. If we make material or important changes to our privacy practices, we will promptly revise our Notice. The revised Notice will be posted at all H-E-B Health Care Services locations and on the H-E-B Health Care Services website, http://www.heb.com/index.jsp, and copies will be available upon request at all H-E-B Health Care Services locations.

Your Health Information Rights

You have the following rights with respect to your PHI:

Obtain a paper copy of the Notice upon request. You may request a paper copy of this Notice at any time, even if you have agreed to receive this Notice electronically. You may obtain a paper copy at your Health Care Services location or by contacting the H-E-B Privacy Office.

Review and obtain a copy of PHI. You have the right to review and copy your PHI contained in a designated record set for as long as H-E-B Health Care Services maintains your PHI. The designated electronic record set usually will include prescription and/or billing records. To request a review or copy of your PHI, complete and submit a Request to Review and Copy form. The form is available from any H-E-B Health Care Services location or the H-E-B Privacy Office.

You may request access to your PHI in a certain electronic form and format if readily producible or, if not readily producible, in a mutually agreeable electronic form and format. If our electronic health records system is capable of fulfilling your request for your PHI in electronic format, we will provide your PHI to you in electronic form within 15 business days after we receive your written request, unless you agree to accept the PHI in another form.

If you request a copy of your PHI, we may charge a cost-based fee for the labor, supplies, and postage required to meet your request. We may deny your request to review and copy in certain limited circumstances. If you are denied access to your PHI, you may request the denial be reassessed.

Request an amendment of PHI. If you feel that PHI we maintain about you is incomplete or incorrect, you may request that we amend your PHI. You may request an amendment for as long as we maintain the PHI. To request an amendment, you must complete and submit a Request for Amendment form. The form is available from any H-E-B Health Care Services location or the H-E-B Privacy Office. In certain cases, we may deny your request for amendment. If we deny your request for amendment, you have the right to file a statement of disagreement with the decision and we may give a rebuttal to your statement.

Receive an accounting of disclosures of PHI. You have the right to request an accounting of the disclosures we have made of your PHI. Your request must specify the time period to be accounted for, but may not be longer than six years prior to the date on which the accounting is requested. Please note that certain disclosures need not be included in the accounting we provide to you, such as disclosures made directly to you, disclosures authorized by you, disclosures to friends or family members involved in your care, and disclosures for notification purposes as outlined in federal and state regulations. The right to receive an accounting is subject to certain other exceptions, restrictions, and limitations. To request an accounting, you must complete and submit a Request for Accounting form. The form is available from any H-E-B Health Care Services location or the H-E-B Privacy Office.

The first accounting requested within a twelve month period will be provided free of charge, but you may be charged for the cost of providing additional accountings. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time.

Request communications of PHI by alternate means or at alternate locations. You have the right to request that we communicate with you in a certain manner or at a certain location regarding the services you receive from us. For example, you may request that we contact you about medical matters only in writing or at a different residence or post office box. To request confidential communication of your PHI, complete and submit a Request of Alternative Communication form. The form is available from any H-E-B Health Care Services location or the H-E-B Privacy Office. We will accommodate all reasonable requests.

Request a restriction. You have the right to request a restriction on how we use and disclose your PHI for treatment, payment, and health care operations. In most circumstances, we are not required to agree to your request. If we do agree, we will comply with your request unless the information is needed to provide you emergency treatment. We are required to agree to a request that we restrict a disclosure made to a health plan for payment or health care operations purposes that is not otherwise required by law, if you, or someone other than the health plan on your behalf, paid for the service or item in question out-of-pocket in full. To request a restriction, complete and submit a written Request of Additional Restrictions form. The form is available from any H-E-B Health Care Services location or the H-E-B Privacy Office. Each request will be evaluated on a case by case basis.

Incidental disclosures. H-E-B Health Care Services will make reasonable efforts to avoid incidental disclosures of your protected health information. An example of an incidental disclosure is conversations that may be overheard between the pharmacy staff and the patient at the drive-thru, as a result of the speaker system. To reduce the likelihood of this happening, H-E-B recommends that you go inside the store to the pharmacy for any consultations.

Examples of How We May Use and Disclose PHI

The following are descriptions and examples of ways H-E-B Health Care Services may use and disclose PHI:

Treatment: We may use and disclose your PHI to provide you with treatment. For example, we may contact you regarding medications, product recalls, re-fill reminders or disease state management. We may disclose your PHI to another pharmacist or to your physician for the purpose of a consultation.

Payment: We may use and disclose your PHI for payment purposes. For example, we may contact your insurer, pharmacy benefits manager, discount card provider, or other third-party payer to determine whether the payer will pay for your prescription and the amount of your copayment. We may bill you or a third-party payer for the cost of prescription medications or other services provided to you. The information on or accompanying the bill may include information that identifies you, your diagnosis, as well as the prescriptions you are taking and the services provided.

Health care operations: We may use and disclose your PHI to support certain of our business activities, known as our health care operations. For example, we may use your PHI to monitor the performance of the licensed health care professional(s) providing your treatment. This information may be used in an effort to continually improve the quality and effectiveness of the health care and service we provide. We may also disclose your PHI to third party "business associates" that perform certain services on our behalf. In these cases, we enter into written contracts with the business associates to ensure they protect the privacy of your PHI. For example, we may contract for certain services, such as claims auditing. When these services are contracted for, we may release your PHI to our business associate so that they can perform the job we have contracted them to do.

Communication with individuals involved in your care or payment for your care and notification: If you verbally agree to the use or disclosure and in certain other circumstances, we may make the following disclosures. We may disclose to your family, friends, and anyone else whom you identify who is involved in your medical care or who helps pay for your care, PHI relevant to that person's involvement in your care or paying for your care. We may also make these disclosures after your death unless doing so is inconsistent with any prior expressed preference that is known to us. We may use or disclose your information to notify or assist in notifying a family member, personal representative or any other person responsible for your care regarding your physical location within H-E-B Health Care Services, your general condition, or death. We may also use or disclose your PHI to disaster-relief organizations so that your family or other persons responsible for your care can be notified about your condition, status and location.

Health Information Exchange: We may share your medical information with an approved Health Information Exchange (HIE) for the purpose of healthcare treatment by other health care providers. Health Information Exchanges facilitate the exchange of electronic PHI between healthcare providers to provide better coordination of care and informed healthcare treatment decisions.

Health-related communications: We may send written treatment communication to you regarding: certain health-related products or services that we offer, case management and care coordination, prescription refill reminders, or to direct or recommend alternative treatments, therapies, health care providers or setting of care that may be of interest to you. In some cases where we are compensated by third parties to send these types of communications, we must obtain your authorization before sending the communication.

Workers' compensation: We may disclose your PHI as authorized by and as necessary to comply with laws relating to workers' compensation or similar programs that provide benefits for work-related injuries or illness without regard to fault.

Public health: We may disclose your PHI for public health activities such as preventing or controlling disease, injury, or disability; reporting births or deaths; reporting child abuse or neglect; activities related to the quality, safety, or effectiveness of FDA-regulated products; to notify a person who may have been exposed to a communicable disease or may be at risk for contracting or spreading a disease or condition as authorized by law; to notify an employer of findings concerning workrelated illness or injury or general medical surveillance that the employer needs to comply with the law if you are provided notice of such disclosure; and to provide proof of a student or prospective student's immunization to a school if the school is required by law to have such proof of immunization prior to admitting the student and we obtain written or verbal authorization for the disclosure from a parent, guardian, or person acting in the place of a parent for the individual, or from the individual himself if he/she is an adult or emancipated minor.

Law enforcement: We may disclose your PHI to law enforcement officials for several different purposes: to comply with a court order, warrant, subpoena, summons, or other similar process; to identify or locate a suspect, fugitive, material witness, or missing person; about the victim of a crime, if the victim agrees or we are unable to obtain the victim's agreement; about a death we suspect may have resulted from criminal conduct; about criminal conduct we believe in good faith to have occurred on our premises; and to report a crime not occurring on our premises, the nature of a crime, the location of a crime, and the identity, description and location of the individual who committed the crime, in an emergency situation.

As required by law: We may use and disclose your PHI when required to do so by law.

Health oversight activities: We may disclose your PHI to a health oversight agency for activities authorized by law. These oversight activities are necessary for the government to monitor the health care system, government benefit programs, compliance with government regulatory programs, and compliance with civil rights laws.

Judicial and administrative proceedings: If you are involved in a legal proceeding, we may disclose your PHI in response to a court or administrative order. We may also disclose your PHI in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the requested PHI.

Research: We may use and disclose your PHI to researchers when their research has been approved by an institutional review board (IRB) or Privacy Board that has reviewed the research proposal and approved protocols to ensure the privacy of your information, as allowed by law, and for certain other research activities.

Coroners, medical examiners, and funeral directors: We may disclose your PHI to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. We may also disclose PHI to funeral directors consistent with applicable law to carry out their duties. Organ or tissue procurement organizations: Consistent with applicable law, we may use and disclose your PHI to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye or tissue donation and transplantation.

Correctional institution: If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may disclose your PHI to the correctional institution or law enforcement official to assist them in providing you health care, protecting your health and safety or the health and safety of others, or for the safety of the correctional institution.

To avert a serious threat to health or safety: If there is a serious threat to your health and safety or the health and safety of the public or another person, we may use and disclose your PHI to someone able to help prevent the threat or as necessary for law enforcement authorities to identify or apprehend an individual.

Military and veterans: If you are a member of the armed forces, we may disclose your PHI as required by military command authorities. We may also disclose PHI about foreign military personnel to the appropriate military authority.

National security and intelligence activities: We may disclose your PHI to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.

Protective services for the President and others: We may disclose your PHI to authorized federal officials so they may provide protection to the President, other authorized persons or foreign heads of state, or conduct special investigations.

Victims of abuse, neglect, or domestic violence: We may disclose your PHI to a government authority, such as a social service or protective services agency, if we reasonably believe you are a victim of abuse, neglect, or domestic violence. We will only make this disclosure if you agree, or when required or authorized by law. We may make this disclosure if expressly authorized by law and we believe it is necessary to prevent serious harm to you or you are unable to agree to the disclosure because of incapacity and the law enforcement or public official that is to receive the report represents that it is necessary and will not be used against you.

Other Uses and Disclosures of PHI

H-E-B Health Care Services will obtain your written authorization before using or disclosing your PHI for purposes other than those covered above in this Notice. Some examples include:

  • Psychotherapy Notes: We usually do not maintain psychotherapy notes about you. If we do, we will only use and disclose them with your written authorization except in limited situations.
  • Marketing: We may only use and disclose your PHI for marketing purposes with your written authorization, unless the communication is a face-to-face communication made by us to you or a promotional gift of nominal value provided to you by us.
  • Sale of Your PHI: We may sell your PHI only with your written authorization.


You may revoke an authorization in writing at any time. Upon receipt of the written revocation, we will stop using or disclosing your PHI as specified by your revocation, except to the extent that we have already taken action in reliance on the authorization.

Notice of Electronic Disclosure

Your PHI may be disclosed electronically. We may not electronically disclose your PHI to any person without a separate authorization from you for each disclosure, except as otherwise authorized or required by state or federal law (such as those purposes outlined above). This authorization for electronic disclosure may be made in written or electronic form, or in oral form if we document it in writing.

For More Information or to Report a Problem

If you have questions or would like additional information about H-E-B Health Care Services' privacy practices, you may contact the H-E-B Privacy Officer at (210) 938-4923, toll free at 1-866-432-4318, or by email at privacyoffice@heb.com.

If you believe your privacy rights have been violated, you can file a complaint with the H-E-B Privacy Office at (210) 938-4923, toll free at 1-866-432-4318, or by email at privacyoffice@heb.com or with the Secretary of the U. S. Department of Health and Human Services. You will not be retaliated against for filing a complaint.

Effective Date

This Notice is effective as of September 23, 2013