H-E-B Health Care Services
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU
MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO
THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Notice of Privacy Practice
H-E-B Health Care Services is required by law to maintain the privacy of
your Protected Health Information (PHI) and to provide individuals with
notice of our legal duties and privacy practices with respect to PHI. We
are also required to notify you of a Breach of your Unsecured PHI. PHI
includes information held by H-E-B Health Care Services that may
identify you and that relates to your past, present or future physical or
mental health or condition or payment for health care services.
This Notice of Privacy Practices (Notice) describes how we may use and
disclose PHI to carry out treatment, payment or health care operations
and for other specified purposes that are permitted or required by law.
The Notice also describes your rights with respect to PHI.
H-E-B Health Care Services is required to follow the terms of this Notice.
We reserve the right to change our practices and the terms of this Notice
at any time. We also reserve the right to make the new Notice provisions
effective for all PHI we currently maintain, as well as any PHI we receive
in the future. If we make material or important changes to our privacy
practices, we will promptly revise our Notice. The revised Notice will be
posted at all H-E-B Health Care Services locations and on the H-E-B
Health Care Services website, http://www.heb.com/index.jsp, and copies
will be available upon request at all H-E-B Health Care Services
Your Health Information Rights
You have the following rights with respect to your PHI:
Obtain a paper copy of the Notice upon request
. You may request a
paper copy of this Notice at any time, even if you have agreed to receive
this Notice electronically. You may obtain a paper copy at your Health
Care Services location or by contacting the H-E-B Privacy Office
Review and obtain a copy of PHI.
You have the right to review and
copy your PHI contained in a designated record set for as long as H-E-B
Health Care Services maintains your PHI. The designated electronic
record set usually will include prescription and/or billing records. To
request a review or copy of your PHI, complete and submit a Request to
Review and Copy form. The form is available from any H-E-B Health Care
Services location or the H-E-B Privacy Office
You may request access to your PHI in a certain electronic form and
format if readily producible or, if not readily producible, in a mutually
agreeable electronic form and format. If our electronic health records
system is capable of fulfilling your request for your PHI in electronic
format, we will provide your PHI to you in electronic form within 15
business days after we receive your written request, unless you agree to
accept the PHI in another form.
If you request a copy of your PHI, we may charge a cost-based fee for the
labor, supplies, and postage required to meet your request. We may
deny your request to review and copy in certain limited circumstances. If
you are denied access to your PHI, you may request the denial be
Request an amendment of PHI.
If you feel that PHI we maintain about
you is incomplete or incorrect, you may request that we amend your PHI.
You may request an amendment for as long as we maintain the PHI. To
request an amendment, you must complete and submit a Request for
Amendment form. The form is available from any H-E-B Health Care
Services location or the H-E-B Privacy Office
. In certain cases, we may
deny your request for amendment. If we deny your request for
amendment, you have the right to file a statement of disagreement with
the decision and we may give a rebuttal to your statement.
Receive an accounting of disclosures of PHI.
You have the right to
request an accounting of the disclosures we have made of your PHI. Your
request must specify the time period to be accounted for, but may not be
longer than six years prior to the date on which the accounting is
requested. Please note that certain disclosures need not be included in
the accounting we provide to you, such as disclosures made directly to
you, disclosures authorized by you, disclosures to friends or family
members involved in your care, and disclosures for notification purposes
as outlined in federal and state regulations. The right to receive an
accounting is subject to certain other exceptions, restrictions, and
limitations. To request an accounting, you must complete and submit a
Request for Accounting form. The form is available from any H-E-B
Health Care Services location or the H-E-B Privacy Office
The first accounting requested within a twelve month period will be
provided free of charge, but you may be charged for the cost of providing
additional accountings. We will notify you of the cost involved and you
may choose to withdraw or modify your request at that time.
Request communications of PHI by alternate means or at alternate
You have the right to request that we communicate with you
in a certain manner or at a certain location regarding the services you
receive from us. For example, you may request that we contact you
about medical matters only in writing or at a different residence or post
office box. To request confidential communication of your PHI, complete
and submit a Request of Alternative Communication form. The form is
available from any H-E-B Health Care Services location or the H-E-B
. We will accommodate all reasonable requests.
Request a restriction.
You have the right to request a restriction on
how we use and disclose your PHI for treatment, payment, and health
care operations. In most circumstances, we are not required to agree to
your request. If we do agree, we will comply with your request unless the
information is needed to provide you emergency treatment. We are
required to agree to a request that we restrict a disclosure made to a
health plan for payment or health care operations purposes that is not
otherwise required by law, if you, or someone other than the health plan
on your behalf, paid for the service or item in question out-of-pocket in
full. To request a restriction, complete and submit a written Request of
Additional Restrictions form. The form is available from any H-E-B
Health Care Services location or the H-E-B Privacy Office
. Each request
will be evaluated on a case by case basis.
H-E-B Health Care Services will make
reasonable efforts to avoid incidental disclosures of your protected health
information. An example of an incidental disclosure is conversations
that may be overheard between the pharmacy staff and the patient at the
drive-thru, as a result of the speaker system. To reduce the likelihood of
this happening, H-E-B recommends that you go inside the store to the
pharmacy for any consultations.
Examples of How We May Use and Disclose PHI
The following are descriptions and examples of ways H-E-B Health Care
Services may use and disclose PHI:
We may use and disclose your PHI to provide you with
treatment. For example, we may contact you regarding medications,
product recalls, re-fill reminders or disease state management. We may
disclose your PHI to another pharmacist or to your physician for the
purpose of a consultation.
We may use and disclose your PHI for payment purposes.
For example, we may contact your insurer, pharmacy benefits manager,
discount card provider, or other third-party payer to determine whether
the payer will pay for your prescription and the amount of your
copayment. We may bill you or a third-party payer for the cost of
prescription medications or other services provided to you. The
information on or accompanying the bill may include information that
identifies you, your diagnosis, as well as the prescriptions you are taking
and the services provided.
Health care operations:
We may use and disclose your PHI to support
certain of our business activities, known as our health care operations.
For example, we may use your PHI to monitor the performance of the
licensed health care professional(s) providing your treatment. This
information may be used in an effort to continually improve the quality
and effectiveness of the health care and service we provide. We may also
disclose your PHI to third party "business associates" that perform
certain services on our behalf. In these cases, we enter into written
contracts with the business associates to ensure they protect the privacy
of your PHI. For example, we may contract for certain services, such as
claims auditing. When these services are contracted for, we may release
your PHI to our business associate so that they can perform the job we
have contracted them to do.
Communication with individuals involved in your care or payment
for your care and notification
: If you verbally agree to the use or
disclosure and in certain other circumstances, we may make the
following disclosures. We may disclose to your family, friends, and
anyone else whom you identify who is involved in your medical care or
who helps pay for your care, PHI relevant to that person's involvement in
your care or paying for your care. We may also make these disclosures
after your death unless doing so is inconsistent with any prior expressed
preference that is known to us. We may use or disclose your information
to notify or assist in notifying a family member, personal representative
or any other person responsible for your care regarding your physical
location within H-E-B Health Care Services, your general condition, or
death. We may also use or disclose your PHI to disaster-relief
organizations so that your family or other persons responsible for your
care can be notified about your condition, status and location.
: We may send written treatment
communication to you regarding: certain health-related products or
services that we offer, case management and care coordination,
prescription refill reminders, or to direct or recommend alternative
treatments, therapies, health care providers or setting of care that may
be of interest to you. In some cases where we are compensated by third
parties to send these types of communications, we must obtain your
authorization before sending the communication.
: We may disclose your PHI as authorized by
and as necessary to comply with laws relating to workers' compensation
or similar programs that provide benefits for work-related injuries or
illness without regard to fault.
We may disclose your PHI for public health activities
such as preventing or controlling disease, injury, or disability; reporting
births or deaths; reporting child abuse or neglect; activities related to the
quality, safety, or effectiveness of FDA-regulated products; to notify a
person who may have been exposed to a communicable disease or may
be at risk for contracting or spreading a disease or condition as
authorized by law; to notify an employer of findings concerning workrelated
illness or injury or general medical surveillance that the employer
needs to comply with the law if you are provided notice of such
disclosure; and to provide proof of a student or prospective student's
immunization to a school if the school is required by law to have such
proof of immunization prior to admitting the student and we obtain
written or verbal authorization for the disclosure from a parent,
guardian, or person acting in the place of a parent for the individual, or
from the individual himself if he/she is an adult or emancipated minor.
We may disclose your PHI to law enforcement
officials for several different purposes: to comply with a court order,
warrant, subpoena, summons, or other similar process; to identify or
locate a suspect, fugitive, material witness, or missing person; about the
victim of a crime, if the victim agrees or we are unable to obtain the
victim's agreement; about a death we suspect may have resulted from
criminal conduct; about criminal conduct we believe in good faith to have
occurred on our premises; and to report a crime not occurring on our
premises, the nature of a crime, the location of a crime, and the identity,
description and location of the individual who committed the crime, in an
As required by law:
We may use and disclose your PHI when required
to do so by law.
Health oversight activities:
We may disclose your PHI to a health
oversight agency for activities authorized by law. These oversight
activities are necessary for the government to monitor the health care
system, government benefit programs, compliance with government
regulatory programs, and compliance with civil rights laws.
Judicial and administrative proceedings:
If you are involved in a
legal proceeding, we may disclose your PHI in response to a court or
administrative order. We may also disclose your PHI in response to a
subpoena, discovery request, or other lawful process by someone else
involved in the dispute, but only if efforts have been made to tell you
about the request or to obtain an order protecting the requested PHI.
We may use and disclose your PHI to researchers when their
research has been approved by an institutional review board (IRB) or
Privacy Board that has reviewed the research proposal and approved
protocols to ensure the privacy of your information, as allowed by law,
and for certain other research activities.
Coroners, medical examiners, and funeral directors:
disclose your PHI to a coroner or medical examiner for the purpose of
identifying a deceased person, determining a cause of death, or other
duties as authorized by law. We may also disclose PHI to funeral
directors consistent with applicable law to carry out their duties.
Organ or tissue procurement organizations: Consistent with
applicable law, we may use and disclose your PHI to organ procurement
organizations or other entities engaged in the procurement, banking, or
transplantation of cadaveric organs, eyes, or tissue for the purpose of
facilitating organ, eye or tissue donation and transplantation.
If you are an inmate of a correctional
institution or under the custody of a law enforcement official, we may
disclose your PHI to the correctional institution or law enforcement
official to assist them in providing you health care, protecting your health
and safety or the health and safety of others, or for the safety of the
To avert a serious threat to health or safety:
If there is a serious
threat to your health and safety or the health and safety of the public or
another person, we may use and disclose your PHI to someone able to
help prevent the threat or as necessary for law enforcement authorities to
identify or apprehend an individual.
Military and veterans:
If you are a member of the armed forces, we
may disclose your PHI as required by military command authorities. We
may also disclose PHI about foreign military personnel to the appropriate
National security and intelligence activities:
We may disclose your
PHI to authorized federal officials for intelligence, counterintelligence,
and other national security activities authorized by law.
Protective services for the President and others:
We may disclose
your PHI to authorized federal officials so they may provide protection to
the President, other authorized persons or foreign heads of state, or
conduct special investigations.
Victims of abuse, neglect, or domestic violence:
We may disclose
your PHI to a government authority, such as a social service or protective
services agency, if we reasonably believe you are a victim of abuse,
neglect, or domestic violence. We will only make this disclosure if you
agree, or when required or authorized by law. We may make this
disclosure if expressly authorized by law and we believe it is necessary to
prevent serious harm to you or you are unable to agree to the disclosure
because of incapacity and the law enforcement or public official that is to
receive the report represents that it is necessary and will not be used
Other Uses and Disclosures of PHI
H-E-B Health Care Services will obtain your written authorization before
using or disclosing your PHI for purposes other than those covered above
in this Notice. Some examples include:
- Psychotherapy Notes: We usually do not maintain psychotherapy
notes about you. If we do, we will only use and disclose them with
your written authorization except in limited situations.
- Marketing: We may only use and disclose your PHI for marketing
purposes with your written authorization, unless the communication
is a face-to-face communication made by us to you or a promotional
gift of nominal value provided to you by us.
- Sale of Your PHI: We may sell your PHI only with your written
You may revoke an authorization in writing at any time. Upon receipt of
the written revocation, we will stop using or disclosing your PHI as
specified by your revocation, except to the extent that we have already
taken action in reliance on the authorization.
Notice of Electronic Disclosure
Your PHI may be disclosed electronically. We may not electronically
disclose your PHI to any person without a separate authorization from
you for each disclosure, except as otherwise authorized or required by
state or federal law (such as those purposes outlined above). This
authorization for electronic disclosure may be made in written or
electronic form, or in oral form if we document it in writing.
For More Information or to Report a Problem
If you have questions or would like additional information about H-E-B
Health Care Services' privacy practices, you may contact the H-E-B
at (210) 938-4923, toll free at 1-866-432-4318, or by
email at email@example.com
If you believe your privacy rights have been violated, you can file a
complaint with the H-E-B Privacy Office
at (210) 938-4923, toll free at
1-866-432-4318, or by email at firstname.lastname@example.org
or with the
Secretary of the U. S. Department of Health and Human Services. You
will not be retaliated against for filing a complaint.
This Notice is effective as of September 23, 2013