University of Michigan Notice of Privacy Practices
Dowload PDF version
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND
HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
The mission of the University of Michigan* is to serve the people of Michigan and the world through preeminence in creating,
communicating, preserving and applying knowledge, art, and academic values, and in developing leaders and citizens who will
challenge the present and enrich the future. The University is a major employer and provider of health benefits+ and operates
hospitals and health centers, other health care organizations and managed care plans+. Through these activities and with numerous
academic departments engaged in cutting-edge medical, public health, social science and behavioral research, the University
collects, uses, and discloses personal health information to carry out its mission. This information is private and confidential.
There are policies and procedures in place to protect the information against unlawful use and disclosure. The notice also provides
you with other important information, including how to contact us with questions about this notice or our privacy practices.
- What is this notice?
This notice describes information we collect, how we use that information, and when and to whom we may disclose it.
- What is "personal health information"?
Personal health information or "PHI" (also called "protected health information"), is current, past or future information created or received by the University through its health care providers, health plans and contractors. It relates to the physical or mental condition of a patient or plan member, the provision of health care to that person, or payment for the provision of health care to
that person. The term PHI does not generally include publicly available information, or information available or reported in a summarized or grouped manner.
- What types of personal health information does the University of Michigan collect?
The University collects PHI through interactions with your health care providers. It can be obtained through applications, interviews, surveys and other forms. PHI may be obtained in writing, in person, by telephone and electronically. The information we collect varies depending on who collects it and why, but generally includes information about your relationship and
transactions with our affiliates, our agents and us. Examples include:
- University Providers. If you receive health care services as a patient of one of our hospitals or health centers, University Health Services, Michigan Visiting Nurses, or other individual providers or health care organizations employed or operated by
the University (the "University Providers"), the provider may collect or create information such as your name, address,
telephone number, social security number, date of birth, medical history, diagnosis, treatment, provider identification and
treatment information, financial responsibility and payment information, and family and emergency contact information.
- Employee Plans. If you receive health care benefits through a University-sponsored health benefits plan (an "Employee
Plan") as an employee or graduate student of the University or the employee's or student's dependent (spouse/domestic
partner or child), we may collect information such as name, address, telephone number, social security number, date of birth,
and related information. The organizations that administer these plans - commercial health benefits plans, pharmacy benefits
managers, and others - may collect and exchange additional information, such as medical diagnosis and treatment
information, but our employee benefits office generally does not request copies of this information without your authorization.
- Affiliated Health Plan Members. If you are a member of a health plan administered by the University or any of its subsidiaries
(e.g., M-CARE, M-CAID, Kids Care - our "Affiliated Health Plans"), the plan may collect information:
* When we refer to the University of Michigan, the University, or we or us, we mean The Regents of the University of Michigan
and its applicable affiliates to the extent they are acting as "health plans," "health care providers," and/or "health care
clearinghouses" under the Health Insurance Portability and Accountability Act and related privacy regulations ("HIPAA"). A
disability or worker's compensation plan is not a health plan. Nor is the University of Michigan Medical School (including
any University faculty member performing research), a health care provider. When we refer to "you," we mean a patient of a
University of Michigan health care provider; a University of Michigan employee who receives health benefits through the
University; or a member of a health plan administered by a University affiliate such as M-CARE, M-CAID, or Kids Care.
+ If you are a University employee or dependent, or if you are covered under an Affiliated Health Plan, this notice is not part of
your health plan documents (group policy, certificate or evidence of coverage, booklet, group service agreement, schedule of
benefits, etc.). It is provided to you for information only.
[ Top ]
- From your plan sponsor or other payors (e.g., employers, unions, government agencies) regarding eligibility for coverage
and other available coverage.
- From health care providers (e.g., doctors, dentists, psychologists, pharmacies, hospitals and other caregivers) such as
medical history, diagnosis and treatment.
- From affiliates and agents (e.g., central diagnostic and referral units, pharmacy benefits managers, vendors, etc.) who help
administer our Affiliated Health Plans about service requests and benefits provided.
- From you, your family or other caregivers about your treatment, medical history, or any aspect of coverage under the
Affiliated Health Plan.
- How does the University of Michigan protect personal health information internally?
Access to PHI is restricted to only those employees who need it to provide services, products, or benefits to our patients,
employees, health plan members and their dependents. We maintain physical, technical and procedural safeguards to protect PHI
against unauthorized use and disclosure. We have several Privacy Offices that are responsible for developing, educating
University personnel about, and overseeing the implementation and enforcement of policies and procedures designed to safeguard
PHI against inappropriate use and disclosure consistent with the applicable law.
- What personal health information do the University and other health care providers, employers and
health plans use or disclose to third parties, and for what purposes?
When necessary for a patient's care or treatment, the operation of an Employee Plan or Affiliated Health Plan, or for other related activities, we use PHI internally, share it with our affiliates, and disclose it to health care providers (doctors, dentists, psychologists, pharmacies, hospitals and other caregivers), insurers, third party administrators, plan sponsors and other payors
(employers, health care provider organizations, and others who may be responsible for paying for or administering your health
benefits); vendors, consultants, government authorities; and their respective agents. They are required by law to keep PHI
confidential. Some examples of what we do with the information we collect and the reasons it might be disclosed to third parties
are described below.
Treatment, Payment and Health Care Operations
We may use or disclose PHI with or without your consent to provide health care services or administer our health benefits plans. Examples of these uses and disclosures include:
Other Activities Permitted or Required by Law
- Treatment. University Providers use and disclose PHI without specific consent to provide, coordinate and manage health care
and related services. These activities include coordination or management of health care by University Providers with other
University units and third parties; consultation among our Affiliated Providers or between our Affiliated Providers and other
health care providers; and patient referrals among providers.
- Payment. University Providers, Employee Plans and Affiliated Health Plans all use and disclose PHI to obtain and provide
reimbursement for the provision of health care to patients and health plan members. Our Employee Plans and Affiliated
Health Plans also use and disclose PHI to obtain premiums or determine or fulfill their responsibilities for coverage and
provision of benefits under the plans. Examples of these payment activities include: billing, claims management, collections
activities, and administration of reinsurance, stop loss and excess loss insurance policies, as well as related data processing;
making eligibility, coverage, medical necessity, and related determinations, coordinating benefits among various payors,
recovering payments from third parties liable for coverage; risk adjustment; utilization review activities, and disclosures to
consumer reporting agencies. We may use or disclose PHI in connection with payment activities with or without your
- Health Care Operations. University Providers, Employee Plans and Affiliated Health Plans all use and disclose PHI in connection with their standard business operations, including quality assessment and improvement activities. Examples of
these activities include obtaining accreditation from independent organizations like the Joint Commission for the
Accreditation of Healthcare Organizations, the National Committee for Quality Assurance and others, outcomes evaluation
and development of clinical guidelines, operation of preventive health, early detection and disease management programs,
case management and care coordination, contacting of health care providers and patients with information about treatment
alternatives, and related functions; evaluations of health care providers (credentialing and peer review activities) and health
plans; operation of educational programs; underwriting, premium rating and other activities relating to the creation, renewal or
replacement of health benefits contracts; obtaining reinsurance, stop-loss and excess loss insurance; conducting or arranging
for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
business planning and development; and business management and general administrative activities, including data and
information systems management, customer service, resolution of internal grievances, and sales, mergers, transfers, or
consolidations with other providers or health plans or prospective providers or health plans
We may use or disclose PHI for other important activities permitted or required by law, with or without your authorization.
Our use and disclosure of PHI must comply not only with federal privacy regulations but also with applicable Michigan law.
Michigan law provides different and sometimes more stringent protections to PHI than federal regulations. Examples of these
protections include: (i) special protections for sensitive information, such as information about HIV/AIDS, treatment for
psychiatric conditions or substance abuse problems, and certain genetic information; (ii) a bar against redisclosure of PHI collected
by third party administrators of health plans for certain purposes; and (iii) a prohibition against making changes to medical records
that would conceal or alter prior entries (even if inaccurate).
- Appointment Reminders and Treatment Alternatives. We may contact you to provide appointment reminders or information about treatment alternatives or other health-related benefits or services that may be of interest.
- Public Health and Safety. We may use or disclose PHI as necessary to prevent or reduce a serious and imminent threat to the health or safety of a person or the public, to people who may be able to reduce the threat, including the threatened person or
law enforcement officials; or for other public health activities to public health authorities (such as the Michigan Department of
Community Health or the U.S. Department of Health and Human Services) engaged in preventing or controlling disease,
injury, or disability. For example, Michigan health care providers (including the University Providers) are required to report
information about patients with certain conditions, such as HIV/AIDS and cancer, to central registries; they also are required
to report information about immunizations administered to their patients. We also may disclose PHI to manufacturers of
drugs, biologics, devices, and other products regulated by the federal Food and Drug Administration when the information is
related to their quality, safety, or effectiveness. PHI also may be disclosed to certain people exposed to communicable
diseases and to employers in connection with occupational health and safety or worker's compensation matters.
- Required by Law. We may use or disclose PHI to the extent such use or disclosure is required by law and it complies with and is limited to the requirements of that law. For example, if you are treated by one of our Affiliated Providers for a gunshot
or knife wound or similar trauma, we may be required to report that information to the police. If we suspect a person is a
victim of abuse, neglect, or domestic violence, we may be required to file a report to the Family Independence Agency or
another local or state agency and possibly to the police as well. We also use and disclose PHI for certain law enforcement
purposes and in response to official subpoenas, court orders, discovery requests and other legal process. In addition, we use
and disclose PHI in connection with health oversight activities (e.g., government audits of our compliance with certain laws
and regulations; oversight of government-funded health benefits programs, etc.).
- Other Government Functions. We may use or disclose PHI in connection with military and veterans activities, national security and intelligence activities, protective services for the President of the United States and other dignitaries, and certain
correctional facility activities.
- Research. We use and disclose PHI in connection with research performed by faculty members of the University of Michigan Medical School++ and other departments and divisions, as well as researchers outside the institution. This research generally is
subject to the oversight of a University of Michigan Institutional Review Board.++ In most cases, while PHI may be used to
help prepare a research project or to contact you to ask whether you want to participate in a study, it will not be further
disclosed for research without your authorization. Sometimes, however, where permitted under federal law and institutional
policy, and approved by an Institutional Review Board or a privacy board, PHI may be used or disclosed. In addition, PHI
may be used or disclosed to compile "limited or de-identified data sets" that do not include your name, address, social security
number or other direct identifiers. These data sets may, in turn, be used for research purposes.
- Fundraising. We may contact you to ask for contributions or assistance in raising funds to help pursue our mission.
- Facilities Directories. Our hospitals and other facilities use PHI to maintain directories of people staying in our facilities, including name, location, general condition (e.g., critical, stable), and religious affiliation. They also disclose this information to members of the clergy (e.g., priests, pastors, imams, rabbis) and to others who ask for an individual by name. You may
object to these uses or disclosures when you enter our facilities.
++ Neither the Medical School nor our Institutional Review Boards are "health plans," "health care providers," or "health care
clearinghouses" under HIPAA.
[ Top ]
- Plan Sponsor Communications. Our Employee Plans and Affiliated Health Plans may disclose PHI to the employer, union, government agency or other organization that pays for the costs of your coverage (the "plan sponsor") as follows: to carry out
plan administration functions; in summary form to obtain premium bids from health plans or to modify, amend, or terminate
plans; and enrollment and participation information. We will disclose PHI to a plan sponsor only upon receipt of certification
by the plan sponsor that it will appropriately use and protect the information and honor your rights (as described in Section
VIII below) to access, review and amend the information, and to receive an accounting of certain disclosures of the
information. For example, the plan sponsor will not be permitted to use the information for the purpose of employmentrelated
actions or decisions or in connection with any other benefit or employee benefit plan that it sponsors.
- Family and Friends. Under certain circumstances, we may disclose PHI to family members, other relatives, or close personal
friends or others that you identify to the extent it is directly relevant to their involvement with your care or payment related to
your care; or to notify them of your location, general condition, or death.
- After Death. We may disclose PHI to coroners or medical examiners to identify a person who has died, determine the cause
of death, or perform other functions authorized by law; and (before or after death) to funeral homes as necessary to carry out
their duties. In addition, PHI of a person who has died may be used or disclosed in connection with research that does not
involve any live subjects.
- Why is it important that personal health information be used and disclosed as described above?
The activities described above are necessary to effectively operate our hospitals and health centers, employee benefits and health
plans, and other relevant units of the University. For example, many health plans feature cancer screening reminder programs that
promote early detection of breast, cervical and colorectal cancer when these illnesses are most treatable. Disease management
programs help patients work with their physicians to effectively manage chronic conditions like asthma, diabetes, and heart disease
to improve quality of life and avoid preventable emergencies and hospitalizations. Initiatives to reduce medical errors help
providers recognize and avoid potential safety hazards, like dangerous drug interactions. Quality assessment and research
programs help us review and improve the services we provide. A variety of outreach programs help us educate patients and health
plan members about the programs and services that are available to them, and let them know how they can make the most of their
health benefits. Therefore, to the extent permitted or required by law, we use and disclose PHI as provided in Section V regardless
of individual preferences. We recognize that many patients and health plan members do not want to receive unsolicited marketing
materials unrelated to their health care or health benefits. For this reason, we ask for special permission before disclosing PHI for
these marketing purposes.
- What does a person need to do to request other disclosures of personal health information?
Many patients and health plan members ask us to disclose PHI to people in ways not described above. For example, an elderly
person may want us to make her records available to a neighbor who is helping her resolve a question about her care or payment
for that care. Contact information to authorize us to disclose your personal health information to a person or organization or for
reasons other than those described in Section V above appears below in section VIII.
If you fill out a form and later change your mind about the special authorization, you may send a letter to us at the address listed on
the form to let us know that you would like to revoke the special authorization. In any communication with us, please provide
your name, address, patient or member identification number or Social Security number, and a telephone number where we can
reach you in case we need to contact you about your request.
- What other rights does a person have with respect to personal health information, and how can the
person exercise those rights?
You have a right to receive an accounting of disclosures made by a University Provider, an Employee Plan, or an Affiliated Health
Plan to any third party in the six years prior to the date on which the accounting is requested. This right does not apply to certain
disclosures, including, but not limited to, disclosures made for the purposes of treatment, payment or health care operations;
disclosures made to you or to others involved in your care; disclosures made with your authorization; disclosures made for national
security or intelligence purposes or to correctional institutions or law enforcement purposes; or disclosures made prior to April 14,
2003. You must make any request for an accounting in writing and we may charge a fee to fill more than one request in any given
year. Written requests should go to:
- You have a right to ask us in writing to restrict use or disclosure of your PHI related to your treatment, related to your
payment or related to routine health care facility operations. In addition, you may request PHI disclosure restrictions to family members, other relatives or close friends involved in your care. We are not required to agree to such a restriction, but
if we do agree, we will honor our agreement except in case of an emergency. Any restriction we agree to is not effective to
prevent uses or disclosures of PHI (i) required by the Secretary of the Department of Health and Human Services to
investigate or determine our compliance with federal privacy regulations adopted under the Health Insurance Portability and
Accountability Act of 1996; (ii) for health facility directories (e.g., a roster of patients staying at a hospital); or (iii) for certain
activities permitted or required by law (see Section V above).
- You may request, in writing, to receive confidential communications containing your PHI from us in ways or at locations that
are outside our usual process. Our health care providers will make every effort to accommodate reasonable requests.
However, the University's Benefits Office and/or our affiliated health benefits plans may require that you demonstrate danger
to yourself if we do not comply with your request. For example, this rule protects patients who are victims of domestic
violence who wish to have health information sent to an address other than his or her own. If you are requesting, in writing, to
receive confidential communications at a different address than your address of record, then you must make it clear that you
may be in personal danger if the request is not honored.
- You have a right to review and obtain a copy of existing PHI contained in (i) medical and billing records about you
maintained by any University provider; (ii) enrollment, payment, claims adjudication and case or medical management
record systems maintained by or for the Employee Plans or Affiliated Health Plans; and (iii) records used by or for any
University provider or health plan to make decisions about you. You must make your request in writing and this right is
limited to existing records that are maintained, collected, used or disseminated by or for a University Provider, an Employee
Plan or an Affiliated Health Plan. It does not apply to psychotherapy notes we maintain; information we compile in
reasonable anticipation of, or for use in, civil, criminal or administrative actions or proceedings; or to certain clinical
laboratory information. We may charge a fee for any copies you request.
- You have a right to request that we amend the records described above for as long as we maintain them. You must make the
request in writing and give us a reason for the amendment. We may deny your request if: (i) we determine that we did not
create the record, unless the originator of the PHI is no longer available to act on the requested amendment; or (ii) if we
believe that the existing records are accurate and complete. Note that an amendment may take several forms, for example we
may add an explanatory statement to a record rather than changing it.
Director of Privacy
What does the University of Michigan plan to do with personal health information about patients, employees and health plan members who are no longer affiliated with the University?
University of Michigan Health System
M7300 Med Sci I
Ann Arbor, MI 48109-0625
Toll Free: 1-866-482-1252
The University does not necessarily destroy PHI when individuals terminate their relationships with us. The information is
necessary and used for many of the purposes described in Section V, even after the person stops receiving treatment or benefits
through the University, or terminates employment with us. In many cases, the information is subject to legal retention
However, the policies and procedures that protect all PHI against inappropriate use and disclosure apply regardless of the status of
any individual whose information is maintained.
[ Top ]
- How is this notice distributed and updated?
The University of Michigan posts this notice on our internet site at http://www.med.umich.edu/hipaa and distributes this notice:
We reserve the right to change the terms of this notice. Any changes will be effective for all personal health information that we
- To patients of our hospitals, health centers, and other points of care, no later than the date of first service delivery; or, in the
event of an emergency, as soon as reasonably practical after the emergency is over. University Providers also make copies of
the notice available and prominently posted at the point of care.
- To employees, at the time they enroll in an Employee Plan.
- To subscribers of our Affiliated Health Plans - including M-CARE, M-CAID, and Kids Care - at the time of enrollment and
within sixty (60) days of any material revision of the notice.
- To patients, employees and their dependents, and health plan members upon request (see Section VIII for contact
- What more do I need to know about my privacy rights?
The University of Michigan is required by law to maintain the privacy of personal health information and to provide individuals with notice of its legal duties and privacy practices with respect to that information. We are required to abide by the terms of the notice currently in effect.
- What should I do if I want a paper copy of this notice, if I have questions about it, or if I think my privacy
rights have been violated?
If you would like a paper copy of this notice, have questions about it, or believe its terms or any University of Michigan privacy or
confidentiality policy has been violated with respect to information about you, please let us know immediately at the address above
or by phone Toll Free: 1-866-482-1252. Please include your name, address, and a telephone number where we can contact you,
and a brief description of the complaint. If you prefer, you may lodge an anonymous complaint. You also may contact the
Secretary of the Department of Health and Human Services at:
The U.S. Department of Health and Human Services
Please provide as much information as possible so that the complaint can be properly investigated. Neither the University of
Michigan nor any of its affiliates will retaliate against a person who files a complaint with us or with the Secretary of the
Department of Health and Human Services.
200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll Free: 1-877-696-6775
Dowload PDF version