Effective Date: January 23, 2023
Your Information. Your Rights. Our Responsibilities.
Memorial Sloan Kettering Cancer Center and Memorial Medical Care, P.C. participate in an Organized Health Care Arrangement (OHCA). This lets us share health information to carry out treatment, payment, and joint health care operations activities that relate to the OHCA.
Examples of activities include integrated information system management, participation in health information exchange, and quality improvement activities. Organizations that will follow this notice include Memorial Sloan Kettering Cancer Center, Memorial Hospital for Cancer and Allied Diseases, the Sloan Kettering Institute for Cancer Research (collectively, MSK), and Memorial Medical Care, P.C. (MMC).
This notice describes how medical information about you may be used and disclosed. It also tells you how you can get access to this information. Please review it carefully.
The full notice begins below. Please read it carefully. It includes sections that describe:
- Your Information: this section describes the information that is covered by this notice, called protected health information.
- Your Rights: this section describes specific rights you have related to your protected health information and how to exercise those rights.
- Your Choices: this section describes choices you can make about how we use and share your protected health information.
- Our Uses and Disclosures: this section describes the ways we may use and share your information without asking you for permission.
- Our Responsibilities and Other notices: these sections describe our obligation to comply with this notice, other state laws we follow, and some additional information.
- Changes to the Terms of this Notice: this section tells you how we will let you know if we make changes to this notice.
This notice describes how we use, disclose, and protect certain health information called “protected health information” or “PHI.”
Your PHI includes:
- demographic information we collect (such as your name, date of birth, mailing or email address); or
- unique numbers that may identify you (such as your social security number, your phone number, or your driver’s license number); combined with
- information about your health or indicating that you are our patient or receiving other health-related services from us.
The federal health privacy law described in this notice does not protect the health information of people who died more than 50 years ago. But if other laws require us to protect this health information, we will continue to protect it.
When it comes to your protected health information, you have certain rights. This section explains your rights and some of our responsibilities.
- You can ask to see or get an electronic or paper copy of your medical record and certain other health information we have about you. We will give you a copy or a summary of your health information, usually within 30 days of your request. We may charge a reasonable fee based on our costs. Please contact our Health Information Management department at 646-227-2089 for information on how to ask for your records.
- For your convenience, we encourage you to use our patient portal, MyMSK, to see your health information or to ask for a copy of your records. If you do not yet have a MyMSK account, you can register by visiting my.mskcc.org or talking with your healthcare team.
- MSK maintains the medical record of MMC patients on behalf of MMC. If you are a patient of MMC and ask for your records, they will include both your MMC and MSK records.
- We may deny (not give) access to your health information under certain circumstances. If we deny your request, you have a right to get a formal review of our decision. We will tell you how to do this.
- You can ask us to correct or amend health information about you in your medical record that you think is wrong or incomplete. Please contact our Health Information Management department at 646-227-2089 for information on how to make this request.
- We may say “no” to all or part of your request. We will tell you why in writing within 60 days.
- You can ask us to contact you in a specific way. For example, you can tell us to call your home or office phone, or to send mail to a different address.
- We will say “yes” to all reasonable requests.
- You can ask us not to use or share certain PHI for treatment, payment, or our healthcare operations. We are not required to agree to your request. For example, we may say “no” if it would affect your care or our healthcare operations.
- If you pay for a service or health care item out-of-pocket in full, you can ask us not to share that information for the purpose of payment or our healthcare operations with your health insurer. We will say “yes” unless a law requires us to share that information.
- You can ask for a list of the times we’ve shared your PHI. This is called an accounting of disclosures. It will tell you who we shared your information with, and why, during the 6 years before your request.
- We are not required to include on this list disclosures about treatment, payment, or healthcare operations. We’re also not required to include some other disclosures, such as those you asked us to make. We will give you 1 accounting every 12 months (1 year) for free. We will charge you a reasonable fee based on our costs if you ask for another one during that period.
- To request an accounting of disclosures, please call the Privacy Office at 646-227-2056 or email [email protected].
You can ask for a paper copy of this notice at any time, even if you agreed to get the notice electronically. We will give you a paper copy right away. Please call the Privacy Office at 646-227-2056 or email [email protected]. You may also get a copy from our website at www.mskcc.org or ask for a copy at your next visit.
- If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights. That means they can ask for access to your PHI and make choices about your PHI.
- Before we take any action, we will make sure this person has authority (is allowed) to act for you.
- You can complain if you feel we have violated your rights by calling our Privacy Office at 646-227-2056 or emailing [email protected]. You can also send a letter to our Privacy Office at 633 Third Ave., New York, NY 10017.
- You can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201. You can also call 1-877-696-6775 or visit www.hhs.gov/ocr/privacy/hipaa/complaints/.
- We will not retaliate (take action) against you for filing a complaint.
For certain situations, you can tell us your choices about what we share. For the situations below, please tell us if you have a preference for how we share your PHI. We will follow your instructions.
We are allowed to use some of your protection health information for our fundraising efforts and may contact you for fundraising. You can tell us not to contact you again and not to use your PHI for fundraising by calling the Privacy Office at 646-227-2056 or emailing at [email protected].
We take part in electronic health information exchanges (HIEs) to share protected health information electronically with other healthcare providers, as permitted by law. Visit our website at www.mskcc.org/public-notices/electronic-health-information-exchange for more information about our participation in HIEs. You must opt-out of this information exchange if you don’t want us to exchange your PHI through the HIEs. To opt-out or change your HIE choice, email [email protected] or call our Health Information Management department at 646-227-2942.
We may also use your PHI in our Patient Directory. We can disclose it from the directory or share it with family and friends involved in your care without your written permission. We always will give you an opportunity to tell us you don’t want to share your PHI for the purposes below. Sometimes, there may not be enough time for that because of a medical emergency. Talk with us about your preferences as soon as the emergency is over. We will follow your wishes, unless the law says we cannot do what you ask.
- Patient Directory. Unless you tell us not to, our Patient Directory will include information about you while you’re admitted here. It will have your name, religious affiliation, and your location within our building. It also will have your general condition, such as fair, stable, or critical. We will release this directory information, except for your religion, to people who ask for you by name. Your religious affiliation may be shared with a member of the clergy, such as a priest, rabbi, or imam. We may share that information even if they don’t ask for you by name.
- Family and Friends Involved in Your Care. Unless you tell us not to, we may share your health information with people who support or pay for your care. This includes a family member, domestic partner, or other close friend. We also may share other information with a family member, personal representative, or other support person responsible for your care. We may share information about your location and general condition while you’re in the hospital, including news about a death. Sometimes we may need to share your information with a disaster relief group that will help us notify these people.
- Certain marketing activities.
- Sale of your PHI.
- Most sharing of “psychotherapy notes,” if we maintain any. Under federal law, “Psychotherapy notes” are notes that may be kept by a mental health professional and are maintained separately from the rest of your medical record. If a mental health provider maintains these separate notes, we will not share them without your written permission. However, notes documented by your mental health provider within your medical record will be treated like other PHI in your record, as described in this Notice.
We do not need your written permission to use, share, or disclose your PHI for these common purposes:
To treat you
We can use your health information and share it with other healthcare providers who are treating you.
Example: An MSK doctor may share your health information with another MSK doctor, or with a non-MSK doctor, to diagnose or treat you.
To run our organization
We can use and share your PHI to run our healthcare locations and to improve the care we provide. We can use it to contact you when necessary. We may also share your PHI with certain vendors, called business associates, who help us run our organization. We will have a written contract with these business associates that makes sure they also protect the privacy of your information.
Example: We use health information about you to manage the services we provide. We use it to evaluate the performance of our staff who care for you.
To bill for services
We can use and share your health information to bill and get payment from health plans or others that pay for your care.
Example: We give information about you to your health insurance plan so it will pay for your services.
We are allowed or required to share your PHI in the ways described below. Most often, they contribute to the public good, such as public health and research. The law makes us meet many conditions before we can share your information for the following purposes:
To help with public health and safety issues
We can share your PHI, including with public health authorities, in certain situations such as:
- Preventing disease.
- Helping with product recalls.
- Reporting adverse reactions to medications.
- Reporting suspected abuse, neglect, or domestic violence.
- Preventing or reducing a serious threat to anyone’s health or safety.
To do research
We can use or share your protected health information for health research under certain conditions. All MSK research is approved through a special review process to protect patient safety, welfare (well-being), and confidentiality (privacy). In most cases, we will ask for your written permission before using or sharing your PHI to do our research. However, there are times when we’re allowed to use your PHI for our research without your authorization (permission). This happens only if we get approval from a special review board. These research studies don’t affect your treatment or welfare, and we will continue to protect your privacy. We can do some research using de-identified health information, which is health information that does not identify a person. We can use or share de-identified health information without your authorization.
To comply with (obey) the law
We will share PHI about you if state or federal laws require it. For example, if the Department of Health and Human Services wants to see that we’re complying with federal privacy laws.
To respond to requests for organ and tissue donation
We can share PHI about you with organ procurement organizations. These are groups involved with organ, eye, or tissue donation or transplantation.
To work with a medical examiner or funeral director
We can share PHI with a coroner, medical examiner, or funeral director when someone dies.
To address workers’ compensation, law enforcement, and other government requests
We can use or share certain PHI about you:
- For workers’ compensation claims.
- For law enforcement purposes or with a law enforcement official.
- With health oversight agencies for activities authorized (allowed) by law.
- For special government purposes, such as military, national security, and presidential protective services.
To respond to lawsuits and legal actions
We can share PHI about you in response to a court or administrative order. We can also share it in response to a subpoena if it meets certain requirements (rules).
- By law, we must take steps to keep your PHI private and secure.
- We will tell you as soon as possible, and always within 60 days, if a breach occurs that may have compromised the privacy or security of your PHI.
- We must give you a copy of this notice and follow the duties and privacy practices the notice describes.
- We will not use or share your PHI other than as described here unless you tell us we can in writing. Even if you give us your written approval, you can change your mind at any time by telling us in writing.
Genetic, HIV, Alcohol and Substance Abuse, and Mental Health Information.
We follow Federal rules about privacy. We also follow New York State laws about health care privacy, and other state laws if they apply to us. We will get any consents required by applicable state laws before we share:
- Your genetic test results
- Information about your HIV status
- Certain information about your substance abuse or mental health
We take reasonable steps to keep your PHI private. However, it’s still possible your PHI may be disclosed. Disclosure can happen during allowed PHI uses or disclosures, or as an unavoidable result of them.
Example: People in the waiting room may overhear your name when you are called in for your appointment.
When health information is completely “de-identified” it’s no longer PHI, and the protections described in this notice no longer apply. De-identified means we have removed any information that could identify you, as required by law. For example, a lab report is de-identified if we keep the test results, but edit it to remove:
- Your name
- Your date of birth
- Your medical record number
- All other information that could identify you
Once your information has been de-identified, we may use it for any lawful purpose. This may include using and sharing the de-identified data to develop new tests, procedures, commercial products, or for other commercial purposes.
We can change the terms of this Notice, and the changes will apply to all information covered by this notice. The new notice will be available upon request at locations where we care for you, and on our website.