This notice describes how medical information about you may be used and disclosed and
how you can get access to this information. Please review it carefully.

The University of Maine System (“University” or “we”) is required by law to maintain the privacy of
your protected health information (“PHI”), give you this notice that describes our legal duties and
privacy practices concerning your PHI and to notify you following a breach of security of your PHI. In
general, when we release your PHI, we must release only that information necessary to achieve the
purpose of the use or disclosure. However, all of your PHI, with limited exceptions, will be available for
release if you sign an authorization form, if you request the information for yourself, to a provider
regarding your treatment, or due to a legal requirement. Health information and other records of
University of Maine System students generally are not subject to this notice and are protected by
other federal and state laws.

Without your written authorization, we may use and disclose your PHI as follows:

  1. Treatment: For example, we may use or disclose PHI to determine which treatment option best addresses your health needs or so other health care professionals can make decisions about your care. However, in non-emergency situations, authorization is required to disclose certain mental health care information to outside providers or facilities.
  2. Payment: In order for an insurance company to pay for your treatment, we must disclose PHI that identifies you, your diagnosis, and the treatment provided to you, to the insurance company.
  3. Health Care Operations: We may use or disclose your PHI in order to improve the quality or cost of care we deliver. These activities may include evaluating the performance of your health care providers, or examining the effectiveness of the treatment provided to you. In addition, we may use or disclose your PHI to send you a reminder about your next appointment.
  4. Required by Law: As required by law, we may use and disclose your PHI. For example, we may disclose medical information to government officials to demonstrate compliance with HIPAA.
  5. Public Health: As required by law, we may use or disclose your PHI to public health authorities for purposes related to: preventing or controlling disease, reporting child abuse or neglect, and reporting to the FDA.
  6. Health Oversight Activities: We may use or disclose your PHI to health agencies during the course of audits, investigations, licensure and other proceedings related to oversight of the health care system.
  7. Judicial and Administrative Proceedings: We may use or disclose your PHI in the course of any administrative or judicial proceeding, in response to a court order or as otherwise authorized or required by statute.
  8. Law Enforcement: We may use or disclose your PHI to a law enforcement official for purposes such as reporting a crime at our facility, complying with a court order or subpoena, and for other law enforcement purposes as authorized or required by statute.
  9. Coroners, Medical Examiners and Funeral Directors: We may use or disclose your PHI to coroners, medical examiners and funeral directors.
  10. Organ and Tissue Donation: If you are an organ donor, we may use or disclose your PHI to organizations involved in procuring, banking or transplanting organs and tissues.
  11. Public Safety: We may use or disclose your PHI to appropriate persons in order to prevent or lessen a serious and imminent threat to the health and safety of any individual.
  12. National Security: We may use or disclose your PHI to authorized officials for purposes of intelligence or other national security activities and protective services for governmental leaders as authorized or required by statute.
  13. Worker’s Compensation: We may disclose your PHI as necessary to comply with worker’s compensation laws.
  14. Disclosures to Plan Sponsors: We may disclose your PHI to the sponsor of your health plan (if applicable), for the purposes of administering benefits under the plan.
  15. Domestic Violence: We may disclose your PHI to a authorized government authority if we reasonably believe you to be a victim of abuse, neglect, or domestic violence to the extent the disclosure is required or authorized by law or if you agree to the disclosure.
  16. Research: We may disclose your PHI for research, regardless of the source of funding of the research, provided that we obtain documentation that an alteration to or waiver of authorization for use or disclosure of PHI has been approved either by an Institutional Review Board or a privacy board, or if such disclosure is otherwise permitted by law.
  17. Military and Veterans: If you are a member of the armed forces, we may use or disclose your PHI to provide information about immunization and/or a brief confirmation of general health status as required by military command authorities.
  18. Inmates: If you are an inmate at a correctional facility or in the custody of a law enforcement official, we may use or disclose your PHI to the facility or the official as may be necessary to provide information about immunization and/or a brief confirmation of general health status, or as otherwise authorized or required by law.
  19. Family or Household Members: We may use or disclose your PHI, pursuant to your verbal agreement, and in certain circumstances without your agreement, for the purpose of including you in our directory or for purposes of releasing information to family or household members, who are involved in your care or payment for your care.
  20. Emergency Services: We may use or disclose your PHI to provide to emergency services, health care or relief agencies a brief confirmation of your health status for purposes of notifying your family or household members.
  21. Business Associates: We may use or disclose your PHI to a Business Associate, who is specifically contracted to provide us with services utilizing that health information, pursuant to an approved business associate agreement which assures that the business associate will handle the PHI in compliance with privacy regulations.
  22. Limited Data Set: We may use or disclose your PHI as part of a limited data set if we enter into a data use agreement with the limited data set recipient. A limited data set is PHI that excludes most direct identifiers.
  23. Underwriting: If we use your PHI for underwriting purposes for your health plan, we are prohibited from using your genetic information for such purposes.

When the University of Maine System May Not Use or Disclose Your PHI:

Except as described in this Notice of Privacy Practices we will not use or disclose your PHI without
written authorization from you. A written authorization is required, with limited exceptions, for the use
or disclosure of psychotherapy notes, for the sale of your PHI and for the use or disclosure of your PHI
for marketing purposes. If we ask for an authorization, we will give you a copy. If we disclose partial
or incomplete information as compared to the authorization to disclose, we will expressly indicate that
the information is partial or incomplete. If you do authorize us to use or disclose your health
information for another purpose, you may revoke your authorization in writing at any time. If you
revoke your authorization, we will no longer be able to use or disclose health information about you
for the reasons covered by your written authorization, though we will be unable to take back any
disclosure we have already made with your permission. Revocation may be the basis for the denial of
health benefits or other insurance coverage or benefits

Statement of Your Health Information Rights:

  1. Right to Request Restrictions: You have the right to request restrictions on certain uses and disclosures of your health information. The University is not required to agree to every restriction that you request. If you would like to make a request for restrictions, submit your request in writing to the Contact Person listed at the end of this Notice.
  2. Right to Request Confidential Communications: You have the right to request that you receive your health information through a reasonable alternative means or at an alternative location. A University health care provider is required to accommodate reasonable requests. A health plan must permit you to request and accommodate reasonable requests to receive communications by alternative means or at alternative locations, if you clearly state that the disclosure could endanger you. To request confidential communications, submit your request in writing to the Contact Person listed at the end of this Notice.
  3. Right to Inspect and Copy: With very limited exceptions, you have the right to inspect and copy your health information. To inspect and copy such information, submit your request in writing to the Contact Person listed at the end of this Notice. If you request a copy of the information, we may charge you a reasonable fee to cover the expenses associated with your request. In the event that the University uses or maintains an Electronic Health Record of information about you, then upon your request, we will provide an electronic copy of the PHI to you or to a third party designated by you.
  4. Right to Request Amendment: You have the right to request the University correct, clarify and amend your health information. To request a correction, clarification or amendment, submit your request in writing to the Contact Person listed at the end of this Notice. We may add a response to your submitted correction, clarification or amendment and will provide you with a copy.
  5. Right to Accounting of Disclosures: You have the right to receive a list or “accounting of disclosures” of your health information made by the University, except that we generally do not have to account for non-electronic disclosures made for the purposes of treatment, payment, or health care operations; for disclosures made to you; for disclosures made pursuant to an authorization; for those made to our facility’s directory or to those persons involved in your care; incidental disclosures; for lawful inquiries made pursuant to national security or intelligence purposes; for lawful inquiries made by correctional institutions or other law enforcement officials in custodial situations; or, for disclosures when your information may become part of a limited data set. To request an accounting of disclosures, submit your request in writing to the Contact Person listed at the end of this Notice. Your request should specify a time period of up to six years and may not include dates before April 14, 2003. The University will provide one list per 12 month period free or charge; we may charge you for additional lists.
  6. Right to Paper Copy: You have a right to receive a paper copy of this Notice of Privacy Practices at any time. To obtain a paper copy of this Notice, send your written request to the Contact Person listed at the end of this Notice. You may also obtain a copy of this notice at our website: http://www. maine.edu. If you would like to have a more detailed explanation of these rights, or if you would like to exercise one or more of these rights, contact the Contact Person listed at the end of this Notice.

Changes to this Notice of Privacy Practices

The University of reserves the right to amend this Notice of Privacy Practices at any time in the future
and to make the new Notice provisions effective for all health information that we maintain. We will
promptly revise our Notice and distribute it to you at your next visit whenever we make material
changes to the Notice. Participants in the Health Plans, Health Care Advantage Account, and the
System EAP Plan will receive a revised copy within 60 days of a material revision. The University is
required by law to abide by the terms of the Notice currently in effect.

Complaints

Complaints about this Notice of Privacy Practices or requests for further information should be directed
to the Contact Person listed below. The University will not retaliate against you in any way for filing a
complaint, participating in an investigation, or exercising any other rights under the Health Insurance
Portability and Accountability Act (HIPAA). All complaints to the University must be submitted in
writing. If you believe your privacy rights have been violated, you also may file a complaint with the
Secretary of the U. S. Department of Health and Human Services.

University Health and Counseling HIPAA compliance contact person: Anna Moskey, CMA (AAMA) 207-780-5787

Effective date of Notice: 08/28/2013