HIPAA Notice

HIPAA Notice

HIPAA Notice

Download a PDF version of this document.


Effective Date: September 23, 2013




This notice describes the health information practices of the UNIVERSITY MEDICAL CENTER (UMC), a health care component of The University of Alabama (a covered hybrid entity) and to the administrative departments at the University of Alabama that provide legal, billing, auditing, or other administrative support for UMC , including but not limited to The University of Alabama Office of Counsel, The University of Alabama System Office of Internal Audit, the University’s Privacy and Security Officers, the Office of Information Technology, Human Resources, and UA and UAB Risk Management. In addition, this Policy applies to the Capstone Health Services Foundation (CHSF) and to all members of its workforce. These two entities (UMC and CHSF) are hereby designated as an organized health care arrangement under HIPAA. For purposes of this Notice and HIPAA policies, these covered entities and the University’s affiliated administrative support departments shall collectively be referred to as “University Medical Center” or UMC.



We understand that medical information about you and your health is personal.  We are committed to protecting medical information about you. We create a record of the care and services you receive at UMC. We need this record to provide you with quality care and to comply with certain legal requirements. This notice applies to all of the records of your care generated or maintained by UMC, whether made or maintained by UMC personnel or your personal doctor.  

This notice will tell you about the ways in which we may use and disclose medical information about you. We also describe your rights and certain obligations we have regarding the use and disclosure of medical information. We are required by law to:

  • make sure that medical information that identifies you is kept private;
  • give you this notice of our legal duties and privacy practices with respect to medical information about you; 
  • notify in the case of a breach of your identifiable medical information; and
  • follow the terms of the notice that is currently in effect.


The following categories describe different ways that we use and disclose medical information. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one of the categories.  

  • For Treatment and Treatment Alternatives

    We may use medical information about you to provide, coordinate, or manage your medical treatment and/or related services. We may disclose medical information about you to doctors, nurses, technicians, medical residents, student trainees, volunteers, or other UMC personnel or people outside our facility who are involved in taking care of you. For example, medical information may be shared in order to coordinate different things you may need, such as prescriptions, lab work, and x-rays. We may also disclose your medical information, as necessary, to other physicians or health care providers who may be treating you or to whom you have been referred to ensure that the physician or provider has the necessary information to diagnose or treat you. We also may disclose medical information about you to people outside UMC who may be involved in your medical care after you leave, such as your local physician, family members, clergy or others we use to provide services that are part of your care. We may use and disclose your medical information to tell you about or recommend possible treatment options or alternatives that may be of interest to you. 

  • For Payment

    We may use and disclose medical information about you so that the treatment and services you receive at UMC may be billed to you and payment may be collected from you, an insurance company or a third party. For example, we may need to give your health plan information about a treatment or services you received so your health plan will pay us or reimburse you for those treatments or services. We may also tell your health plan about a treatment you are going to receive to obtain prior approval or to determine whether your plan will cover the treatment. 

  • For Routine Health Care Operations

    We may use and disclose medical information about you for UMC routine health care operations. For example, we may use/disclose your medical information to conduct or arrange for medical reviews, legal services, and auditing functions; to resolve internal grievances; or to conduct other business management and general administrative activities of UMC. These uses and disclosures are necessary to run UMC and make sure that all of our patients/ clients receive quality care. We may also use medical information to review our treatment and services and to evaluate the performance of our staff in caring for you. We may also combine medical information about many UMC patients/clients to decide what additional services UMC should offer, what services are not needed, and whether certain new treatments are effective. We may also disclose information to doctors, nurses, technicians, medical residents, student trainees, and UMC personnel for review and learning purposes.  We may also combine the medical information we have with medical information from other entities to compare how we are doing and see where we can make improvements in the care and services we offer. We may remove information that identifies you from this set of medical information so others may use it to study health care and health care delivery without learning who the specific patients are. 

  • Individuals Involved in Your Care or Payment for Your Care

    We may release medical information about you to a friend, relative, family member or any other person you identify who is involved in your medical care. We may also give information to someone who helps pay for your care. We may also tell your family or friends your condition and that you are in the hospital.  In addition, we may disclose medical information about you to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status and location.

  • Appointment Reminders and Health-Related Benefits and Services

    We may use and disclose medical information to contact you as a reminder that you have an appointment for treatment or medical care at UMC or to tell you about health-related benefits or services that may be of interest to you.  

  • Research

    Under certain circumstances, we may use and/or disclose medical information about you to researchers when their clinical research study has been approved by UA’s or the facility’s Institutional Review Board.  Some clinical research studies require specific patient consent, while others do not require patient authorization. For example, a research project may involve comparing the health and recovery of all patients who received one medication to those who received another, for the same condition.  This would be done through a retrospective record review with no patient contact. The Institutional Review Board reviews the research proposal to make certain that the proposal has established protocols to protect the privacy of your health information. 

  • Fundraising Activities

    We may use medical information about you to contact you in an effort to raise money for UMC. We may disclose medical information to a foundation related to UMC so that the foundation may contact you in raising money for UMC. For example, we may use or disclose the following information to contact you for fundraising purposes: your name, address, and phone number, the physicians who furnished the service, and the location and dates you received treatment or services at UMC. If you do not want UMC to contact you for fundraising efforts, you have the right to opt of out of fundraising communications, as described in every fundraising communication.

  • Certain Marketing Activities

    UMC may use medical information about you to forward promotional gifts of nominal value, to communicate with you about services offered by UMC, to communicate with you about case management and care coordination and to communicate with you about treatment alternatives. We do not sell your health information to any third party for their marketing activities unless you sign an authorization allowing us to do this.

  • UMC Directory

    We may include certain limited information about you in our UMC directory while you are a patient/client at UMC. This information may include your name and location in UMC.  

  • Business Associates

    There are some services provided in UMC through contracts with business associates. Examples may include a copy service we use when making copies of your health record, consultants, accountants, lawyers, medical transcriptionists and third-party billing companies. When these services are contracted, we may disclose your health information to our business associate so that they can perform the job we’ve asked them to do. To protect your health information, however, we require the business associate to appropriately safeguard your information.

  • As Required By Law

    We will disclose medical information about you when required to do so by federal, state or local law.

  • Public Health Risks and Communicable Diseases

    We may disclose medical information about you to public health or legal authorities charged with preventing or controlling disease, injury, or disability. For example, we are required to report the existence of a communicable disease, such as tuberculosis, to the Alabama Department of Public Health to protect the health and well-being of the general public. We may disclose medical information about you to individuals exposed to a communicable disease or otherwise at risk for spreading the disease. We may disclose medical information to your employer if the employer requires the healthcare services to determine whether you suffered a work-related injury.  

  • Food and Drug Administration (FDA)

    We may disclose to the FDA and to manufacturers health information about adverse events with respect to food or supplements or product defects or problems, or post-marketing surveillance information to enable product recalls, repairs, or replacements.

  • Victims of Abuse, Neglect or Domestic Violence

    We are required to report child, elder and domestic abuse or neglect to the State of Alabama.

  • Health Oversight Activities

    We may disclose medical information to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.

  • Lawsuits and Disputes

    If you are involved in a lawsuit or a dispute, we may disclose medical information about you in response to a court or administrative order. We may also disclose medical information about you in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested. We may disclose medical information for judicial or administrative proceedings, as required by law.

  • Law Enforcement

    We may release medical information for law enforcement purposes, as required by law. We may disclose medical information: a) in response to a court order, court-ordered subpoena, warrant or summons issued by a judicial officer; b) to identify or locate a suspect, fugitive, material witness or missing person; c) about an individual suspected to be the victim of a crime if, under certain limited circumstances, we are unable to obtain the victim’s agreement; d) about a death we believe may be the result of criminal conduct; e) about criminal conduct occurring on the University’s or UMC’s premises; or f) in medical emergency circumstances, to report a crime, the location of the crime or victims, or the identity, description or location of the person who committed the crime.

  • Coroners, Medical Examiners and Funeral Directors

    We may release medical information to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person, determine the cause of death, or perform other legal duties. We may also release medical information about patients of the UMC to funeral directors as necessary to carry out their duties.  

  • Organ and Tissue Donation

    If you are an organ donor, we may use or release medical information to organizations that handle organ procurement or other entities engaged in procurement, banking or transportation of organ, eye or tissue to facilitate organ or tissue donation and transplantation. 

  • To Avert a Serious Threat to Health or Safety

    We may use and disclose medical information about you when necessary to prevent or lessen a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone reasonably able to help prevent or lessen the threat.

  • Military and Veterans

    If you are a member of the armed forces, we may release medical information about you as required by military command authorities. We may also release medical information about foreign military personnel to the appropriate foreign military authority. 

  • National Security and Intelligence Activities

    We may release medical information about you to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.  

  • Protective Services for the President and Others

    We may disclose medical information about you to authorized federal officials so they may provide protection to the President or other authorized persons or foreign heads of state or so they may conduct special investigations.    

  • Workers’ Compensation

    We may release medical information about you for workers’ compensation or similar programs that provide benefits for work-related injuries or illness. 

  • Inmates or Individuals in Custody

    If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release medical information about you to the correctional institution or law enforcement official.  

  • Other uses and disclosures

    We will obtain your authorization to use or disclose your psychotherapy notes (other than for uses permitted by law without your authorization); to use or disclose your health information for marketing activities not described above; and prior to selling your health information to any third party. Any other uses and disclosures not described in this Notice will be made only with your written authorization. 


Although all records concerning your treatment obtained at UMC are the property of UMC, you have the following rights regarding medical information we maintain about you:


  • Right to Inspect and Copy

    You have the right to inspect and copy medical information that may be used to make decisions about your care. Usually, this includes medical and billing records, but does not include psychotherapy notes; information compiled in anticipation of criminal, civil, or administrative proceedings; or information subject to a law that prohibits access.

    To inspect and copy medical information that may be used to make decisions about you, you must submit your request in writing to UMC Privacy Officer. If you request a copy (paper or electronic) of the information, we may charge a fee for the costs of copying, mailing or other supplies associated with your request. 

    We may deny your request to inspect and copy in certain very limited circumstances. If you are denied access to medical information, you may request that the denial be reviewed. Another licensed health care professional chosen by UMC will review your request and the denial. The person conducting the review will not be the person who denied your request.  We will comply with the outcome of the review.  

  • Right to Amend

    If you feel that medical information we have about you in our records is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept by or for UMC. 

    To request an amendment, your request must be made in writing and submitted to the UMC Privacy Officer. In addition, you must provide a reason that supports your request. 

    We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend information that:

    • Was not created by us, unless the person or entity that created the information is no longer available to make the amendment;
    • Is not part of the medical information kept by or for UMC;
    • Is not part of the information which you would be permitted to inspect and copy; or 
    • Is accurate and complete.
  • Right to an Accounting of Disclosures

    You have the right to request an “accounting of disclosures.” This is a list of certain disclosures we made of medical information about you.

    To request this list or accounting of disclosures, you must submit your request in writing to the UMC Privacy Officer. Your request must state a time period which may not be longer than six years from the date of your request. Your request should indicate in what form you want the list (for example, on paper or electronically). The first list you request within a 12-month period will be free. For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred.

  • Right to Request Restrictions

    You have the right to request a restriction or limitation on the medical information we use or disclose about you for treatment, payment or health care operations. You also have the right to request a limit on the medical information we disclose about you to someone who is involved in your care or the payment for your care, like a family member or friend. 

    We are not required to agree to your request.  If we do agree, we will comply with your request unless the information is needed to provide you emergency treatment.

    To request restrictions, you must make your request in writing to the UMC Privacy Officer. In your request, you must tell us (1) what information you want to limit; (2) whether you want to limit our use, disclosure or both; and (3) to whom you want the limits to apply, for example, disclosures to your spouse.

  • Right to Request That Health Information Pertaining to Services Paid Out of Pocket Not Be Sent to Insurance

    In some instances, you may choose to pay for a healthcare item or service out of pocket, rather than submit a claim to your insurance company.  You have the right to request that we not submit your health information to a health plan or your insurance company, if you, or someone or your behalf, pay for the treatment or service out of pocket in full.  To request this restriction, you must make your request in writing on the required form to the UMC Privacy Officer prior to the treatment or service.  In your request, you must tell us (1) what information you want to restrict (2) and to what health plan the restriction applies.

  • Right to Request Confidential Communications

    You have the right to request that we communicate with you about medical matters in a certain way or at a certain location.  For example, you can ask that we only contact you at work or by mail. 

    To request confidential communications, you must make your request in writing to the UMC Privacy Officer. We will not ask you the reason for your request.  We will accommodate all reasonable requests.  Your request must specify how or where you wish to be contacted and must provide information on how payment will be handled.

  • Right to Revoke Authorization

    You have the right to revoke your authorization to use or disclose your medical information except to the extent that action has already been taken in reliance on your authorization.

  • Right to a Paper Copy of  This Notice

    You have the right to a paper copy of this notice. You may ask us to give you a copy of this notice at any time.  Even if you have agreed to receive this notice electronically, you are still entitled to a paper copy of this notice.  

    You may obtain a copy of this notice at our website.

    To obtain a paper copy of this notice, contact the UMC Privacy Officer.


We reserve the right to change this notice. We reserve the right to make the revised or changed notice effective for medical information we already have about you as well as any information we receive in the future. We will post a copy of the current notice in the UMC facility and on our website noted above.  The notice will contain on the first page, in the top right-hand corner, the effective date. In addition, each time you visit UMC to receive health care services, we will make available a copy of the current notice in effect.  


If you have questions and would like additional information, you may contact the UMC Privacy Officer [805 5th Avenue East, Tuscaloosa, AL  35401].   

If you believe your privacy rights have been violated, you may file a complaint with UMC Privacy Officer or with the Secretary of the Department of Health and Human Services. To file a complaint with UMC Privacy Officer, contact Jan Chaisson,  Director of Medical Records, 348-1231. All complaints must be submitted in writing. Your complaint may be shared with the UA Privacy and Security Officers and others at the University who assist the UMC Privacy Officer with HIPAA compliance.

You will not be penalized or retaliated against for filing a complaint.


The effective date of the notice is September 23, 2013.

Welcome Welcome Welcome Welcome