Top Menu

Privacy Policy

Notice of Privacy Practices


WHO WILL FOLLOW THIS NOTICE: This notice describes our privacy practices and that of:

  • The physician members of the hospital’s medical staff and credentialed, non-physician health care professionals who may provide care in the hospital
  • All departments and units of the hospital
  • Any volunteers who perform volunteer work in the hospital, clinic, doctor’s office, or other health care entity
  • All employees, staff and other personnel at the hospitals, clinics, physicians’ offices, or other health care entities
  • HH System
  • HH Health System
  • Huntsville Hospital for Women and Children
  • Madison Hospital


All these entities, sites and locations follow the terms of this notice. In addition, these entities, sites and locations may share medical information with each other for treatment, payment or health care operations purposes described in this notice. 


We understand that medical information about you and your health is personal. We are committed to protecting medical information about you. We create a record of the care and services you receive at this health care entity to provide you with quality care and to comply with certain legal requirements. This notice applies to all of the records of your care generated by this entity, whether made by entity personnel or your personal doctor. Unless your personal doctor is a member of a physician group listed at the beginning of this Notice, your personal doctor may have different policies or notices regarding the doctor’s use and disclosure of your medical information created in the doctor’s own office or clinic.

This notice will tell you about the ways in which we may use and disclose medical information about you. We also describe your rights and certain obligations we have regarding the use and disclosure of medical information.

We are required by law to keep private medical information that identifies you; give you this notice of our legal duties and privacy practices with respect to medical information about you; and follow the terms of the Notice of Privacy Rights currently in effect.


The following describes the ways we may use and disclose health information that identifies you. For better understanding, we have provided some examples in each category. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one of the categories.

For Treatment.  We may use your medical information to provide medical treatment or services to you.  We may disclose medical information about you to doctors, nurses, technicians, therapists, medical, nursing or other health care students, or other personnel taking care of you inside and outside of our Health System.  We may use and disclose your medical information to coordinate or manage your care.  As examples, a doctor treating you for a broken leg may need to know if you have diabetes because diabetes may slow the healing process, or the doctor may need to tell the dietitian if you have diabetes so you can have appropriate meals.  Departments within the Health System may share your medical information to schedule the tests and procedures you need, such as prescriptions, laboratory tests and x-rays.  We also may disclose your medical information to health care facilities if you need to be transferred from a Health System facility to another hospital, a nursing home, a home health provider, rehabilitation center, etc.  We also may disclose your medical information to people outside the Health System who are involved in your care while you are here or after you leave the Health System, such as other health care providers, family members or pharmacists.


For Payment.  We may use and disclose your medical information so that the treatment and services you receive can be billed and collected from you, an insurance company or another company or person.  As examples, we may give your insurance company (e.g.,  Medicare, Medicaid, CHAMPUS/TRICARE, or a private insurance company) information about surgery you received so your insurance company will pay us for the surgery.  We also may tell your insurance company about a treatment you are going to receive in order to determine whether you are eligible for coverage or to obtain prior approval from the company to cover payment for the treatment.  We could disclose your information to a collection agency to obtain overdue payment.  We might also be asked to disclose information to a regulatory agency or other entity to determine whether the services we provided were medical necessary or appropriately billed.

For Health Care Operations.  We may use and disclose your medical information for any operational function necessary to run the Health System and its facilities as a business and as a licensed/certified/accredited facility, including uses/disclosures of your information such as in the following examples: (1) Conducting quality or patient safety activities,  population-based activities relating to improving health or reducing health care costs, case management and care coordination, and contacting of health care providers and you with information about treatment alternatives; (2) Reviewing health care professionals’ backgrounds and grading their performance, conducting training programs for staff, students, trainees, or practitioners and non-health care professionals;  performing accreditation, licensing, or credentialing activities; (3) Engaging in activities related to health insurance benefits,  (4) Conducting or arranging for medical review, legal services, and auditing functions; (5) Business planning, development, and management activities, including things like customer service,  resolving complaints; sale, transfer or combine of all or part of the Health System entities and the background research related to such activities; and (6) Creating and using de-identified health information or a limited data set or having a business associate perform combine data or do other tasks for various operational purposes.

As additional examples, we may disclose your medical information to physicians on our Medical Staff who review the care that was provided to patients by their colleagues.  We may disclose information to doctors, nurses, therapists, technicians, medical, nursing or other health care students, and Health System personnel for teaching purposes.  We may combine medical information about many patients to decide what services the Health System should offer, and whether new services are cost-effective and how we compare from a quality perspective with other hospitals/health systems.  Sometimes, we may remove your identifying information from your medical information so others may use it to study health care services, products and delivery without learning who you are. We may disclose information to other health care providers involved in your treatment to permit them to carry out the work of their facility or to get paid.  We may provide information about your treatment to an ambulance company that brought you to the Health System so that the ambulance company can get paid for their services.

Activities of Our Affiliates.  We may disclose your medical information to our affiliates in connection with your treatment or other Health System activities.

Activities of Organized Health Care Arrangements in Which We Participate.  For certain activities, the Hospital, members of its Medical Staff and other independent professionals are called an Organized Health Care Arrangement.  We may disclose information about you to health care providers participating in our Organized Health Care Arrangement, such as a managed care or physician-Health System organization.  Such disclosures would be made in connection with our services, your treatment under a health plan arrangement, and other activities of the Organized Health Care Arrangement.  We operate under this Joint Notice for activities involving the Health System.

ImportanT:   The Health System may share your medical information with members of the Health System Medical Staff and other independent medical professionals in order to provide treatment, payment and healthcare operations and perform other activities for the Health System. While those professionals have agreed to follow this Notice and otherwise participate in the privacy program of the Health System, they are independent professionals and the Health System expressly disclaims any responsibility or liability for their acts or omissions relating to your care or privacy/security rights.

Health Services, Products, Treatment Alternatives and Health-Related Benefits.  We may use and disclose your medical information in providing face-to-face communications; promotional gifts; refill reminders or communications about a drug or biologic; case management or care coordination, or to direct or recommend alternative treatments, therapies, providers, or settings of care; or to describe a health-related product/service (or payment for such product/service) that is provided through a benefit plan; or to offer information on other providers participating in a healthcare network that we participate in, or to offer other health-related products, benefits or services that may be of interest to you.   We may use and disclose your medical information to contact and remind you of an appointment for treatment or medical care.

Health-Related Benefits and Services. We may use and disclose medical information to tell you about health-related benefits or services that may be of interest to you.

Fund Raising Activities. We may use and disclose your medical information to raise money for the Health System.  Huntsville Hospital Foundation is the Health System’s only fundraising entity.   The Health System is allowed to disclose certain parts of your medical information to the Foundation, unless you tell us you do not want such information used and disclosed.  For example, the Health System  may disclose to Huntsville Hospital Foundation demographic information, like your name, address, other contact information, telephone number, gender, age, date of birth,  the dates you received treatment by the Health System, the department that provided you service, your treating physician, outcome information, and health insurance status.  You have a right to opt-out of receiving fundraising requests.  If you do not want the Health System to contact you for fundraising, you can opt out by returning the pre-paid envelope or by calling 1-877-425-1850.

Hospital Directory. We may include certain information about you in the HH Health System Directory while you are a patient in these facilities.  This information may include your name, your room number, your general condition (fair, stable, etc.) and your religious affiliation.  Your religious affiliation may be given to a member of the clergy, such as a priest or rabbi, even if they don’t ask for you by name.  Directory information, except for your religious affiliation, may be released to people who ask for you by name.  This is so your family, friends and clergy can visit you in the Health System and generally know how you are doing.  If you do not want this information given out, please tell the Admissions Clerk.

Individuals Involved in Your Care or Payment for Your Care. We may release your medical information if you become incapacitated to the person you named in your Durable Power of Attorney for Health Care (if you have one), or otherwise to a friend or family member who is your personal representative (i.e., empowered under state or other law to make health-related decisions for you).  We may give information to someone who helps pay for your care.  In addition, we may disclose your medical information to an entity assisting in disaster relief efforts so that your family can be notified about your condition.  HIPAA also allows us at certain times to speak with those who are/were involved in your care/payment activities while being treated as patient and/or even after your death, if we reasonably infer based on our professional judgment that you would not object.  If you do not wish for us to speak with a particular person about your care, you should request a Restriction on PHI form.

Research. We may use and disclose your medical information for research purposes.  Most research projects, however, are subject to a special approval process.  Most research projects require your permission if a researcher will be involved in your care or will have access to your name, address or other information that identifies you.  However, the law allows some research to be done using your medical information without requiring your written approval.

As Required By Law. We will disclose your medical information when federal, state or local law requires it.  For example, the Health System and its personnel must comply with child and elder abuse reporting laws and laws requiring us to report certain diseases or injuries or deaths to state or federal agencies.

To Avert a Serious Threat to Health or Safety. We may use and disclose your medical information when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person.


Organ and Tissue Donation. If you are an organ donor, we may release your medical information to organizations that handle organ procurement or organ, eye or tissue transplantation or to an organ donation bank, as necessary to aid in its organ or tissue donation and transplantation process.

Access by Parents. Some state laws concerning minors permit or require disclosure of protected health information to parents, guardians, and persons acting in a similar legal status. We will act consistently with the law of the state where the treatment is provided and will make disclosures following such laws.

Military and Veterans. If you are a member of the U.S. or foreign armed forces, we may release your medical information as required by military command authorities.

Workers’ Compensation. We may release medical information about you for workers’ compensation or similar programs.  These programs provide benefits for work-related injuries or illness

Medical Surveillance of the Workplace. If you are an employee who is being evaluated at the request of your employer for medical surveillance of the workplace or in relation to a work-related illness or injury, we may share information obtained from such evaluation with your employer.

Public Health Risks. We may disclose your medical information (and certain test results) for public health purposes, such as –

             To a public health authority to prevent or control communicable diseases (including sexually transmitted diseases), injury or disability,

             To report births and deaths,

             To report child, elder or adult abuse, neglect or domestic violence,

             To report to FDA or other authority reactions to medications or problems with products,

             To notify people of recalls of products they may be using,

             To notify a person who may have been exposed to a disease or may be at risk for getting or spreading a disease or condition,

             To notify employer of work-related illness or injury (in certain cases),  and

             To a school to disclose whether immunizations have been obtained.

Health Oversight Activities. We may disclose your medical information to a federal or state agency for health oversight activities such as audits, investigations, inspections, and licensure of the Health System and of the providers who treated you at the Hospital.  These activities are necessary for the government to monitor the health care system, government programs, and compliance with laws.

Lawsuits and Disputes. We may disclose your medical information to respond to a court or governmental agency request, order or a search warrant.  We also may disclose your medical information in response to a subpoena, discovery request, or other lawful process by someone else involved in a dispute.

Law Enforcement. Subject to certain conditions, we may disclose your medical information for a law enforcement purpose upon the request of a law enforcement official or to report suspicion of death resulting from criminal conduct or crime on our premises or for emergency or other purposes.

Coroners, Medical Examiners and Funeral Directors. We may disclose your medical information to a coroner or medical examiner or funeral director so they may carry out their duties.

National Security and Intelligence Activities. We may disclose your medical information to authorized federal officials for national security activities authorized by law.

Protective Services. We may disclose your medical information to authorized federal officials so they may provide protection to the President of the United States and other persons. 

Inmates. If you are an inmate of a correctional institution or under the custody of a law enforcement officer, we may release your medical information to the correctional institution or a law enforcement officer.  This release would be necessary for the Health System to provide you with health care, to protect your health and safety or the health and safety of others, or for the safety and security of the law enforcement officer or the correctional institution.

Incidental Disclosures.   Although we train our staff in privacy, due to the way treatment and billing occurs, your medical or billing information may be overheard or seen by people not involved directly in your care.  For example, your visitors or visitors visiting other patients on your treatment floor could overhear a conversation about you or see you getting treatment.

Business Associates.  Your medical or billing information could be disclosed to people or companies outside our Health System who provide services to us.   We make these companies sign special confidentiality agreements with us before giving them access to your information.  They are also subject to fines by the federal government if they use/disclosure your information in a way that is not allowed by law.

Note:  State law provides special protection for certain types of health information, including information about alcohol or drug abuse, mental health and AIDS/HIV, and may limit whether and how we may disclose information about you to others.  Federal law provides additional protection for information that results from alcohol and drug rehabilitation treatment programs.  [MAY NEED TO ADD THIS ADDITIONAL 42 CFR PART 2 – FEDERAL DRUG AND ALCOHOL REHAB PROGRAM NOTICE IF YOU HEALTH SYSTEM IS COVERED; SAMPLE LANGUAGE FROM PART 2 REGS: 

Confidentiality of Alcohol and Drug Abuse Patient Records

The confidentiality of alcohol and drug abuse patient records maintained by a federally assisted alcohol and drug rehabilitation program is protected by Federal law and regulations. Generally, the program may not say to a person outside the program that a patient attends the program, or disclose any information identifying a patient as an alcohol or drug abuser Unless:

(1) The patient consents in writing:

(2) The disclosure is allowed by a court order; or

(3) The disclosure is made to medical personnel in a medical emergency or to qualified personnel for research, audit, or program evaluation.

Violation of the Federal law and regulations by a program is a crime. Suspected violations may be reported to appropriate authorities in accordance with Federal regulations.

Federal law and regulations do not protect any information about a crime committed by a patient either at the program or against any person who works for the program or about any threat to commit such a crime.

Federal laws and regulations do not protect any information about suspected child abuse or neglect from being reported under State law to appropriate State or local authorities.

(See 42 U.S.C. 290dd-3 and 42 U.S.C. 290ee-3 for Federal laws and 42 C.F.R. part 2 for Federal regulations.)]

Data Breach Notification Purposes.  We may use or disclose your Protected Health Information to provide legally required notices of unauthorized access to or disclosure of your health information.


Right to Inspect and Copy. You have the right to review and get a copy of  your  medical and billing information that is held by us in a designated record set (including the right to obtain an electronic copy if readily producible by us in the form and format requested).  TheMedical Records Department has a form you can fill out to request to review or get a copy of your medical information, and can tell you how much your copies will cost. The Health System is allowed by law to charge a reasonable cost-based fee for labor, supplies, postage and the time to prepare any summary.  The Health System will tell you if it cannot fulfill your request.  If you are denied the right to see or copy your information, you may ask us to reconsider our decision.  Depending on the reason for the decision, we may ask a licensed health care professional to review your request and its denial.  We will comply with this person’s decision.

Right to an Electronic Copy of Electronic Medical Records. If your Protected Health Information is maintained in an electronic format (known as an electronic medical record or an electronic health record), you have the right to request that an electronic copy of your record be given to you or transmitted to another individual or entity.  We will make every effort to provide access to your Protected Health Information in the form or format you request, if it is readily producible in such form or format.  If the Protected Health Information is not readily producible in the form or format you request your record will be provided in either our standard electronic format or if you do not want this form or format, a readable hard copy form.  We may charge you a reasonable, cost-based fee for the labor associated with transmitting the electronic medical record.

Out-of-Pocket-Payments.  If you paid out-of-pocket (or in other words, you have requested that we not bill your health plan) in full for a specific item or service, you have the right to ask that your Protected Health Information with respect to that item or service not be disclosed to a health plan for purposes of payment or health care operations, and we will honor that request.

Right to Amend. If you feel your medical information in our records is incorrect or incomplete, you may ask us in writing to amend the information.  You must provide a reason to support your requested amendment.  We will tell you if we cannot fulfill your request.  The Contact Person listed below can help you with your request.

Right to an Accounting of Disclosures. You have the right to make a written request for a list of certain disclosures the Health System has made of your medical information within a certain period of time.  This list is not required to include all disclosures we make.  For example, disclosure for treatment, payment, or Health System administrative purposes, disclosures made before April 14, 2003, disclosures made to you or which you authorized, and other disclosures are not required to be listed.  The Contact Person listed below can help you with this process, if needed.

Right to Request Restrictions. You have the right to make a written request to restrict or put a limitation on the medical information we use or disclose about you for treatment, payment or health care operations.  You also have the right to request a limit on your medical information that we disclose to someone involved in your care or the payment for your care, like a family member or friend.  We are generally not required to agree to your request, except as follows:

Payor Exception:  If otherwise allowed by law, we arerequired to agree to a requested restriction, if (1) the disclosure is to your health insurance plan for purposes of carrying out payment or health care operations and (2) the medical information to be restricted relates solely to a health care item or service for which all parties have been paid in full out of pocket.    NOTE:   During a single Hospital / Health System visit, you may receive a bill for payment from multiple sources, including the Hospital, laboratories, individual physicians who cared for you, specialists, radiologists, etc.   Therefore, if you wish to restrict a disclosure to your health insurance company from all these parties, you must contact each independent health care provider separately and you must submit payment in full to each individual provider. Hospital expressly disclaims any responsibility or liability for independent medical staff acts or omissions relating to your HIPAA privacy rights.

If we do agree to a request for restriction, we will comply with your request unless the information is needed to provide you with emergency treatment or to make a disclosure that is required under law.  In your request, you must tell us (1) what information you want to limit; (2) whether you want to limit our use, disclosure or both; and (3) to whom you want the limits to apply, for example, disclosures to your adult children.  The Contact Person listed below can help you with these requests if needed.

Right to Request Confidential Communications. You have the right to make a written request that we communicate with you about medical matters in a certain way or at a certain location.  For example, you can ask that we contact you only at work or by mail.  We will not ask you the reason for your request.  We will accommodate all reasonable requests.  Your request must specify how or where you wish to be contacted.  The Contact Person listed below can help you with these requests if needed.

Right to a Paper Copy of This Notice. You have the right to receive a paper copy of this Notice at any time even if you have agreed to receive this Notice electronically.  You may obtain a copy of this Notice at our website at or a paper copy from the Contact Person listed below.

Right to Receive a Notice of a Breach of Unsecured Medical / Billing Information.     You have the right to receive a notice in writing of a breach of your unsecured medical or billing or financial information.   Your physicians (who are not Health System employees) or other independent entities involved in your care will be solely responsible for notifying you of any breaches that result from their actions or inactions.


We reserve the right to change this Notice. We reserve the right to make the revised or changed Notice effective for medical information we already have about you as well as any information we receive in the future. We will post the current Notice in the Hospital, and throughout the Health System registration sites and on our website at


If you believe your privacy rights have been violated, you may file a written complaint with the Health System or with the Secretary of the Department of Health and Human Services or HHS.  Generally, a complaint must be filed with HHS within 180 days after the act or omission occurred, or within 180 days of when you knew or should have known of the action or omission.  To file a complaint with the Health System, contact thePrivacy Officer at 256.265.4477.You will not be denied care or discriminated against by the Health System for filing a complaint. To file a complaint with the Office for Civil Rights, contact: U.S. Department of Health and Human Services 61 Forsyth St, SW • Suite 3870 • Atlanta, GA 30323


Disclosures that are not referenced in this Notice of Privacy Practices or are not otherwise allowed or required by federal and/or state law or our policies and procedures, will require your authorization.  Uses and disclosures of your medical information not generally covered by this Notice or the laws and regulations that apply to the Health System will be made only with your written permission or authorization.  For example, unless otherwise allowed by law, most uses and disclosures of psychotherapy notes, uses and disclosures for marketing purposes and disclosures that constitute the sale of medical information require an authorization.

If you give us permission to use or disclose medical information about you, you may revoke that permission, in writing, at any time.  If you revoke your permission, we will no longer use or disclose your medical information for the reasons covered by your written authorization, but the revocation will not affect actions we have taken in reliance on your permission.  You understand that we are unable to take back any disclosures we have already made with your permission, we still must continue to comply with laws that require certain disclosures, and we are required to retain our records of the care that we provided to you.


If you have any questions about this Notice, please contact the Privacy Officer at 256.265.4477

© Huntsville Hospital. All rights reserved