Notice of Privacy Practices for MedStar Health Inc.

Who Will Follow This Notice

MedStar Health, Inc. and its affiliated entities and subsidiaries are separate legal entities. However, they are under common ownership and control, and thus have organized themselves as a single Affiliated Covered Entity (ACE) for the purposes of the HIPAA Privacy Rule. This status permits MedStar Health, its affiliated entities, and subsidiaries to maintain a single Notice of Privacy Practices. This notice describes the health information practices of the MedStar Health, Inc. organization. All entities, sites and locations will follow the terms of this notice. In addition, these entities, sites and locations may share medical information with each other for treatment, payment and healthcare operations as described in this notice.

Our Obligation To You

We value the privacy of your medical information as an important part of our “patient first” pledge. We view the protection of patient privacy as an essential component of our vision to be the Trusted Leader in Caring for People and Advancing Health and our mission to serve our patients. We strive to use only the minimum amount of your health information necessary for the purposes described in this Notice of Privacy Practice (“Notice”).

We collect information from you and use it to provide you with quality care, and to comply with certain legal requirements. We are required by law to maintain the privacy of your health information, and to give you this Notice of our legal duties, our privacy practices, and your rights. We are required to follow the terms of our most current Notice. When we disclose information to other persons and companies to perform services for us, we will require them to protect your privacy. There are other laws we will follow that may provide additional protections, such as laws related to mental health, alcohol and other substance abuse, and communicable disease or other health conditions.

This Notice covers the following sites and people: all health care professionals authorized to enter information into your chart, all volunteers authorized to help you while you are here, all of our associates and on-site contractors, all departments and units within the hospital, all health care students, all health care delivery facilities and providers within the MedStar Health system, and your personal doctor and others while they are providing care at this site. Your doctor may have different policies or notices about the health information that was created in his or her private office or clinic.

How We May Use And Disclose Health Information

Treatment: We may use and disclose your health information to provide treatment or services, to coordinate or manage your health care, or for medical consultations or referrals.  We may use and disclose your health information among doctors, nurses, technicians, medical students and other personnel who are involved in taking care of you at our facilities or with such persons outside our facilities.  We may use or share information about you to coordinate the different services you need, such as prescriptions, lab work and x-rays.  We may disclose information about you to people outside our facility who may be involved in your care after you leave, such as family members, home health agencies, therapists, nursing homes, clergy, and others.  We may give information to your health plan or another provider to arrange a referral or consultation.

Payment: We may use and disclose your health information so that we can receive payment for the treatment and services that were provided.  We may share this information with your insurance company or a third party used to process billing information.  (As described below, if you pay for your health care in full and out-of-pocket, you may request that we not share your information with your insurance company.) We may contact your insurance company to verify what benefits you are eligible for, to obtain prior authorization, and to tell them about your treatment to make sure that they will pay for your care.  We may disclose information to third parties who may be responsible for payment, such as family members, or to bill you. We may disclose information to third parties that help us process payments, such as billing companies, claims processing companies, and collection companies.

Health Care Operations: We may use and disclose your health information as necessary to operate our facility and make sure that all of our patients receive quality care.  We may use health information to evaluate the quality of services that you received, or the performance of our staff in caring for you.  We may use health information to improve our performance or to find better ways to provide care.  We may use health information to grant medical staff privileges or to evaluate the competence of our health care professionals.  We may use your health information to decide what additional services we should offer and whether new treatments are effective.  We may disclose information to students and professionals for review and learning purposes.  We may combine our health information with information from other health care facilities to compare how we are doing and see where we can make improvements.  We may use health information for business planning, or disclose it to attorneys, accountants, consultants and others in order to make sure we are complying with the law.  We may remove health information that identifies you so that others may use the de-identified information to study health care and health care delivery without learning who you are.  If operating as a health plan, we will not use or disclose genetic information for underwriting purposes (this does not apply to long term care plans).

Business Associates: There are some services provided in MedStar Health through contracts with business associates.  Examples include a copy service we use when making copies of your health record, consultants, accountants, lawyers, medical transcriptionists and third-party billing companies.  When these services are contracted, we may disclose your health information to our business associate so that they can perform the job we’ve asked them to do.  To protect your health information, however, we require the business associate to appropriately safeguard your information.

Certain Marketing Activities: We may use your medical information to forward promotional gifts of nominal value, to communicate with you about products, services and educational programs offered by MedStar Health, to communicate with you about case management and care coordination and to communicate with you about treatment alternatives.  We do not sell your health information to any third party for their marketing activities unless you sign an authorization allowing us to do this.

Health Information Exchanges: We may participate in health information exchanges (HIEs) to facilitate the secure exchange of your electronic health information between and among several health care providers or other health care entities for your treatment, payment, or other health care operations purposes.  This means we may share information we obtain or create about you with outside entities (such as hospitals, doctors' offices, pharmacies, or insurance companies) or we may receive information they create or obtain about you (such as medication history, medical history, or insurance information) so each of us can provide better treatment and coordination of your health care services.  In addition, if you visit any MedStar Health facility, your health information may be available to other clinicians and staff who may use it to care for you, to coordinate your health services or for other permitted purposes.

The Chesapeake Regional Information System for our Patients (CRISP) is a regional HIE serving Maryland and D.C. in which we participate.  We may share information about you through CRISP for treatment, payment, health care operations or research purposes. You may “opt-out” and disable access to your health information available through CRISP by calling 1-877-952-7477 or completing and submitting an Opt-Out form to CRISP by mail, fax or through their website at As permitted by law, even if you opt-out of CRISP, public health reporting and Controlled Dangerous Substances information, as part of the Maryland Prescription Drug Monitoring Program (PDMP), will still be available to providers through CRISP.

Appointment Reminders and Service Information: We may use or disclose your health information to contact you to provide appointment reminders, or to let you know about treatment alternatives or other health related services or benefits that may be of interest to you. 

Individuals Involved In Your Care or Payment for Your Care: We may give your health information to people involved in your care, such as family members or friends, unless you ask us not to.  We may give your information to someone who helps pay for your care.  We may share your information with other health care professionals, government representatives, or disaster-relief organizations, such as the Red Cross, in emergency or disaster-relief situations so they can contact your family or friends or coordinate disaster-relief efforts.

Patient Directories: We may keep your name, location in the facility, and your general condition in a directory to give to anyone who asks for you by name.  We may give this information and your religious affiliation to clergy, even if they do not know your name.  You may ask us to keep your information out of the directory, but you should know that if you do, visitors and florists will not be able to find your room.  Even if you ask us to keep your information out of the directory, we may share your information for disaster-relief efforts or in declared emergency situations.

Fundraising Activities: We depend extensively on philanthropy to support our health care missions. We may use your name and other limited information to contact you, including the dates of your care, the name of the department where you were treated, and the name of your treating physician so that we may provide you with an opportunity to make a donation to our programs.  We may collaborate with a third party, including Georgetown University, to manage our fundraising activities.  If we or any of our agents contact you for fundraising or philanthropy purposes, you will be told how you may ask us not to contact you in the future.

Research: We may use or disclose your health information for research that has been approved by one of our official research review boards, which has evaluated the research proposal and established standards to protect the privacy of your health information.  We may use or disclose your health information to a researcher preparing to conduct a research project.

Organ and Tissue Donation: We may use or disclose your health information in connection with organ donations, eye or tissue transplants or organ donation banks, as necessary to facilitate these activities. 

Public Health Activities: We may disclose your health information to public health or legal authorities whose official activities include preventing or controlling disease, injury, or disability.  For example, we must report certain information about births, deaths, and various diseases to government agencies.  We may disclose health information to coroners, medical examiners, and funeral directors as allowed by the law to carry out their duties.  We may use or disclose health information to report reactions to medications, problems with products, or to notify people of recalls of products they may be using.  We may use or disclose health information to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease. 

Serious Threat to Health and Safety: We may use or disclose your health information when necessary to prevent a serious threat to your health and safety, or the health and safety of the public or another person.  We will only disclose health information to someone reasonably able to help prevent or lessen the threat, such as law enforcement or government officials. 

Required by Law, Legal Proceedings, Health Oversight Activities, and Law Enforcement: We will disclose your health information when we are required to do so by federal, state and other law.  For example, we may be required to report victims of abuse, neglect or domestic violence, as well as patients with gunshot and other wounds.  We will disclose your health information when ordered in a legal or administrative proceeding, such as a subpoena, discovery request, warrant, summons, or other lawful process.  We may disclose health information to a law enforcement official to identify or locate suspects, fugitives, witnesses, victims of crime, or missing persons.  We may disclose health information to a law enforcement official about a death we believe may be the result of criminal conduct, or about criminal conduct that may have occurred at our facility.  We may disclose health information to a health oversight agency for activities authorized by law, such as audits, investigations, inspections and licensure. 

Specialized Government Functions: If you are in the military or a veteran, we will disclose your health information as required by command authorities.  We may disclose health information to authorized federal officials for national security purposes, such as protecting the President of the United States or the conduct of authorized intelligence operations.  We may disclose health information to make medical suitability determinations for Foreign Service. 

Correctional Facilities: If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release your health information to the correctional institution or law enforcement official.  We may release your health information for your health and safety, for the health and safety of others, or for the safety and security of the correctional institution.

Workers Compensation: We may disclose your health information as required by applicable workers compensation and similar laws. 

Health Plan:  When MedStar Health operates as a health plan, we will not use or disclose your genetic information for underwriting purposes.

Your Written Authorization: Other uses and disclosures of your health information not covered by this Notice, or the laws that govern us, will be made only with your written authorization.  These include the sale of your health information, use of your health information for marketing purposes, and certain disclosures of psychotherapy notes. You may revoke your authorization in writing at any time, and we will discontinue future uses and disclosures of your health information for the reasons covered by your authorization.  We are unable to take back any disclosures that were already made with your authorization, and we are required to retain the records of the care that we provided to you.

Your Privacy Rights Regarding Your Health Information

Right to Obtain a Copy of This Notice of Privacy Practices

We will post a copy of our current Notice in our facilities and on our website,  A copy of our current Notice will be available at our registration areas or upon request.  To request a copy of our current Notice of Privacy Practices, please call (410) 772-6606.

Right to See and Copy Your Health Record

You have the right to look at and receive a copy of your health record or your billing record.  To do so, please contact the facility where you received treatment, or the Privacy Office listed below.  You may be required to make your request in writing.  

You may request an electronic copy of this information, and we will provide access in the electronic form and format requested if it is readily reproducible in the requested format.  If not, we will discuss the issue with you and provide a copy in a readable electronic form and format upon which we mutually agree, depending on the information and our capabilities at the time of the request.  You may also request that we send your health information directly to a person you designate if your written request is signed, in writing and clearly identifies both the person designated and an address to send the requested information.

If you would like a copy of your health record, a fee may be charged for the cost of copying or mailing your record (and the electronic media if the request is to provide the information on portable electronic media), as permitted by law. 

We will provide a copy of your health record usually within 30 days. In certain situations, we may deny your request.  If we do, we will tell you, in writing, our reasons for the denial and explain your right to have the denial reviewed.

Right to Update Your Health Record

If you believe that a piece of important information is missing from your health record, you have the right to request that we add an amendment to your record.  Your request must be in writing, and it must contain the reason for your request.  To submit your request, please contact the facility where you received treatment, or the Privacy Office listed below.  We will make every effort to fulfill your request usually within 60 days. We may deny your request to amend your record if the information being amended was not created by us, if we believe that the information is already accurate and complete, or if the information is not contained in records that you would be permitted by law to see and copy. If we deny your request, you will be notified in writing usually within 60 days. Even if we accept your amendment, we will not delete any information already in your records.

Right to Get a List of the Disclosures We Have Made

You have the right to request a list of the disclosures that we have made of your health information.  This list is not required to include disclosures made for treatment, payment, and health care operations, and certain other disclosure exceptions.  Your request must be in writing and indicate in what form you want the list (for example, on paper, electronically). To request a list of disclosures, please contact the facility where you received treatment, or the Privacy Office listed below.  The first list you request in a 12-month period is free.  For additional lists, we may charge a fee, as permitted by law. 

Right to Request a Restriction on Certain Uses or Disclosures

You have a right to request a restriction on how we use and disclose your medical information for treatment, payment and health care operations, and to certain family members or friends identified by you who are involved in your care or the payment of your care. We are not required to agree to your request, and will notify you if we are unable to agree.  Your request must be in writing and it must (1) describe what information you want to limit, (2) whether you want to limit our use, disclosure or both, and (3) to whom you want the limits to apply.  In some instances, you may choose to pay for a healthcare item or service out of pocket rather than submit a claim to your insurance company. You may request that we not submit your medical information to a health plan or your insurance company, if you, or someone on your behalf, pays for the treatment or service out-of-pocket in full. To request this restriction, you must make your request in writing prior to the treatment or service.  In your request you must tell us (1) what information you want to restrict and (2) to what health plan the restriction applies.

Right to Breach Notification

You have the right under HIPAA, or as required by law, to be notified if there is a breach of your unsecured medical information.  If requested, this notification may be provided to you electronically.

Right to Choose a Representative

You have the right to choose someone to act on your behalf.  If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information.  We will make efforts to verify the person you designate has this authority and can act for you before we take any action.

Right to Choose How You Receive Your Health Information

You have the right to request that we communicate with you in a certain way, such as by mail or fax, or at a certain location, such as a home address or post office box. We will try to honor your request if we reasonably can. Your request must be in writing, and it must specify how or where you wish to be contacted. To submit a request, please contact the facility where you received treatment, or the Privacy Office listed below. 

Contact Person

If you believe your privacy rights have been violated, you may call or file a complaint in writing with the MedStar Health Privacy Office or the Department of Health and Human Services (please reference the contact information below). We will take no retaliatory action against you if you file a complaint about our privacy practices.  

Privacy Officer
MedStar Health, Inc.
10980 Grantchester Way
Columbia, MD 21044


U.S. Department of Health and Human Services Office for Civil Rights
200 Independence Avenue, S.W., Washington, D.C. 20201
1-877-696-6775 (toll free)

If you have questions about this Notice, or would like to exercise your Privacy Rights, please contact the facility where you received treatment, or the MedStar Privacy Office. 

Changes To This Notice Of Privacy Practices

We reserve the right to change this Notice. We reserve the right to make the revised Notice effective for medical information we already have about you as well as any information we receive in the future.  We will post a copy of the current Notice in each MedStar facility and on our website. In addition, each time you register at, or are admitted to, the hospital for treatment or healthcare services as an inpatient or outpatient, we will offer you a copy of our current Notice in effect.

The Notice of Privacy Practices is available in Spanish.

Footnote: MedStar Health, Inc. located in Columbia, Maryland, is a non-profit community-based health care organization serving the greater Baltimore/Washington region. The health system is made up of a number of distinguished health care providers and other diversified health care entities. While these entities operate independently of one another and as separate employers, they also work toward common missions and values. The mission of MedStar Health is to serve our patients, those who care for them, and our communities and our vision is to be the trusted leader in caring for people and advancing health. In working to achieve this goal, it is the responsibility of each MedStar entity to enforce its privacy policies and to take appropriate disciplinary or other actions for employee violations. Please note that for purposes of this Notice of Privacy Practices, the MedStar Health parent company and all of its subsidiaries will be referred to collectively as “MedStar Health.” For privacy purposes only, MedStar Health is organized as an Affiliated Covered Entity, as described in 45 CFR §164.504(d)(1); legally separate entities that are affiliated may designate themselves as a single covered entity.

MedStar Health complies with applicable federal civil rights laws and does not discriminate on the basis of race, color, national origin, age, disability or sex.
