Pullman Regional Hospital Notice of Privacy Practices (NPP)

Effective February 16, 2026

THIS NOTICE DESCRIBESHOW YOUR HEALTH INFORMATION MAY BE USED ANDDISCLOSED AND HOW YOU CAN GET ACCESSTO THIS INFORMATION. WE HAVE UPDATED OUR PRIVACYPRACTICES TO REFLECT NEW PROTECTIONS. THIS INCLUDES EXPANDED PATIENT RIGHTS,ENHANCED SECURITY MEASURES, NEW INFORMATIONON, AND LANGUAGETHAT ALIGNS 42 CFR PART 2 MORE CLOSELY WITH HIPAA and the HITECH ACT.

 

PLEASE REVIEW CAREFULLY.

 

The Health Insurance Portability and Accountability Act of 1996(“HIPAA”) is a law requiring Pullman Regional Hospital (PRH) to make sure your personalmedical and other treatment information is kept private. PRH is also requiredto give you this notice, so that if PRH has any of your personal healthinformation, you will know how PRH may use it, or whether and how PRH may giveyour protected health information (“PHI”) to others.

The Health Information Technology for Economic and ClinicalHealth (HITECH) Act, enacted as part of the American Recovery and ReinvestmentAct of 2009, addresses the privacy and security concerns associated with the electronictransmission of health information, through several provisions that strengthenthe civil and criminal enforcement of the HIPAA rules.

PRH programs and services are already keeping your personal medicalinformation private. HIPAA establishes the minimum standards for theseprotections.

The NPP explains how we may legally use and disclose your PHI,who can access it, where to file a complaint if you think your PHI wasmishandled, when a signed authorization is needed for certain disclosures, and otherprivacy rights you have. We are required to follow all the terms of this notice.We reserve the right to change the provisions of this notice and make iteffective for all PHI we maintain.

How We May Use and Disclose Your PHI:

PRH prioritizes the confidentiality of our clients' PHI. Ourphysicians, clinicians, and employees are mandated to uphold this confidentiality.We have established policies, procedures, and safeguards to protect your PHIfrom unauthorized use and disclosure. Below is a brief description of the usesand disclosures of your PHI, along with some examples. Please note that not everyuse or disclosure in a category is listed. The ways we use and disclosesubstance and alcohol abuse information will be separately described later inthis notice.

  1. Treatment. We may use and disclose your PHI to providetreatment, case management, and care coordination or to direct or recommendhealth care and any related services such as government services or housing. Wemay also share your health information with community resources and providersin the county who may be involved in your case or treating you.
  2. Payment. We may use or disclose your PHI topermit us to bill and collect payment for the treatment and health-related services.For example, we may include information with a bill to Medicare that identifiesyou, your diagnosis, and services provided to receive payment.
  3. Health Care Operations. We may use and discloseyour PHI to review and evaluate our treatment, or to improve the care and serviceswe offer. In addition, we may disclose your health information to other staffor business associates who perform billing, consulting, behavioral health andhealth services, auditing, licensing, accreditation, or investigatory services.
  4. Required by Law. We may use and disclose your PHIwhen required by federal, state, or local law. For example, the Secretary ofthe U.S. Department of Health and Human Services (DHHS) may review ourcompliance efforts, which may include accessing your PHI.
  5. Business Associates. We sometimes use outside companies,known as “business associates (BAs)” to provide certain services. These servicesmay include payment processing, healthcare operations, and treatment services. BAsare required to protect your PHI. We only share the minimum amount of PHInecessary for them to carry out their services. We also require these businessassociates to properly safeguard your information. Examples of BAs includesubcontractors that handle PHI on behalf of PRH billing companies,E-Prescribing Gateways, Health Information Exchanges, behavioral health serviceproviders, and Electronic and Personal Health Record Vendors.
  6. Health Oversight Activities. We may discloseyour PHI to federal or state agencies that may conduct audits, investigations,oversight activities, and inspect government health benefit programs.
  7. Public Health Activities. We may use and shareyour PHI with public health authorities or government agencies to report specificdiseases, injuries, conditions, illnesses, and events as mandated by law. Forinstance, we might share your medical information with a local governmentagency to aid in a disease outbreak in the area, or to adhere to state lawsgoverning workplace safety.
  8. Victims of Abuse, Neglect, or Domestic Violence.We may share your PHI information with government agencies to report suspectedabuse, neglect, or domestic violence. We will only disclose this information ifthe law requires us to do so, or when it is necessary to protect someone fromserious harm.
  9. Lawsuits and legal actions. We may use anddisclose your PHI in response to a court or administrative order, certainsubpoenas, or other legal processes. We may also use and disclose PHI to the extentpermitted by law without your authorization, such as in defending against alawsuit or arbitration.
  10. LawEnforcement. We may disclose your PHI to help locate or identify a missingperson, suspect, or fugitive. This may also occur when there is suspicion thatdeath has occurred because of criminal conduct, to report a crime that happens atour clinics or offices, or to report certain types of wounds, injuries, ordeaths that may be the result of a crime. This information may be disclosed toauthorized officials such as the police, sheriff, or FBI for law enforcementpurposes and in response to legal processes, such as a search warrant or courtorder.
  11. Coroners,Medical Examiners, and Funeral Directors. We may share your PHI with funeraldirectors, coroners, and medical examiners to help identify a body, determinethe cause of death, or for official duties.
  12. Organ,Eye, and Tissue Donation. We may disclose your PHI to organizations responsiblefor organ, eye, or tissue donations and transplants.
  13. Research.We may use and share your PHI for research purposes if it is approved by anInstitutional Review Board (IRB). An IRB is a committee that is responsible forreviewing and approving research involving human participants to protect their safetyand the confidentiality of their PHI by federal law.
  14. ToStop a Serious Threat to Health or Safety. We may use or disclose your PHI ifwe believe it is necessary to prevent a serious threat to your health or safetyor to someone else’s health or safety.
  15. Inmates.As an inmate of a correctional institution or in custody of a law enforcementofficial, you may not receive a notice of privacy practices. We may discloseyour PHI to the correctional institution or the law enforcement official for specificpurposes, such as protecting your health and safety or that of someone else.
  16. MilitaryActivity and National Security. We might disclose the PHI of armed forces personnelto the relevant military authorities to carry out military missions.Additionally, we may disclosed your PHI to authorized federal officials when itis necessary for national security and intelligence activities or the protectionof the president, other government officials, and dignitaries.
  17. GovernmentPrograms for Public Benefits. We may use or disclose your PHI to assist youin qualifying for government benefit programs such as Medicare, SupplementalSecurity Income, or other available benefits or services. We may also reach outto inform you about potential treatment options, health-related benefits, andservices.
  18. Workers’Compensation. We may use and share your PHI to comply with workers’compensation laws or similar programs that provide benefits for work-relatedinjuries or illnesses. For instance, we may disclose your medical information abouta work-related injury or illness to claims administrators, insurance carriers, andother parties assessing your claim for workers’ compensation benefits.
  19. Familyand Friends Involved in or Paying for Your Care. We may share your PHI witha friend, family member, or anyone else involved in your care or responsiblefor payment.
  20. Disclosuresin Case of Disaster Relief. We may share your name, city of residence, age,gender, and overall condition with a public or private disaster relief organizationfor necessary medical assistance or to aid in reuniting you with familymembers.
  21. Disclosuresto Parents as Personal Representatives of Minors. In most cases, we maydisclose your minor child’s PHI to you. In some situations, however, we arepermitted and sometimes required by law to deny you access to your minor child’sPHI. An example of when we must deny such access, based on the type of healthcare,is when a minor who is 12 years old or older seeks care for a communicabledisease or condition. Another situation when we must deny access to parents iswhen minors have adult rights to make their own healthcare decisions. Theseminors include, for example, married minors or who have a declaration ofemancipation from a court.
  22. AppointmentReminders. We may use the PHI to remind you of your upcoming appointmentsfor treatment or other necessary health care.
  23. ImmunizationRecords. With written or verbal authorization from a parent, guardian, or otherperson acting in place of a parent, or from an emancipated minor, we maydisclose proof of your child’s immunization to a school and provide informationabout a child who is or will be a student at the school as required by state orother laws.
  24. IdentityVerification. We may take a photograph of you for identification purposes andstore it in your medical record.
  25. ElectronicHealth Records (EHR). We may use an electronic health record to store andretrieve your health information. One of the advantages of the EHR is theability to share and exchange health information among personnel and othercommunity healthcare providers involved in your care. When we enter yourinformation into the EHR, we may share that information by using sharedclinical databases or health information exchanges. We may also receive informationabout you from other healthcare providers involved with your care by usingshared databases or health information exchanges. If you have any questions orconcerns about the sharing or exchange of your PHI discuss with your provider.
  26. Communicationswith Family, Friends, and Others. In situations where you are unable togive consent due to an emergency or lack of capacity, we may need to discloseyour PHI to family members or those involved in your care. We will use ourprofessional judgment to determine if it is in your best interest to do so, andwe will only disclose the information that is directly relevant to the person’sinvolvement in your healthcare. For instance, we may share information about potentialexposure to an infectious disease if it requires immediate attention.

Uses and Disclosures of Your PHI Requiring Your WrittenAuthorization:

We are required to obtain your written authorization to use ordisclose your PHI, with limited exceptions, for the following reasons:

  1. Sale of PHI. We do not sell patient PHI.
  2. Marketing. We will request your written approval to useor disclose your PHI for marketing purposes.
  3. Psychotherapy Notes. We will request your writtenapproval to use or disclose your psychotherapy notes with limited exception. Forexample, for certain treatment, payment, or healthcare operation functions.
    1. All other uses and disclosures of your PHI not describedin this Notice will be made only with your written approval. You may take back yourapproval at any time. The request to take back approval must be in writing.Your request to take back approval will go into effect as soon as you request it.There are two cases it won’t take effect as soon as you request it. The first caseis when we have already taken actions based on past approval. The second caseis before we receive your written request to stop.

Uses and Disclosures of Your Substance and Alcohol UseDisorder Records:

Your records related to substance use disorder (SUD) areprotected by federal law under 42 CFR Part 2. This law provides extra confidentialityprotections and requires a separate patient consent for the use and disclosureof SUD counseling notes. Each disclosure made with patient consent must includea copy of the consent or a clear explanation of the scope of the consent. 42CFR Part 2 allows patients to sign a single consent form for all future usesand disclosures for SUD treatment, payment, and other health care operations. Disclosureof these records requires your explicit written consent, except in limitedcircumstances. You may revoke this consent at any time.

  • Medical Emergencies: Only to the extent needed totreat your emergency.

  • Reporting Crimes on Program Premises.

  • Child Abuse Reporting: In connection with incidentsof suspected child abuse or neglect to appropriate state or local authorities.

 

Prohibitions on Use and Disclosure of Part 2 Records

  • The new rule expands prohibitions on the use anddisclosure of Part 2 records in civil, criminal, administrative, or legislativeproceedings conducted against a patient unless the patient provides consent, ora court order is issued.
  • A separate consent is required and must specificallyaddress the use and disclosure of SUD counseling notes. Consent cannot becombined.

 

Your Rights Regarding Your PHI:

  1. Right to Access Health Information. You have theright to access and obtain a copy of your health information held by thecovered entity, including electronic records with a few exceptions. Thisincludes any information related to your care, decisions about your care, orpayment for your care. You can access your records in any format maintained byPRH and request them to be sent to a third party.
  2. Right to Request Corrections. You have the rightto request corrections to inaccurate or incomplete information. Your request mustbe in writing, and it should explain the corrections or additions you arerequesting, along with the reasons they should be made. We will respond to yourrequest within 60 days and may extend this period once by 30 days if we providea written explanation for any delay. If your request is approved, we will makethe necessary corrections or additions to your PHI.
    1. We may deny your request if it is not in writing or doesnot include a reason to support the request. We may also deny your request if:
      1. Theinformation in your record is correct and accurate.
      2. Theinformation in your record was not created by HHS, or the person who created itis no longer available to make the amendment, or
      3. Theinformation is not part of the records you are permitted to view and copy.
      4. Ifwe deny your request for a change, we will inform you why and explain yourright to submit a written statement of disagreement. Your statement should notexceed five pages. Please notify us in writing if you want us to include yourstatement of disagreement, your original request for a change, and our writtendenial in future disclosures of that part of your medical records.
  3. Right to Request Restrictions on Uses and Disclosuresof your PHI. You have the right to request restrictions on how your PHI is usedor disclosed for treatment, payment, or healthcare operations. We will comply withthese requests unless prohibited by law. For example, you can requestrestrictions on the information you share with someone involved in your care orwith your spouse. We may not be obligated to agree to your request, except ifyou have the right to limit the sharing of information with a health plan orinsurer for payment or healthcare operations or with a BA if you pay out ofpocket in full for the healthcare item or service at the time of the requestfor restriction.
  4. Right to Request Confidential Communications. Youhave the right to request how we communicate with you about your PHI and where wesend communications. For example, you can ask us to only call you at your worknumber or send mail to a specific address. Your request must be in writing andclearly state your preferred method or location for communication. We willaccommodate all reasonable requests. If your PHI is stored electronically, youcan request a copy of the records in an electronic format provided by HHS. Youcan also submit a written request for the electronic copy to be sent to adesignated third party. If fulfilling your request costs more than a reasonableamount, we may charge you for the excess costs.
  5. Right to Revoke an Authorization. You have the rightto revoke your written authorization to use and disclose your PHI at any time.You must inform us of the revocation in writing. If you revoke your writtenauthorization, we will stop sharing your PHI. However, any information alreadyused or shared while the authorization was valid cannot be taken back.
  6. Right to a Paper Copy of this Notice. Unless youare incarcerated, you have the right to request a paper copy of this notice atany time.
  7. Right to Receive Notifications. You have the rightto notifications about how your health information is used and shared.
  8. Right To Make Decisions on Information Sharing. Youhave the right to make decisions about specific uses and disclosures of yourPHI. You can request restrictions on how your information is used or disclosed,and covered entities must comply with these requests unless prohibited by law.
  9. Breach Notification. In the event of a breach ofyour unsecured PHI, you have the right to be notified without unreasonabledelay and no later than 60 days following our discovery of the breach.
  10. Rightto File a Complaint. If you have questions about this notice, your privacyrights, or believe your privacy rights have been violated, you may call the PRHHIPAA Privacy Officer at 509-336-7521. You have the right to file a complaintdirectly with the Office for Civil Rights - U.S. Department of Health and HumanServices (DHHS) via the following methods:

 

  • Email: OCRPrivacy@HHS.Gov(for health information privacy or patient safety inquiries)
  • OCRMail@HHS.Gov(for non-privacy related inquiries).
  • Phone Number: (800) 368-1019 or TDD (800) 537-7697
  • Fax Number: (202) 619-3818
  • OCR Compliant Portal: <ahref="https:>OCR Complaint Portal</ahref="https:>
  • Mailing Address:

Office for Civil Rights – U.S. DHHS
200 Independence Ave., SW Room 509F, HHS Building
Washington, D.C. 20201

The complaint must be submitted inwriting and sent by mail, fax, or electronically via email within 180 days ofdiscovering the violation. PRH respects your right to voice concerns about yourprivacy. You are protected from any form of punishment, threat, or penalty whenasking questions or filing a complaint.

Our Responsibilities:

  • We are required by law to maintain the privacy andsecurity of your protected health information.
  • We will let you know promptly if a breach occursthat may have compromised the privacy and security of your information.
  • We must follow the duties and provide a clear andconcise explanation of our privacy practices and inform you of any changes tothese practices. We must provide you a copy.
  • We will not use or share your information other thanas described here unless you tell us we can in writing. You may change yourmind at any time. Let us know in writing.

 

Material Changes to the Terms of This Notice

  • We are obligated to adhere to the terms of this noticewhile it is in effect. We maintain the right to modify this notice and ourprivacy practices at any time. Additionally, we will display and provide accessto the new notice at HHS Program/Services sites and clinics, in the waitingareas, or at the reception desk.

Notice of Nondiscrimination [AFFORDABLE CARE ACT (ACA)45 CFR 92]

  • PRH complies with applicable federal civil rightslaws and does not discriminate based on race, color, national origin, age,disability, or sex. We provide the following services:
  • Free aids and services for people with disabilitiesto help them communicate with us, such as qualified sign language interpretersand written information in alternative formats (such as large print, audio, andaccessible electronic formats).
  • Free language services for individuals whose primarylanguage is not English, including qualified interpreters and information inother languages.

Discrimination Based on Disability in HHS Programs or Activities

  • Effective May 1, 2024, PRH complies with the DiscriminationBased on Disability in Health and Human Service Programs or Activities forpeople with disabilities under Section 504
  • of the Rehabilitation Act. The “Rehab Act” protectsdisabled people from discrimination of all ages.

Genetic Information Nondiscrimination Act (GINA)

  • Section 105 of Title 1 of GINA provides enhancedprivacy protections for genetic information, ensuring individuals are notdisadvantaged based on their genetic predispositions.
  • Genetic information must be treated with thesame confidentiality as PHI, and only specific entities, such as medical researchersor law enforcement (under limited circumstances), may receive access.