Protecting Patient Privacy

What is HIPAA?

The privacy provisions of the federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), apply to health information created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses.

The Department of Health and Human Services (HHS) has issued the regulation, “Standards for Privacy of Individually Identifiable Health Information,” applicable to entities covered by HIPAA, and detailed below.

The Office for Civil Rights (OCR) is the Departmental component responsible for implementing and enforcing the privacy regulation.

To view Schuyler Hospital’s Privacy Policy, click here (PDF attached)

Additionally, for the privacy of our patients, residents and staff – we ask that you do not take photos or video of other patients or residents, or of staff, without their prior permission.

Who must follow this law?

Most doctors, nurses, pharmacies, hospitals, clinics, nursing homes, and many other health care providers; Health insurance companies, HMOs, most employer group health plans; And certain government programs that pay for health care, such as Medicare and Medicaid.

What information is protected?

Information your doctors, nurses, and other health care providers put in your medical record; Conversations your doctor has about your care or treatment with nurses and others; Information about you in your health insurer’s computer system; Billing information about you at your clinic; And most other health information about you held by those who must follow this law.

Providers and health insurers who are required to follow this law must comply with your right to:

Ask to see and get a copy of your health records; Have corrections added to your health information; Receive a notice that tells you how your health information may be used and shared; Decide if you want to give your permission before your health information can be used or shared for certain purposes, such as for marketing; Get a report on when and why your health information was shared for certain purposes.

To make sure that your information is protected in a way that does not interfere with your health care, your information can be used and shared:

For your treatment and care coordination; To pay doctors and hospitals for your health care and help run their businesses; With your family, relatives, friends or others you identify who are involved with your health care; To make sure doctors give good care and nursing homes are clean and safe; To protect the public’s health, such as by reporting when the flu is in your area; To make required reports to the police, such as reporting gunshot wounds.

Your health information cannot be used or shared without your written permission unless this law allows it.

For example, without your authorization, your provider generally cannot: Give your information to your employer; Use or share your information for marketing or advertising purposes; Share private notes about your mental health counseling sessions.
Providers and health insurers who are required to follow this law must keep your information private by:

Teaching the people who work for them how your information may and may not be used and shared; And taking appropriate and reasonable steps to keep your health information secure.

Information provided by:
U.S. Department of Health & Human Services Office for Civil Rights

How to File a Health Information Privacy Complaint

If you believe that a person, agency or organization covered under the HIPAA Privacy Rule (“a covered entity”) violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy Rule, you may file a complaint with the Office for Civil Rights (OCR). OCR has authority to receive and investigate complaints against covered entities related to the Privacy Rule. A covered entity is a health plan, health care clearinghouse, and any health care provider who conducts certain health care transactions electronically.

Complaints to the Office for Civil Rights must: (1) Be filed in writing, either on paper or electronically; (2) Name the entity that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable requirements of the Privacy Rule; and (3) Be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show “good cause.” Any alleged violation must have occurred on or after April 14, 2003 (on or after April 14, 2004 for small health plans), for OCR to have authority to investigate.

Anyone can file written complaints with OCR by mail, fax, or email.
Health Information Privacy Complaint Forms, if you choose to use them, may be downloaded at

If you need help filing a complaint or have a question about the complaint form, please call this OCR toll free number: 1-800-368-1019. Complaints should be sent to the attention of the appropriate OCR Regional Manager (see contact information below).

Be sure to include the following information in your written complaint:

Your name, full address, home and work telephone numbers, email address.

If you are filing a complaint on someone’s behalf, also provide the name of the person on whose behalf you are filing.

Name, full address and phone of the person, agency or organization you believe violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy Rule.

Briefly describe what happened. How, why, and when do believe your (or someone else’s) health information privacy rights were violated, or the Privacy Rule otherwise was violated?

Any other relevant information.

Please sign your name and date your letter.

The following information is optional:

Do you need special accommodations for us to communicate with you about this complaint?

If we cannot reach you directly, is there someone else we can contact to help us reach you?

Have you filed your complaint somewhere else?

The Privacy Rule, developed under authority of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), prohibits the alleged violating party from taking retaliatory action against anyone for filing a complaint with the Office for Civil Rights. You should notify OCR immediately in the event of any retaliatory action.

Region II – NJ, NY, PR, VI
Office for Civil Rights
U.S. Department of Health & Human Services
26 Federal Plaza – Suite 3313
New York, NY 10278
(212) 264-3313; (212) 264-2355 (TDD)
(212) 264-3039 FAX

For more information, contact Schuyler Hospital at (607) 535-7121 or

Coronavirus (COVID-19) Information - What you need to knowLearn More
Skip to content