Health Center Privacy Policy - The University of Tulsa



There are two federal laws that protect the privacy of health information: the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA).

For students of The University of Tulsa (TU), the applicable federal privacy regulations are found in FERPA. However, it is our goal to comply with the standards of HIPAA. For all other individuals, the applicable federal privacy regulations are found in HIPAA. We are committed to protecting your medical information under HIPAA. Under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), we are required by law to:

1. Maintain the privacy of your medical information;
2. Give you a Notice of our legal duties and privacy practices with respect to your medical information; and
3. Follow the terms of the Notice currently in effect.

We reserve the right to change our practices and to make the new provisions effective for all protected health information we maintain. Any change we make to our privacy practices will be made available to you upon request.


Although your health information is the physical property of the University of Tulsa, the information belongs to you. The following describes your rights:

1. You may request a restriction to the use and disclosure of your Personal Health Information (PHI) for circumstances involving treatment, payment or health care operations. You may also restrict disclosure of any part of your PHI to family members or individuals involved in your care. Those restrictions must be in writing and specific. However, these restrictions may not be appropriate. (See Examples of Uses and Disclosures of Your Health Information.)

2. You have the right to see and request a copy of your PHI. This request must be in writing and we do reserve the right to charge for the copy request. There may be circumstances in which we are not required to comply with your request. If such circumstances should arise, we will provide you, in writing, an explanation.

3. You have the right to amend your PHI. If you believe that there is a mistake or missing information in our record of your PHI, you may request, in writing, that we correct or add to the record. We will respond within 60 days of receiving your request. We may deny the request if we determine that the PHI is (1) correct and complete, (2) not created by us and/or not part of our records, or (3) not permitted to be disclosed.

4. You have the right to a listing of disclosures we have made, such as those authorized by you or made for treatment, payment or health care operations. In some circumstances, disclosure of your PHI may be required by law. (See Examples of Special Circumstances for Disclosures of PHI Without Your Authorization.)

5. You have the right to receive a copy of the Notice.


We are required to include in the Notice contact information for filing a complaint if you feel that your privacy rights have been violated. Please contact:

HIPAA Privacy Officer – Sherry Eskew
Office of Human Resources and Risk Management
The University of Tulsa
800 S. Tucker Drive
Tulsa, OK 74104

Secretary of Health and Human Services
200 Independence Avenue SW
Washington, D.C. 20201

To file a complaint with the Secretary of Health and Human Services, you must do so within 180 days of the date on which the action that caused concern happened. There will be no punishment or penalty for filing a complaint. The effective date for this Notice is April 14, 2003.


1. Providing health care treatment to you – We will use your health information for diagnosis and treatment. For example, information obtained by a nurse, physician assistant, physician or other member of the health care team will be recorded in your record and used to determine the course of treatment that would work best for you. Your health information may also be used for medical treatment/services provided by other health care providers, for example, referral to a specialist.

2. To obtain payment for services – There are some services provided in our organization through contracts with business associates. Examples include physician services, laboratory services and insurance companies. When these services are contracted, we may disclose your health information to our business associate so that they can perform the job we have asked them to do. To protect your health information, however, we require the business associate to appropriately safeguard your information.

3. Performance of health care operations – Health care operations are those functions that include utilization review, receiving and responding to complaints, compliance programs, audits, etc.

4. Individuals involved with your care – We will not communicate with a family member, other relative, close personal friend or identified other person, unless we have a signed release from you authorizing the communication. You may have someone present during your exam, if you do not object and if you agree to have your PHI disclosed to the individual. If you are unable to authorize communication due to incapacity or a life-threatening medical condition, relevant PHI may be disclosed based on the professional judgment of the health care provider.

5. Appointment reminders – Unless you provide us with alternative instructions, we may send appointment reminders and other similar materials to your home or e-mail, or notify you of appointments by phone.


There may be special circumstances that require us to use and disclose your protected health information. Those circumstances may include some or all of the following:

1. Public health activities – The use and disclosure of PHI for public health activities and purposes to a public health authority that is permitted by law to collect or receive the information. The disclosure will be made for the purpose of controlling disease, injury, or disability. We may also disclose PHI if so directed by the Public Health Authority. For example, it is required by Oklahoma State law to report any positive lab reports on patients who are infected with the sexually transmitted infections of chlamydia, gonorrhea, syphilis and HIV. There are other infectious diseases that require reporting; examples of those would be hepatitis, meningitis, E. coli and Salmonella.

2. Any incident relating to abuse, neglect or domestic violence – The use and disclosure of PHI to a public health authority that is authorized by law to receive reports of child abuse or neglect. We may also disclose PHI if we believe you have been a victim of abuse, neglect or domestic violence to the governmental agency authorized to receive such information.

3. Health oversight activities – Use and disclosure of PHI to a public health authority for activities authorized by law, such as audits, investigations, and inspections. These oversight agencies would include government agencies that oversee the health care system, government benefit programs, or other government regulatory programs, and civil rights laws.

4. For judicial and administrative proceedings – The use and disclosure of PHI to any judicial or administrative proceeding, in response to an order of a court or administrative tribunal, and in certain conditions, a subpoena, discovery request or other lawful process.

5. For law enforcement purposes – The use and disclosure of PHI, so long as applicable legal requirements are met. Law enforcement purposes are legal processes required by law; limited information requests for identification and location purposes; issues pertaining to victims of a crime, and suspicion that death has occurred as a result of criminal conduct.

6. For purposes relating to decedents – The use and disclosure of PHI to a coroner or medical examiner for identification purposes, determining cause of death or for the coroner or medical examiner to perform other duties authorized by law.

7. For purposes of organ, eye or tissue donation – The use and disclosure of PHI for recipients of your organs.

8. To avert a serious threat to health or safety – The use and disclosure of PHI necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.

9. For specialized government functions – Specialized government functions could involve authorized federal officials who are conducting national security and intelligence activities.

10. For purposes relating to correctional institutions and in other law enforcement custodial situations – The use and disclosure of PHI if you are an inmate of a correctional facility and your physician created or received PHI in the course of providing care to you.

11. Individual use and disclosure – The use and disclosure of PHI to you and when required by the Secretary of the Department of Health and Human Services to investigate or determine our compliance with HIPAA.