Notice of Privacy Practices | Long Island State Veterans Home

STONY BROOK ORGANIZED HEALTH CARE ARRANGEMENT - NOTICE OF PRIVACY PRACTICES

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION (OR PROTECTED HEALTH INFORMATION) ABOUT YOU MAY BE USED AND DISCLOSED (SHARED), AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Protected Health Information (PHI) is protected under the Health Information Portability and Accountability Act (HIPAA). Some examples of PHI include your diagnosis, laboratory test results, medications, information about the health care services you have received or will receive in the future, demographic information, unique numbers that identify you (such as your Social Security number or medical record number), and information concerning your health insurance.

THE STONY BROOK ORGANIZED HEALTH CARE ARRANGEMENT

The Stony Brook Organized Health Care Arrangement (SBOHCA) was formed for the sole purpose of making sure we comply with HIPAA and creates no legal representations, warranties, obligations, or responsibilities beyond HIPAA compliance. The entities of the SBOHCA include all campus locations of Stony Brook University Hospital (SBUH), including Stony Brook Eastern Long Island Hospital (SBELIH) and Stony Brook Southampton Hospital (SBSH), the University Faculty Practice Corporations (UFPCs), Stony Brook Community Medical, P.C. (SBCM), Meeting House Lane Medical Practice, P.C.; the Long Island State Veterans Home (LISVH), Stony Brook Health Partners, LLC and several academic health sciences schools of Stony Brook University, including the School of Medicine, School of Dental Medicine, School of Nursing, School of Health Professions and School of Social Welfare, and Program in Public Health; their employees and contracted professionals and students; and the voluntary members of the SBUH Medical Staff. The entities participating in the SBOHCA agree to abide by the terms of this Notice of Privacy Practices (“Notice”) with respect to PHI. This Notice applies to all these sites, which are referred to as the “SBOHCA,” also known as “Stony Brook Medicine.”

The entities in the SBOHCA may share PHI with each other, as needed to carry out treatment, payment, and healthcare operations relating to the SBOHCA. The covered entities that make up SBOHCA may have different policies and procedures for the use and disclosure of health information created and/or kept at each of their sites. Also, while all the entities that make up the SBOHCA use this Notice, voluntary members of the SBUH Medical Staff use a Notice specific to their practice when they provide services at their private practice sites. If you have questions about any part of this Notice or if you want more information about the SBOHCA entities (herein referred to as “we” or “us” or “Stony Brook Medicine”), please contact the Privacy Office using the contact information at the end of this Notice.

THE STONY BROOK ORGANIZED HEALTH CARE ARRANGEMENT MAY USE AND DISCLOSE YOUR PHI AS FOLLOWS:

Treatment: For purposes related to your health care. This generally refers to the provision, coordination, or management of your health care and related services, among health care providers, by a health care provider with a third party, consultation between health care providers, or a referral from one health care provider to another. This means we may disclose your PHI to doctors, nurses, technicians, students, pharmacies, laboratories, accountable care organizations, or other individuals involved in your care, both within and outside the SBOHCA. For example, if your primary care doctor refers you to a cardiologist for a consult, the doctor may share your PHI with the cardiologist so that the cardiologist may use it to evaluate and treat you.

Payment: To collect payment for the services provided to you. This includes using and/or disclosing your PHI to send bills and collect payment from you, your insurance company, or other payers, such as Medicare and Medicaid. We may also inform your health insurer of a recommended treatment to decide whether your plan will cover the cost and/or obtain prior approval. Also, we may disclose your PHI to other healthcare providers so that they can collect payment for services they provided to you.

Health Care Operations: For the activities that are needed to run our business, support the treatment we provide to our patients, residents and registrants (“patients”), and the collection of payment. For example, your PHI may be used or disclosed to conduct quality improvement activities, for the review of the skills of health care professionals, and to achieve and maintain accreditations and certifications.

Facility Directory: To include your name, location in the facility, general medical status (such as fair or stable), and religion in the facility directory if you are in one of our facilities. Unless you opt out, this information may be shared with people who ask for you by name. Your religion will only be shared with clergy such as a pastor, priest, or rabbi. This is so your family, friends, and clergy can speak to you by phone or visit you and generally know how you are doing. If you do not want this information listed in the facility directory, you must request to opt out during registration or speak to a member of your care team.

Individuals Involved in Your Care or Payment for Your Care: To inform or assist in informing a family member, other relative, or a close personal friend about your condition, other information as needed to take part in your healthcare, or in the event of your death. If you are unable or not present to agree or object to these disclosures, our health care professionals will use their best judgment in sharing your PHI with your family, friends, and others. If another person has authority to make your health care decisions, we will disclose relevant PHI to that person so that they can make those decisions. Parents and legal guardians of minors generally are allowed to make medical decisions for minor patients unless the minor is allowed by law to act on their own behalf and make their own medical decisions in certain cases.

Disaster Relief: To a public or private entity allowed to assist in an emergency or disaster relief effort, such as the American Red Cross, so that your family can be informed about your condition, status, and location. If we are able to do so without affecting our response to the emergency, we will attempt to get your permission before we disclose your PHI.

Deceased Individuals: To a deceased person’s family members, other relatives, or a close friend who was involved in the health care or payment for health care received by the deceased person. We will only share the PHI that is related to their involvement with the deceased person’s health care or payment for health care, unless doing so would not be consistent with any prior expressed preference of the deceased person that we are aware of.

Public Health: To public health bodies for public health reasons, such as stopping or controlling disease, injury, or disability; reporting vital events, such as births and deaths; reporting child abuse or neglect or domestic violence, reactions to medications, or problems with medical devices; and reporting to your employer findings of work-related illness or injury.

Health Oversight: To health oversight bodies for health oversight activities such as audits, investigations, inspections, licensure, disciplinary actions, or other activities needed for appropriate oversight of the health care system.

Judicial and Administrative Proceedings: To courts, lawyers, and court employees in response to a court order, subpoena, discovery request, or other lawful requests, or to defend ourselves in a lawsuit.

Law Enforcement: To a law enforcement official, as required by law, such as to report certain types of wounds or injuries or in response to a court order, court-ordered warrant, subpoena, summons, or an administrative request, in certain cases. We may also use or disclose your PHI to a law enforcement official in special cases such as to identify or locate a suspect or missing person; in certain cases if we suspect you are a victim of a crime, a death that we suspect resulted from a crime or a crime that took place at one of our sites; or if you are in law enforcement’s custody.

Coroners, Medical Examiners, and Funeral Directors: To coroners and medical examiners, the PHI of a deceased person, for reasons such as to find out a cause of death or identification. To funeral directors, the PHI of a deceased person, or in reasonable anticipation of a death, for the funeral directors to carry out their duties.

Cadaveric Organ, Eye, or Tissue Donation: To organ procurement agencies or other entities engaged in the finding, banking, or transplanting of cadaveric organs, eyes, or tissue.

Research: To improve outcomes for patients and advance health sciences through clinical research. When approved by an Institutional Review Board (IRB) or other special approval process and allowed by state and federal laws that include HIPAA, we may use or disclose your PHI to conduct or prepare for future research studies. Our researchers may contact you to ask if you are interested in joining research studies that have been approved. While you have the option to decline joining a study when we contact you, you may also opt out of receiving such contacts during the registration process or by calling (631) 638-1801 or emailing researchcontacts@stonybrookmedicine.edu. Your decision will not affect your treatment, and your PHI will continue to be protected.

To Avert a Serious Threat to Health or Safety: To prevent or lessen a threat to the health and safety of a person or the public. Any disclosure of PHI made to attempt to stop a serious threat to health or safety would be to someone we believe would be able to prevent or lessen the threat.

Specialized Government Functions: For activities related to the military, veterans, national security and intelligence; protective services for the President and other important officials, and in law enforcement custodial situations for certain reasons, such as to provide health care and protect the health and safety of inmates.

Workers’ Compensation: For workers’ compensation or similar programs that provide benefits for work-related injuries or illness.

Fundraising: To raise funds for Stony Brook Medicine including contacting you. You may opt out of being contacted for fundraising by contacting the Privacy Office using the contact information at the end of this Notice.

Treatment Options and Other Health-Related Products and Services: To contact you about treatment or other health-related products and services that we offer that may be of interest to you. However, uses or disclosures of your PHI for marketing purposes, other than face-to-face discussions with you or promotional gifts of small value, need your authorization, such as the sale of your PHI for marketing or sending you a flyer about a product or service that is not part of the SBOHCA when the message is not for the purpose of giving treatment advice.

Appointment Reminders: To remind you of your appointments for health care services. For example, we may use the mobile number you provide to us to send you text messages to remind you of details such as the date, time, and place of your appointment with us.

Business Associates: To a business associate, which is usually a vendor that we hire to provide a service to us or perform a function or activity on our behalf, such as a billing company or legal service. Business Associates must assure us in writing that they will protect your PHI as required by law.

Change of Ownership: To a new owner/entity. If a single entity (or entities) of the SBOHCA is sold or separated, your PHI may become the property of the new owner/entity.

Required by Law: As otherwise required by federal, state, or local law.

USES AND DISCLOSURES OF YOUR PHI THAT REQUIRE YOUR WRITTEN AUTHORIZATION:

Psychotherapy Notes: Mental health professionals write notes in the medical record that describe the psychotherapy that is being provided. This information may include details such as the symptoms being treated, the plan of treatment, medications, and clinical test results. A mental health professional may also make personal notes that are kept outside the medical record that document or analyze the conversation in the psychotherapy session. These notes that are kept outside of the medical record, in most cases, will not be disclosed without your authorization.

Sale of PHI: We will not sell your PHI without your written authorization. However, there are certain limited instances in which we are allowed by law to receive payment for your PHI. For instance, we may disclose limited PHI about you to a sponsor for a clinical research study, and they may provide us with a reasonable cost-based fee to cover the cost to prepare and transmit the PHI. We will obtain their agreement that they will protect your PHI.

OTHER IMPORTANT INFORMATION

Stricter Laws: There are state and federal laws that are stricter than HIPAA. For example, New York State (NYS) law requires your general consent for use and disclosure of your information for treatment and payment purposes, which is obtained in the general consent for treatment. NYS law also does not allow the disclosure of HIV-related information and records of licensed mental health sites for certain reasons that are allowed by HIPAA. Federal law, 42 CFR Part 2, does not allow the disclosure of certain types of substance use disorder treatment records for certain purposes that are allowed under HIPAA. We will follow these stricter laws, and we will not disclose your PHI for any purpose not allowed by these laws without your consent or written authorization, as needed. For more information on how we handle certain types of substance use disorder treatment records that are protected under 42 CFR Part 2, please review the Stony Brook Medicine Notice of Privacy Practices for Substance Use Disorder Treatment Information protected by 42 CFR Part 2 at stonybrookmedicine.edu/patientcare/privacy, or you can ask for a paper copy at registration or the front desk.

Revoking an Authorization: You may revoke (cancel) a written authorization at any time, as long as the revocation is in writing. Please know that we will not be able to take back disclosures we already made with your written authorization. Also, if the written authorization was obtained as a condition of getting insurance coverage, other laws provide certain rights to the insurer for the PHI.

Redisclosure of PHI: Please be advised that once your PHI is disclosed, it may be further shared by the person or entity that receives it and may no longer be protected by HIPAA. For example, if you tell us to disclose your PHI to one of your family members, or your attorney, once disclosed, the PHI may no longer be protected under HIPAA and may be further shared.

Incidental Disclosures: We will take reasonable steps to protect your PHI; however, certain incidental uses and disclosures of your PHI may occur as a result of allowed uses and disclosures of PHI that are limited in nature and cannot reasonably be prevented. For example, other people may overhear you give your name and demographic information when you are checking in for a visit with your doctor or if a provider is speaking with you about your illness and care in a busy emergency room.

YOUR RIGHTS CONCERNING YOUR PROTECTED HEALTH INFORMATION

Right to Access Your PHI: You can look at or receive a copy of your PHI or tell us to send it to a third party. You may do so by submitting a completed Request for Access to PHI form. We have policies and procedures to provide you with proper access to your PHI as required by HIPAA and NYS law. We will arrange an easy way for you to receive the PHI. Also, we will provide the PHI to you in the form and format you request if we can easily produce the PHI in that form and format. If not, we will provide it to you as a readable hard copy or another form and format we both agree to. We may charge you a reasonable fee to cover the cost for us to prepare the records. To learn how to request access to your PHI at LISVH, visit veteranshome.stonybrookmedicine.edu/medical-record-request.

We may deny access to your PHI in very limited cases as allowed by state and federal law. If we deny your request for access to your records, we may provide you with a written summary of your record or with certain parts of your record, and you have the right to request that the denial be reviewed. A description of the process to have a denial reviewed will be included in the letter informing you of our decision to deny your request. You also may be able to access some or all of your PHI in a patient portal. You
may speak with someone at the site you visit about how to request access to your PHI and to learn more about being able to access your PHI in a patient portal.

Right to Receive Confidential Communications: You can request that you receive communications about your PHI through an alternate means or at an alternate location, and we will accept all reasonable requests. For example, you can provide us with your cell phone number as your primary number instead of your home phone number or use a P.O. Box instead of your home address as your primary address. If you want us to communicate with you in a certain way, a reason is not necessary, but we will need details about this alternate way to contact you. Your request must be made in writing by filling out a Request for Confidential Communications of Protected Health Information form and providing it to the Privacy Office using the contact information at the end of this Notice. If we are unable to contact you using the requested means or locations, please note that we may contact you using whatever contact information we have.

Right to Request Restriction on Use and Disclosure of PHI: You can submit a written request to restrict certain uses and disclosures of your PHI, including for treatment, payment, and health care operations, or to someone involved in your care or payment for your care, such as a friend or family member. Although we will review your request, we are not required to agree to the requested restriction, except for a request to restrict disclosure of your PHI to your health plan/insurance carrier or other payer, if out-of-pocket payment has been received in full at the time the service is rendered (unless such disclosure is required by law). Also, if you require follow-up care related to the undisclosed service and you decide you do not want to pay for that follow-up care at the time it is provided to you, it may be needed for us to inform your health insurer about the previously undisclosed service in order to receive payment for follow-up care. To request a restriction on disclosure of your PHI to a health plan/health insurer or other third-party payer, you must notify the SBOHCA entity site staff member at the time of registration for the applicable visit and fill out a Request to Restrict Disclosure of Health Information to a Health Plan – Pay in Full form. Other types of restriction requests must be made in writing by completing the Request to Restrict Use Disclosure of PHI form and providing it to the Privacy Office using the contact information at the end of this Notice.

Right to Request an Amendment to Your PHI: You can submit a request for an amendment (change) of your PHI. The request must be submitted by completing the Patient Request for Amendment of Protected Health Information form and submitting it to the SBOHCA entity site location or the Medical Records department at the site you are requesting the amendment from. We will review and respond to your request in writing, but we are not required to make the requested amendment. For instance, we may deny the request if we believe that the PHI is accurate and complete without the requested amendment. If your request is denied, the written response will include the reason for the denial and information about how you can appeal the denial. If the request is accepted, we will share the amended PHI with whomever you request.

Right to Receive an Accounting of Disclosures of Your PHI: You can submit a written request to receive an accounting (list) of disclosures of your PHI for the past six years. We are not required to tell you about all disclosures of your PHI. For example, we are not required and will not be able to provide you with an accounting of disclosures for disclosures related to treatment, payment, healthcare operations; disclosures that were made to you or to a third party based on your request or an authorization signed by you; or to friends or family members involved in your care or as part of a facility directory. Requests must be made in writing by completing the Request for an Accounting of Disclosures form and providing it to the Privacy Office using the contact information at the end of this Notice.

Right to Be Notified of a Breach of Your PHI: You will be notified in the event of a breach of the privacy of your unsecured PHI by the SBOHCA entity site or its business associates as soon as reasonably possible, but usually no later than 60 days after we become aware of the breach. The notice will provide you with the date(s) the incident occurred, the date we became aware of the breach, a brief description of the type of information that was involved, and the steps we took to mitigate and correct the situation, as well as contact information for you to ask questions and obtain more information.

Right to a Paper Copy of This Notice: You can request a paper copy of this Notice at registration or the front desk. If you would like a more detailed description of any of these rights, or if you would like to act on one or more of the rights and do not know how to based on the information contained in this Notice, you may contact the Privacy Office using the contact information at the end of this Notice or by visiting the Long Island State Veterans Home privacy website at veteranshome.stonybrookmedicine.edu/about/privacy-practices.

CHANGES TO THIS JOINT NOTICE OF PRIVACY PRACTICES

The individual entities of the SBOHCA are required by law to comply with this Notice. This Notice can be revised and will be made available upon verbal or written request at any SBOHCA entity site or by contacting the Privacy Office using the contact information listed at the end of this Notice or accessing it online at veteranshome.stonybrookmedicine.edu/about/privacy-practices.

COMPLAINTS

Complaints about this Notice or how we handle your PHI should be directed to the Privacy Office using the contact information at the end of this Notice or at LISVH_HIPAA@LISVH.ORG.

No one will retaliate or take action against you for filing a good-faith complaint.

If you are not satisfied with our response to your privacy complaint or otherwise wish to file a complaint outside of Stony Brook Medicine, you may file a complaint with the Department of Health and Human Services, Office for Civil Rights at hhs.gov/hipaa/filing-a-complaint/index.html, by email at OCRComplaint@hhs.gov, or in writing to: Centralized Case Management Operations, U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Room 509F HHH Bldg., Washington, D.C. 20201.

Long Island State Veterans Home Privacy Office may be contacted at:

100 Patriots Road, Stony Brook, NY 11790-3300
Telephone: (631) 444-8646
Fax: (631) 444-8645
Email: LISVH_HIPAA@LISVH.ORG

Para ver este aviso en español, puede solicitar una copia impresa en el área de registro
o en la recepción.

Amended Notice Effective Date: February 16, 2026

For accessibility-related accommodations, please call (631) 444-8646.