Notice of Privacy Practices

A. THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. This Notice of Privacy Practices (Notice) applies to all information about care that you receive from the following:

• University of Michigan Health-Sparrow includes our hospitals, doctors, home health services, pharmacy services, laboratory services, and other related health care providers
• University of Michigan Health-Sparrow participates in organized health care arrangements. These arrangements allow us to share information with other affiliated entities and providers that participate in a clinically integrated setting that allows the sharing information with each other as necessary to carry out treatment, payment, healthcare operations, and other purposes described in this Notice. We do this to provide better care and achieve value; for treatment, payment, and health care operations purposes; and, for joint activities of the participating entities and providers. Examples of current Organized Health Care Arrangements in which UM Health-Sparrow participates are available at https://www.uofmhealthsparrow.org/privacy-policy/notice-privacy-practices/health-info-organizations-exchanges

B. WE ARE REQUIRED TO SAFEGUARD YOUR PROTECTED HEALTH INFORMATION (PHI).

We are committed to protecting the privacy of your health information, called “protected health information” or “PHI”. PHI is information that can be used to identify you that we have created or received about your past, present, or future health or condition, the provision of health care to you, or payment for health care provided to you. We are required to provide you with this notice to explain our privacy practices and how, when, and why we use and disclose your PHI. In general, we may not use or disclose any more of your PHI than is necessary to accomplish the purpose of the use or disclosure, although there are some exceptions. We are legally required to follow the privacy practices described in this notice and notify you following a breach of your unsecured PHI.

C. HOW WE USE AND DISCLOSE YOUR PHI. We use and disclose PHI for different reasons, and some require your prior specific authorization. The different categories of our uses and disclosures are described below, with examples of each.

1. Uses and Disclosures Relating to Treatment, Payment or Health Care Operations Do Not Require Your Consent.

 1.1 For Treatment. We may use and disclose your PHI to physicians, nurses, medical students and other health care personnel who provide health care services to you or who are involved in your care. For example, if you are treated for a knee injury, we may disclose your PHI to the physical therapy provider to coordinate your care.

 1.2 To Obtain Payment. We may use and disclose your PHI to bill and collect payment for the health care services provided to you. For example, our billing department may use some of your PHI and disclose it to your health plan for payment.

 1.3 For Health Care Operations. We may use and disclose your PHI to operate our hospitals, clinics and other health care service facilities. For example, we may use your PHI to review the care provided to you or to evaluate the performance of the health care professionals and processes involved in your care. We may also provide your PHI to University of Michigan units and our business associates that support our health care operations, such as our accountants, attorneys, consultants and other companies. Other examples include educational programs, resolution of internal grievances, business planning, development and management, administrative activities, including data and information systems management, and consolidations with other providers.

2. Use of Artificial Intelligence (AI) Tools for Clinical, Operational and other Purposes,
We use AI technologies to assist in your care and in supporting various health care operations. These tools may help guide our providers with your care and services including clinical decision-making support, scheduling, monitoring, and other functions that support the quality, safety, and delivery of your care. AI tools we use now and, in the future, may also analyze your medical information in order to help our clinicians provide timely, accurate, and effective health care. These tools are used in accordance with applicable laws and regulations, and are used in compliance with security, privacy, and other regulatory and legal requirements.

3. Certain Other Uses and Disclosures That Do Not Require Your Consent. We may also use and disclose your PHI:

 3.1 Business Associates: There are some services provided in our organization through contracts with business associates. Examples include: attorneys, accountants, accreditation agencies and certain laboratory tests. When these services are contracted, we may disclose your health information to our business associates so that they can perform the job we have asked them to do. To protect your health information, we require the business associate to appropriately safeguard your information.

 3.2 When disclosure is required by federal, state or local law, judicial or administrative proceedings, or law enforcement. For example, we make disclosures when a law requires that we report information to government agencies and law enforcement personnel about victims of abuse, neglect or domestic violence, when dealing with gunshot and other wounds, or when ordered in a judicial or administrative proceeding. We will not disclose information to law enforcement unless we have your consent or the legally required paperwork from the law enforcement agency.

 3.3 For public health activities. For example, we must report to government officials in charge of collecting specific information related to births, deaths, and certain diseases and infections. Also, we provide coroners, medical examiners and funeral directors necessary information relating to an individual’s death. Additionally, under Michigan law we are required to report information about patients with certain conditions, such as HIV/AIDS and cancer, to central registries; we also are required to report information about immunizations. We also may disclose PHI to manufacturers of drugs, biologics, devices, and other products regulated by the federal Food and Drug Administration when the information is related to their quality, safety, or effectiveness. PHI also may be disclosed to certain people exposed to communicable diseases and to employers in connection with occupational health and safety or worker’s compensation matters.

 3.4 For health oversight activities. For example, we will provide information to government officials to conduct an investigation or inspection of a health care provider or organization.

 3.5 For purposes of organ donation. We may provide information to organ procurement organizations to assist them in organ, eye or tissue donation and transplants.

 3.6 For research purposes. In certain circumstances, we may use or provide PHI to conduct research. This research generally is subject to oversight by an institutional review board. In most cases, while PHI may be used to help prepare a research project or to contact you to ask whether you want to participate in a study, it will not be further disclosed for research without your authorization. However, where permitted under federal law, institutional policy and approved by an institutional review board or a privacy board, PHI may be further used or disclosed. In addition, PHI may be used or disclosed for research as “limited or de-identified data sets” which do not include your name, address or other direct identifiers.

 3.7 To avoid harm. To avoid a serious threat to the health or safety of a person or the public, we may provide PHI to law enforcement personnel or persons able to prevent or lessen the potential harm.

 3.8 For specific government functions. We may disclose the PHI of military personnel and veterans in certain situations. We also may disclose PHI for national security purposes, such as protecting the president of the United States or conducting intelligence operations.

 3.9 For workers’ compensation purposes. We may provide PHI to comply with workers’ compensation laws.

 3.10 To provide appointment reminders and health-related benefits or services. We may use PHI to provide appointment reminders and notifications of other health-related benefits or services. We may communicate with you through various methods, and we may use the phone numbers (including mobile) and email addresses we have on file to send you phone calls, emails, text messages, or other communications related to your care such as sending you appointment or check-up reminders, information about upcoming health screening events, information about research, or to contact you to ask for feedback regarding your care. These messages may be sent using automated dialing and/or pre-recorded messages. You have the right to opt out of receiving these messages. If you send us unencrypted emails or texts for any purpose, you understand there are security risks in doing so and you accept those risks.

 3.11 For fundraising activities. We may use PHI to raise funds for our organization. You have the right to opt out of receiving fundraising communications.

4. Re-Disclosure of Substance Use Disorder (Part 2) Records. If you receive care from a Substance Use Disorder (Part 2) treatment program, the program may send your Part 2 records to University of Michigan Health-Sparrow with your written consent. Part 2 records that are disclosed to University of Michigan Health-Sparrow pursuant to your written consent for treatment, payment and health care operations may be further disclosed by University of Michigan Health-Sparrow without your written consent, to the extent that HIPAA regulations permit such disclosure.

5. Uses and Disclosures to Which You Have an Opportunity to Object.

 5.1 Patient directories. We may include your name, general condition, location in a University of Michigan Health-Sparrow facility, and religious affiliation (if any) in our patient directory for use by clergy and others who ask for you by name, unless you object in whole or in part when you are admitted to our facilities.

 5.2 Disclosure to family, friends, or others. We may provide your PHI to a family member, friend or other persons who are involved in your care or responsible for the payment for your health care, unless you object in whole or in part.

 5.3 Electronic Records and Health Information Exchanges. Your health information will be stored in our electronic medical records systems, including Epic, and is made available to providers and hospitals across UM Health-Sparrow so your care community can provide treatment services to you. We also may make your PHI available electronically through health information exchanges (HIEs) to other health care providers, health plans and health care clearinghouses. Participation in HIEs also lets us see their information about you which helps us provide care to you. You have the right to opt out of participating in such efforts by contacting the person listed at the end of this notice.

6. Applicable Michigan Law. Our use and disclosure of PHI must comply not only with federal privacy regulations but also with applicable Federal and Michigan law. Michigan law and/or Federal Regulations place certain additional restrictions on the use and disclosure of PHI for mental health, substance abuse, HIV/AIDS conditions, and certain genetic information. In some instances, your specific authorization may be required. All Other Uses and Disclosures Require Your Prior Written Authorization. In situations that are not covered by this Notice, your written authorization is needed before using or disclosing your PHI, including most uses and disclosures of psychotherapy notes (if recorded or maintained by us), financially-supported marketing of 3rd party products or services, and the sale of PHI, unless otherwise specified by law. Your authorization can always be revoked in writing (but it would not apply to prior disclosures made based on your initial authorization).

7. Use of De-identified Information. We may use and disclose information that has been de-identified, meaning it does not include your name, address, or other individual details that could directly identify you, in accordance with federal law. De-identified data may be used for purposes such as research, quality improvement, analytics, training of computer systems (including AI and machine learning tools), and operational activities. Once your information has been de-identified, it is no longer considered protected health information under HIPAA and is not subject to the same privacy protections.

D. YOUR RIGHTS REGARDING YOUR PHI. You have the following rights with respect to your PHI:

1. The Right to Request Restrictions on Uses and Disclosures of Your PHI. You have the right to ask us to limit how we use and disclose your PHI for treatment, payment or health care operations. This request must be in writing. We are not required to agree to your restriction request, but if we do, we will honor our agreement except in cases of an emergency or in cases where we are legally required or allowed to make a use or disclosure. We are required, however, to agree to a written request to restrict disclosure of your PHI to a health plan if the disclosure is for payment or health care operations and is not otherwise required by law, and your PHI pertains solely to a health care item or service for which you have paid in full and out of pocket. Also, you may request us to limit PHI disclosures to family members, other relatives, or close friends involved in your care or payment for it.

2. The Right to Request Confidential Communications Involving Your PHI. You can ask in writing to send information to you in a certain way or location. For example, you can request we mail PHI to a Post Office Box rather than your home. We must agree to your request so long as we can easily provide it in the format you requested.

3. The Right to Receive Copies of Your PHI. In most cases you have the right to receive copies of your PHI, such as health or billing records, used by us to make decisions about you. You must make the request in writing. We will respond within 30 days after receiving your written request, and we may charge a reasonable fee. In certain situations, we may deny your request, but we will do so in writing, and we will provide our reasons for the denial and explain your right to have the denial reviewed.

4. The Right to Get a List of the Disclosures We Have Made. You have the right to get a list of instances in which we have disclosed your PHI ( an Accounting of Disclosures.) This right does not apply to certain disclosures such as those made for treatment, payment or health care operations, disclosures made to you or to others involved in your care, disclosures made with your authorization, or disclosures made for national security or intelligence purposes or to correctional institutions or law enforcement purposes. Your request for an Accounting of Disclosures must be made in writing to the person and address below. We will respond within 60 days of receiving your request by providing a list of disclosures made within the last six years from the receipt date of your request, unless a shorter time period is requested. If you make more than one request in the same year, we may charge a fee.

5. The Right to Amend or Update Your PHI. If you believe your PHI is incorrect or incomplete, you have the right to request us to add to or amend the existing information. Your request must be in writing and must include the reason for your request. We will respond within 60 days of receiving your request. We may deny your request in writing if the PHI (i) is correct and complete, (ii) was not created by us, (iii) is not allowed to be disclosed, or (iv) is not part of our records. Our denial will include the reason(s) for the denial and will explain your right to file a written statement of disagreement. If you don’t file a written statement of disagreement, you have the right to request that your amendment request and our denial be attached to your PHI. If your amendment request is approved, we will make the change to your PHI and let you know it has been completed. An amendment may take several forms, such as an explanatory statement added to your record.

6.The Right to a Copy of this Notice. You have a right to request a paper copy of this Notice be mailed to you. It is also available at https://www.uofmhealthsparrow.org/privacy-policy/notice-privacy-practic…

E. WHO YOU CAN CONTACT FOR INFORMATION ABOUT THIS NOTICE OR OUR PRIVACY PRACTICES. If you have questions about this Notice or complaints about our privacy practices, or if you would like to know how to file a complaint with the Office for Civil Rights of the U.S. Department of Health and Human Services, you can contact our Privacy Director toll free at 734-615-4400. You will not be penalized for filing your complaint. Written complaints must be submitted to:

University of Michigan Health System
Privacy Director
1500 E. Medical Center Drive
Ann Arbor, MI 48109-5729

We may change our privacy practices at any time. Before we make an important change, we will revise this Notice and post it in our facilities and on our website at: https://www.uofmhealthsparrow.org/privacy-policy/notice-privacy-practices

F. EFFECTIVE DATE OF THIS NOTICE: September 23, 2013, revised November 28, 2016, March 29, 2018, November 21, 2024, December 10, 2024, July 1, 2025, and January 9, 2026.