Privacy & HIPAA

Uses and disclosures of protected health information

Notice of Data Breach

May 2, 2023

Methodist Family Health (“MFH”) experienced a data breach on March 4, 2023, that was first detected on March 6, 2023. After a thorough investigation, we have determined that a variety of documents a business associate uses to provide pharmacy services containing protected health information (“PHI”) were accessed and copied without authorization. The types of information involved in the breach included, in some instances, full name, date of birth, date of admission or treatment, home address, account number, diagnosis, service charges, or medication information. Through our internal investigation and our consultations with and examinations by outside cybersecurity and privacy specialists, we have determined that soon after the breach was detected, unauthorized access was terminated, and additional measures were taken to strengthen privacy and data security. We continuously review and update our internal processes and procedures and will implement suggested guidance. Our additional cybersecurity measures are specifically designed to ensure the safety and security of patients’ PHI. We take safeguarding our patients’ PHI very seriously and will continue to strive to fully protect all privacy interests of our clientele.

How to Further Protect Yourself and Your Information

We understand that protecting yourself from any potential harm due to this breach is of vital importance to you, as it is to us. As a precautionary measure, we recommend that you remain vigilant by reviewing your account statements and credit reports closely. If you detect any suspicious activity on an account, you should promptly notify the financial institution or company with which the account is maintained. You also should promptly report any fraudulent activity or any suspected incidence of identity theft to proper law enforcement authorities, your state attorney general, and/or the Federal Trade Commission.

To file a complaint with the FTC, go to www.ftc.gov/idtheft or call 1-877-ID-THEFT (877-438-4338). Complaints filed with the FTC will be added to the FTC’s Identity Theft Data Clearinghouse, which is a database made available to law enforcement agencies.

You may also obtain a free copy of your credit report from each of the three major credit reporting agencies once every 12 months by visiting https://www.annualcreditreport.com, calling toll-free (877) 322-8228, or by completing an Annual Credit Report Request Form and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348. You can print a copy of the request form at:
https://www.annualcreditreport.com/cra/requestformfinal.pdf.

You can also elect to purchase a copy of your credit report by contacting one of the three national credit reporting agencies. Contact information for the three national credit reporting agencies for the purpose of requesting a copy of your credit report or for general inquiries is provided below:

Equifax
(800) 685-1111
www.equifax.com
P.O. Box 740241
Atlanta, GA 30374

Experian
(888) 397-3742
www.experian.com
535 Anton Blvd., Suite 100
Costa Mesa, CA 92626

TransUnion
(800) 916-8800
www.transunion.com
P.O. Box 6790
Fullerton, CA 92834

Other Important Information

  • You may want to put a security freeze on your credit file. A security freeze (also known as a credit freeze) makes it harder for someone to open a new account in your name. It is designed to prevent potential creditors from accessing your credit report without your consent. As a result, using a security freeze may interfere with or delay your ability to apply for a new credit card, wireless phone, or any service that requires a credit check. You must separately place a security freeze on your credit file with each credit reporting agency. To place a security freeze, you may be required to provide the consumer reporting agency with information that identifies you, including your full name, social security number, date of birth, current and previous addresses, a copy of your state-issued identification card, and a recent utility bill, bank statement or insurance statement. There is no charge to request a security freeze or to remove a security freeze.
  • File Police Report: You have the right to file or obtain a police report if you experience identity fraud. Please note that to file a crime report or incident report with law enforcement for identity theft, you will likely need to provide proof you have been a victim. A police report is often required to dispute fraudulent items. You can report suspected incidents of identity theft to local law enforcement or to the Attorney General. For Arkansas residents, the Attorney General can be contacted at 323 Center Street, Suite 200, Little Rock, Arkansas, 72201 (501) 682-2007 or (800) 482-8982 or oag@ArkansasAG.gov or https://arkansasag.gov/.
  • Federal Trade Commission and Attorney General: You can further educate yourself regarding identity theft, fraud alerts, security freezes and the steps you can take to protect yourself, by contacting the consumer reporting agencies, the Federal Trade Commission, or the Arkansas Attorney General. The Federal Trade Commission can be reached at 600 Pennsylvania Avenue NW, Washington, DC 20580, www.identitytheft.gov, 1-877-ID-THEFT (1-877-438-4338), TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover their information has been misused to file a complaint with them. You can obtain further information on how to file such a complaint by way of the contact information listed above.

How to Contact MFH:

Our representatives are available to answer any questions or concerns that may arise. For further information and assistance, we have a toll-free number available: 1-866-813-3388—ask for the Chief Privacy Officer.


Your Privacy

The Notice of Privacy Practices (NPP) describes uses and disclosures of a patient’s “Protected Health Information” (PHI) regarding treatment, payment or healthcare operations and for other purposes permitted or required by law, and a patient’s right to access and control PHI, including demographics: identity of patient; past, present or future physical or mental health or condition and/or related healthcare services.

Methodist Children’s Home (MCH), Methodist Behavioral Hospital (MBH), Methodist Counseling Clinic (MCC), and Arkansas C.A.R.E.S. will abide by the terms of the NPP and may at any time change the terms of the notice; the change will be effective for all PHI maintained at the time of the change. A revised NPP will be provided on request by mail or email.

Who Will Follow This Notice?

This Notice describes the practices of our programs associated with the Methodist Children’s Home (MCH), the Methodist Behavioral Hospital (MBH), Methodist Counseling Clinic (MCC) and Arkansas C.A.R.E.S. These programs may share medical information for treatment, payment or operations as described in this notice. Any healthcare professional associated with the Methodist Family Health system — employees, staff and other personnel authorized to enter information into the patient’s file or record — will follow the terms of the NPP.

The Patient’s Rights

This notice describes how medical information about you may be disclosed and how you can get access to this information. Please review it carefully. You have the right to:
  • Obtain a paper copy of this Notice
  • Inspect and copy the patient’s PHI contained in a designated record set (medical/billing records and other records used for decisions about the patient).
  • Request a restriction on certain uses and disclosures of PHI, but we are not required to agree to your restrictions. Your restriction request must be in writing.
  • Request and receive confidential communications by alternative means or at an alternative location; the System will accommodate reasonable requests made in writing that may ask for the following information: (1) how payments will be handled (2) specification of alternative address or other contact methods (3) explanation for the request.
  • Amend your PHI; requests for amending PHI may be made for as long as the System maintains the information. If denied due to certain situations, you have the right to file a statement of disagreement and prepare a rebuttal.
  • Accounting of disclosures; specific disclosure information may be received (after April 14, 2003) with certain exceptions, restrictions and limitations.
  • Revoke your authorization to use or disclose protected health information except to the extent that action has already been taken.
To inspect or obtain a copy of your records, complete an authorization/release form and send the request to the Health Information Management Department. All other requests must be sent to the Chief Privacy Officer.

Uses and Disclosures of PHI

Uses and Disclosures of Protected Health Information Based upon Written Consent:

  • Treatment: Coordinate or manage the patient’s healthcare and related services including a third party with prior permission to access patient’s PHI. Examples: home health agencies, other treating and referral physicians, healthcare providers, specialists or laboratories.
  • Payment: Obtain payment for healthcare services. Examples: eligibility and utilization review procedures for health insurance plans and the hospital admissions process.
  • Healthcare Operations:
    (1) Support business activities of patient’s physician’s practice. Examples: quality assessment activities, employee review activities, training of medical students, licensing, marketing and fundraising activities, and conducting or arranging for other activities such as appointment reminders and calling patient’s name in waiting room on admittance or discharge.
    (2) Share with third party “business associates” who perform billing, transcription services and other activities.
    (3) Provide as necessary alternative treatment information or other health-related benefits and services.
    (4) Provide the System marketing procedures: name, address used for newsletter notifying of practices and services; information about beneficial products and services; demographics and patient treatment dates used to contact patients for fundraising activities; Chief Privacy Officer (CPO) contact information provided to request these materials not be sent to you. MCH, MCC, AR C.A.R.E.S. and MBH may use or disclose PHI with its subsidiaries within the applicable Continuum of Care.
  • Business Associates: We may share some of your PHI with outside people or companies who provide services for Methodist, such as off-site storage of PHI.
  • Based Upon Your Written Authorization: Written authorization required, unless otherwise permitted or required by law as described below. You may revoke authorization, at any time, in writing, except to the extent that the patient’s physician or physician’s practice has taken an action in reliance on the use or disclosure indicated in the authorization.
  • Other Permitted and Required Uses and Disclosures That May Be Made With Your Consent, Authorization or Opportunity to Object: If parent/guardian is not present or able to agree or object to the use or disclosure of the PHI, then physician may use professional judgment to determine whether the disclosure is in the patient’s best interest and only PHI that is relevant to the patient’s healthcare will be disclosed.
  • Others Involved in The Patient’s Healthcare: Without parental/guardian objection, family members, close friends and others designated by parent/guardian may be placed on Authorization Contact List to assist
    (1) with notification to family, personal representatives or others responsible for the patient’s care of the patient’s location, general condition or death.
    (2) in disaster relief efforts and coordination to family or other individuals involved in patient’s healthcare. If parent/guardian is not present or able to agree or object to the use or disclosure of the PHI, then physician may use professional judgment to determine whether the disclosure is in the patient’s best interest and only PHI that is relevant to the patient’s healthcare will be disclosed.
  • Emergencies: The patient’s physician during emergency treatment situations shall try to obtain consent as soon as reasonably practicable after the delivery of treatment. If the physician is required by law to treat the patient and attempted to obtain consent but was unable to obtain it, the physician may use PHI to treat the patient.
  • Communication Barriers: If attempts to obtain consent are unsuccessful due to substantial communication barriers, the physician, using professional judgment, will determine parent/guardian’s intentions concerning PHI.
  • Other Permitted and Required Uses and Disclosures That May Be Made Without Your Consent, Authorization or Opportunity to Object
  • Required By Law: PHI will be in compliance with the law and limited to the relevant requirements of the law.
  • Public Health: PHI may be disclosed for public health activities/authorities that are permitted by law to collect or receive the information for the purpose of controlling disease, injury or disability or if directed by the public health authority, to a foreign government agency that is collaborating with the public health authority.
  • Communicable Diseases: PHI disclosures are made if authorized by law, to a person possibly exposed to a communicable disease or at risk of contracting or spreading the disease or condition.
  • Health Oversight: PHI may be disclosed to oversight agency (healthcare systems, government benefit programs, governmental regulatory programs and civil rights laws) for activities authorized by law, such as audits, investigations, and inspections.
  • Abuse or Neglect: PHI disclosures authorized by law allow a public health authority to receive reports of child abuse or neglect. The System, in accordance with federal and state laws, may disclose to a governmental entity or authorized agency the patient’s PHI if abuse, neglect or domestic violence is suspected.
  • Food and Drug Administration: PHI may be disclosed to a person or company required by the Food and Drug Administration to report adverse events, product defects or problems, biologic product deviations and to track products, enable product recalls, repairs or replacements, and/or to conduct post marketing surveillance.
  • Legal Proceedings: PHI may be disclosed in the course of any judicial or administrative proceeding, in response to an order of a court or administrative tribunal (to the extent such disclosure is expressly authorized), in response to a subpoena, discovery request or other lawful process.
  • Law Enforcement: PHI may be disclosed if applicable legal requirements are met:
    (1) legal processes,
    (2) limited information requests for identification and location purposes,
    (3) pertaining to victims of a crime,
    (4) suspicion that death has occurred as a result of criminal conduct,
    (5) crime occurs on the premises of the System, and
    (6) medical emergency not on the System premises that demonstrates a crime has occurred.
  • Coroners, Funeral Directors, and Organ Donation: PHI may be disclosed for identification purposes, determining cause of death or for the coroner or medical examiner to perform other duties authorized by law. PHI may be disclosed to permit the funeral director to carry out their duties. The System may disclose such information in reasonable anticipation of death and for cadaveric organ, eye or tissue donation purposes.
  • Research: The System may provide PHI to researchers when an institutional review board has evaluated the research proposal and ensured the patient’s privacy through established protocols.
  • Criminal Activity: Under federal and state laws, the System may disclose the patient’s PHI to prevent or lessen a serious and imminent threat to the health or safety of a person or the public and to assist law enforcement authorities to identify or apprehend an individual.
  • Military Activity and National Security: PHI may be disclosed to Armed Forces personnel:
    (1) activities deemed necessary by appropriate military command authorities;
    (2) the purpose of a determination by the Department of Veterans Affairs of the patient’s eligibility for benefits,
    (3) foreign military authority if patient is member of foreign military services,
    (4) authorized federal officials for conducting national security and intelligence activities, including for the provision of protective services to the President or others legally authorized.
  • Workers’ Compensation: PHI may be disclosed to comply with workers’ compensation laws and other similar legally established programs.
  • Inmates: PHI may be disclosed if the patient has been an inmate in a correctional facility and the patient’s physician created or received the patient’s PHI in the course of providing care.
  • Required Uses and Disclosures: Under the law, the System must make disclosures to you and when required by the Secretary of the Department of Health and Human Services to investigate or determine our compliance with the requirements of Section 164.500 et seq.

Complaints

If you believe your privacy rights have been violated, please contact the Methodist Children’s Home, Arkansas C.A.R.E.S., Methodist Counseling Clinic and Methodist Behavioral Hospital and/or the Office for Civil Rights, Region VI (U.S. Department of Health & Human Services):

Office for Civil Rights
U.S. Department of HHS
1301 Young Street, Suite 1169
Dallas, TX 75202
(214) 767-4056; (214) 767-8940
(214) 767-0432 Fax

You may contact our Chief Privacy Officer or Chief Security Officer for further information about the complaint process.

Jennifer Horner, RHIA
Chief Privacy Officer
Methodist Behavioral Hospital
1601 Murphy Drive
Maumelle, AR 72113
(501) 803-3388 Ext. 8129
Toll free 866-813-3388
jhorner@methodistfamily.org

Keven Burress
Chief Security Officer
Methodist Family Health
1600 Aldersgate Road, Suite 200
Little Rock, AR 72205
(501) 661-0720, Ext. 7312
Toll free 800-756-3709
kburress@methodistfamily.org

To receive a full copy of the notice you may request it from Methodist Family Health via paper or electronic version.

This notice was published and effective on April 14, 2003.

Updated March 2012.

Visit Request Medical Records to obtain yours.