Notice of Privacy Practices

Last updated: 01/03/2024

Effective Date: April 14, 2003

If you have any questions about this notice, please contact the hospital’s Privacy Officer at 954-771-8000.

Holy Cross Hospital, Inc. is required by the Health Insurance Portability and Accountability Act of 1996, and the Health Information Technology for Economic and Clinical Health Act (found in Title XIII of the American Recovery and Reinvestment Act of 2009) (collectively referred to as “HIPAA”), as amended from time to time, to maintain the privacy of individually identifiable patient health information (this information is “protected health information” and is referred to herein as “PHI”). We are also required to provide patients with a Notice of Privacy Practices regarding PHI. We will only use or disclose your PHI as permitted or required by applicable state law. This Notice applies to your PHI in our possession including the medical records generated by us.

Holy Cross Hospital, Inc. understands that your health information is highly personal, and we are committed to safeguarding your privacy. Please read this Notice of Privacy Practices thoroughly. It describes how we will use and disclose your PHI.

This Notice applies to the delivery of health care by all Holy Cross Hospital subsidiaries. It applies to:

  • Any healthcare professional authorized to enter information into your medical record.
  • All departments and units of the hospitals and other subsidiaries.
  • Any member of a volunteer group we allow to help you.
  • All employees, staff, students and other Holy Cross Hospital personnel.

Holy Cross Hospital, Inc. and Trinity Health, a Catholic healthcare system with facilities located in multiple states throughout the United States, follow the terms of this notice. In addition, the above persons, entities, sites, and locations may share PHI with each other for treatment, payment, or health care operations purposes as described in this notice.


The following categories describe different ways that we use and disclose medical information. For each category of uses or disclosures we will explain what we mean and try to give some examples. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one of these categories.

For Treatment | We may use and disclose your PHI to provide you with medical treatment or services. We may disclose your PHI to doctors, nurses, technicians, students, pastoral care representatives, or other personnel who are involved in your care. For example, a doctor treating you for a broken hip may need to know if you have diabetes because diabetes may slow the healing process. In addition, the doctor may need to tell the dietitian if you have diabetes so that we can arrange for appropriate meals. If you are hospitalized, we also may disclose your PHI to people outside the hospital who may be involved in your medical care after you leave the hospital, such as family members, clergy and pastoral care, nursing homes, home health agencies or others we use to provide services that are part of your care, such as therapists or physicians. We may also use and/or disclose your PHI to tell you about treatment alternatives or other health-related benefits or services that may be of interest to you.

For Payment| We may use and disclose your PHI so that the treatment and services you receive from the health system may be billed to and payment may be collected from you, an insurance company, or a third party. For example, we may need to give your health plan information about the treatment you received or will receive so your health plan will pay us or reimburse you for the treatment. We may also disclose your PHI to another provider, such as a physician, for payment purposes.

For Healthcare Operations | We use and disclose your PHI for our health care operations, which at Holy Cross Hospital, Inc. includes internal administration and planning and various activities that improve the quality and cost-effectiveness of the care that we deliver to you. For example, we may use your PHI to review our treatment and services and to evaluate the performance of our staff in caring for you. We may also combine medical information about many patients to decide what additional services we should offer, what services are not needed, and whether certain new treatments are effective. We may also disclose information to doctors, nurses, technicians, students, and other personnel for review and learning purposes. We may also disclose your PHI to other providers that have a relationship with you for purposes of quality improvement, peer review and other activities. We may also call you by name in a waiting room. We may use or disclose your information, as necessary, to contact you to remind you of an appointment. We will share your information with third party “business associates” that perform various activities (e.g. billing, transcription, software assistance) for the health system.

Fundraising Activities | We may use information about you to contact you in an effort to raise money for the hospitals and other subsidiaries. We may disclose information to a foundation related to the hospitals or health system so that the foundation may contact you in raising money. We may disclose your demographic information, the dates you received treatment or services, your treating physician, department of service and outcome information. Any fundraising communication sent to you will let you know how you can exercise your right to opt out of receiving similar communications in the future.

Hospital Directory | Unless you tell us otherwise, we will include certain limited information about you in the hospital directory while you are an inpatient at the hospital. This information may include your name, location in the hospital, your general condition (e.g., fair, stable, etc.), and your religious affiliation. The directory information, except for your religious affiliation, may also be released to people who ask for you by name. Your religious affiliation may be given to a member of the clergy, such as a priest or rabbi, even if they don’t ask for you by name. This is so your family, friends, and clergy can visit you in the hospital and generally know how you are doing. You have the right to request that your name not be included in the directory by indicating your preference on the Patient Consent Form or notifying the Privacy Officer in writing. If you opt-out of the facility directory, we cannot inform visitors of your presence, location or general condition. We may also disclose facility directory information to the media (excluding religious affiliation) if the media requests information about you using your name and after we have given you an opportunity to agree or object.

Individuals Involved in Your Care or Payment for Your Care | We may disclose your PHI to a friend or family member who is involved in or paying for your medical care. This would include persons named in any durable health care power of attorney or similar document provided to us. You have a right to request that your information not be shared with some or all of your family or friends. In addition, we may disclose your PHI to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status, and location. More Stringent State and Federal Laws. The state of Florida is more stringent than HIPAA in several areas. Certain federal laws also are more stringent than HIPAA. Holy Cross Hospital, Inc. will continue to abide by these more stringent state and federal laws.

A. More Stringent Federal Laws. The federal laws include applicable internet privacy laws, such as the Children’s Online Privacy Protection Act and the federal laws and regulations governing the confidentiality of health information regarding substance abuse treatment.

B. More Stringent State Laws | State law is more stringent when the individual is entitled to greater access to records than under HIPAA. State law also is more restrictive when the records are more protected from disclosure by state law than under HIPAA. In cases where we provide treatment to a patient who resides in a neighboring state, we will abide by the more stringent applicable state law.

Health Information Exchange. If a statewide or regional health information exchange (“HIE”) operates in this state we will share your health records electronically with the exchange for the purposes of improving the overall quality of health care services provided to you (e.g., avoids unnecessary duplicate testing). The electronic health records will include sensitive diagnoses such as HIV/ AIDS, sexually transmitted diseases, genetic information, and mental health substance abuse, etc. The HIE is functioning as our business associate and, in acting on our behalf, the HIE will transmit, maintain and store your PHI for treatment, payment and health care operation purposes. The HIE has a duty to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality and integrity of your medical information. State law may provide you rights to restrict, opt-in or opt-out of the exchange. For more information please contact our Privacy Officer.

Marketing Subject to certain limited exceptions, your written authorization is required in cases where we receive any direct or indirect financial remuneration in exchange for making the communication to you which encourages you to purchase a product or service or for a disclosure to a third party who wants to market their products or services to you.

Research | We will obtain your written authorization to use or disclose your PHI for research purposes when required by HIPAA. However, we may use or disclose your PHI without your specific authorization if the research approval process of our Institutional Review Board (“IRB”) has waived the authorization requirement. The IRB is a committee that oversees and approves research involving living humans. Sensitive PHI | Federal and state laws require special privacy protections for certain highly confidential information about you.

This includes PHI: (1) maintained in psychotherapy notes; (2) documenting mental health and developmental disabilities services; (3) regarding drug and alcohol abuse, prevention, treatment and referral; (4) relating to HIV/AIDS testing, diagnosis or treatment and other sexually transmitted diseases; and (5) genetic testing. Generally, we must obtain your written authorization to release this type of information. However, there are limited circumstances under the law when this information may be released without your consent. For example, certain sexually transmitted diseases must be reported to the Department of Health.

Sale of PHI | Subject to certain limited exceptions, disclosures that constitute a sale of PHI require your written authorization.

Other Uses and Disclosures | Any other uses and disclosures of PHI not covered by this notice or the laws that apply to us will be made only with your written authorization. You may revoke that authorization in writing, at any time. You understand that we are unable to take back any disclosures we have already made with your authorization.

Organ and Tissue Donation | We will disclose PHI to an organ procurement organization or entity for organ, eye or tissue donation purposes.

Public Health Oversight or Safety | We may use and disclose PHI for public health activities or to avert a serious threat to health and safety of a person or the public. Examples include disclosures of PHI to state investigators regarding the quality of care or to public health agencies regarding immunizations, communicable diseases, etc. We will use and disclose PHI for activities related to the quality, safety or effectiveness of FDA-regulated products or activities, including collecting and reporting adverse events, tracking and facilitating product recalls, etc.

Law Enforcement Purposes | We will disclose your PHI to the police or other law enforcement officials as required by law, such as identifying a criminal suspect or a missing person, or providing information about a crime victim or criminal conduct.

Required by Law | We will disclose PHI about you when required by federal, state or local law. Examples include disclosures in response to a court order/subpoena, mandatory state reporting (e.g. gunshot wounds, victims of child abuse or neglect), or information necessary to comply with other laws such as workers’ compensation or similar laws. We will report drug diversion and information related to fraudulent prescription activity to law enforcement and regulatory agencies.

Coroners, Medical Examiners, and Funeral Directors | We may disclose PHI to a coroner or medical examiner, for example, to identify a deceased person or determine the cause of death. We may also disclose PHI about deceased patients to funeral directors, consistent with applicable law and as necessary to carry out their duties.

Aversion of a Serious Threat to Health or Safety | We may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if we, in good faith, believe the use or disclosure is necessary to prevent or lessen a serious or imminent threat to the health or safety of anyone or is necessary for law enforcement authorities to identify or apprehend an individual who was involved in a violent crime or who has escaped from a correctional institution or from lawful custody.

Specialized Government Functions | We will disclose your PHI regarding government functions such as military, national security and intelligence activities, as authorized by law. We will use and disclose PHI to the Department of Veterans Affairs to determine whether you are eligible for certain benefits.

Immunizations | We will disclose proof of immunization to a school where the state or other similar law requires it prior to admitting a student.

Inmates | If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may disclose your PHI to the correctional institution or law enforcement official.

You have the following rights regarding the medical information we maintain about you:

Right to Inspect and Copy | You have the right to access, inspect and copy your PHI as long as we maintain the data. Usually, this includes medical and billing records, but does not include psychotherapy notes and other mental health records under certain circumstances.

To inspect and copy your PHI, you must submit your request in writing to the Health Information Management Department of the hospital or other entity. You will be charged a reasonable copying fee in accordance with applicable federal or state law. You also have the right to request your PHI in electronic format in cases where we utilize electronic health records. You may also access information via the patient portal if made available by Holy Cross Hospital, Inc.

We may deny your request to inspect and copy your PHI in certain very limited circumstances such as when your physician determines that for medical reasons this is not advisable. If you are denied access to your PHI, you may request that the denial be reviewed.

Right to Amend | If you feel that the PHI we have about you is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment. Your request must be made in writing and submitted to the Health Information Management Department. We will comply with your request unless we believe that the information to be amended is accurate and complete or other special circumstances apply.

Right to an Accounting of Disclosures | You have a right to receive an accounting of the disclosures of your PHI that we have made, except for the following disclosures:

  • To carry out treatment, payment or health care operations
  • To you
  • To persons involved in your care
  • For national security or intelligence purposes or
  • To correctional institutions or law enforcement officials

You must submit your request for an accounting of disclosures in writing to the Health Information Management Department. Your request must state a time period that may not be longer than six years. In any given 12-month period, we will provide you with an accounting of the disclosures of your PHI at no charge. Any additional requests for an accounting within that time period will be subject to a reasonable fee for preparing the accounting.

Right to Request Restrictions | You have the right to request a restriction on the PHI we use or disclose about you for treatment, payment, or healthcare operations. You also have the right to request a limit on the PHI we disclose about you to someone who is involved in your care or the payment for your care, like a family member or friend.

We are not required to agree to your request. If we do agree, we will comply with your request unless the information is needed to provide you with emergency treatment. To request restrictions, you must make your request in writing to the Privacy Officer. In your request, you must tell us (1) what information you want to limit; (2) whether you want to limit our use, disclosure, or both; and (3) to whom you want the limits to apply, for example, disclosures to your spouse.

Right to Request Restrictions to a Health Plan | You have the right to request a restriction on disclosure of your PHI to a health plan (for purposes of payment or health care operations) in cases where you paid out of pocket, in full, for the items received or services rendered.

Right to Confidential Communications | You may request and we will accommodate any reasonable written request for you to receive your PHI by alternative means of communication or at alternative locations. Contact the Privacy Officer if you require such confidential information.

Right to a Paper Copy of This Notice | You have the right to a paper copy of this Notice of Privacy Practices upon request.

If a breach of unsecured PHI affecting you occurs, Holy Cross Hospital, Inc. is required to notify you of the breach.

In the course of providing care to you and in furtherance of Holy Cross Hospital’s mission to improve the health of the community, we will share your PHI with other organizations as described below who have agreed to abide by the terms described below:

Medical Staff | The medical staff and Holy Cross Hospital, Inc. participate together in an organized health care arrangement to deliver health care to you. Both Holy Cross Hospital, Inc. and medical staff have agreed to abide by the terms of this Notice with respect to PHI created or received as part of delivery of health care to you by Holy Cross Hospital Physicians and allied health care professionals who are members of Holy Cross Hospital medical staff will have access to and use your PHI for treatment, payment and health care operations purposes related to your care within Holy Cross Hospital, Inc. We will disclose your PHI to the medical staff and allied health professionals for treatment, payment and health care operations.

Membership in Trinity Health | Holy Cross Hospital, Inc. and members of Trinity Health participate together in an organized health care arrangement for utilization review and quality assessment activities. We have agreed to abide by the terms of this Notice with respect to PHI created or received as part of utilization review and quality assessment activities of Trinity Health and its members.

Members of Trinity Health will abide by the terms of their own Notice of Privacy Practices in using your PHI for treatment, payment or healthcare operations. As a part of Trinity Health, a national Catholic health care system, Holy Cross Hospital, Inc. and other hospitals, nursing homes, and health care providers in Trinity Health share your PHI for utilization review and quality assessment activities of Trinity Health, the parent company, and its members. Members of Trinity Health also use your PHI for your treatment, payment to Holy Cross Hospital, Inc. and/or for the health care operations permitted by HIPAA with respect to our mutual patients. Please go to Trinity Health’s websites for a listing of member organizations at Or you can all our Privacy Official to request the same.

Business Associates | We will share your PHI with business associates and their Subcontractors contracted to perform business functions on Holy Cross Hospital’s behalf, including Trinity Health which performs certain business functions for Holy Cross Hospital.

We reserve the right to change this notice. We reserve the right to make the revised or changed notice effective for the PHI we already have about you as well as any information we receive in the future. We will post a copy of the current notice in the hospitals and other subsidiaries and on our website at www.

If you believe your privacy rights have been violated, you may file a complaint with the Holy Cross Hospital, Inc. Privacy Officer by calling 954-771-8000 and/or Florida Department of Health’s Inspector General by calling 850-245-4141 and/or with the U.S. Department of Health and Human Services at 877-696-6775.

The complaint must be in writing, describe the acts or omissions that you believe violate your privacy rights, and be filed within 180 days of when you knew or should have known that the act or omission occurred. Holy Cross Hospital, Inc. and The Florida Department of Health will not retaliate against you for filing a complaint.

You will not be retaliated against for filing a complaint.