Health Insurance Portability and Accountability Act

Student Health Services San Francisco State University

Effective Date: July 23, 2007

Amended July 11, 2012

Amended September 13, 2013

Amended April 20, 2015

Amended June 1, 2016


This Notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

San Francisco State University Student Health Services is committed to preserving the privacy and confidentiality of protected health information (PHI). California and Federal laws and regulations require the SHS safeguard the privacy of your protected health information (PHI). PHI is any information in the medical record or that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service.

We are also required by law to provide you with this Notice of Privacy Practices. This Notice provides you with information regarding our privacy practices and applies to all of your health information created and/or maintained at the SHS, including any information that we receive from other health care providers or facilities. This Notice describes the ways in which we may use or disclose your health information and also describes your rights and our obligations concerning such uses or disclosures.

We are required to abide by the terms of this Notice, including any future revisions that the SHS may make as required or authorized by law. We reserve the right to change this Notice and to make the revised or changed Notice effective for health information we already have about you as well as any information we receive in the future. The SHS posts a copy of the most current Notice, identified by its effective date and any amended dates, in our clinic and on the SHS website The SHS also has hard copies of the current Notice available upon request.

The privacy practices described in this Notice will be adhered to by:

  1. Any health care professional authorized to enter information into your medical record created and/or maintained at our clinic;
  2. All employees, independent contractors, students, residents, and other service providers who have access to your health information at our clinic; and
  3. Any member of a volunteer group that is allowed to assist you while receiving services at our clinic.

The individuals identified above may share your health information for purposes of treatment, payment, and health care operations, as further described in the Notice.

Student Health Services collects health information about you and stores it in paper records, on SHS computers and back up hardware. The medical record (paper and electronic data) is the property of the SHS medical practice, but the information in the medical record belongs to the patient. The law permits the SHS to use or disclose your health information for the following purposes:


  1. Treatment. The SHS uses medical information about you to provide your medical care. We disclose medical information to our employees and others who are involved in providing the care you need. For example, we may share your medical information with other physicians, health care providers or health facilities to assist, coordinate or manage your treatment or health care management. We may also share your medical information with the staff of a pharmacy or a clinical laboratory so that they may dispense your medicines or perform diagnostic tests.
  2. Payment. We use and disclose medical information about you to obtain payment for the services we provide. For example, we may give your health plan, e.g. Family PACT, the information it requires before it will reimburse the SHS for services, supplies and medicines. We may also disclose information to other health care providers to assist them in obtaining payment for services they have provided to you.
  3. Health Care Operations. We may use or disclose your health information in order to perform the necessary administrative, educational, quality assurance, accreditation and business functions of the SHS. For example, we may use your health information to evaluate the performance of our staff in caring for you or to evaluate medical errors and other patient safety events so as to improve patient safety and the provisions of quality health care. We may also share your information with other health care providers, health care clearinghouses or health plans that have a relationship with you, when they request this information to help them with their quality improvement activities, training programs, accreditation, certification or licensing activities, or with their health care fraud and abuse detection and compliance efforts.
  4. Appointment Reminders. We may use and disclose medical information to contact and remind you about appointments. We will send appointment reminders to your designated SF State email account which will usually be an email address.
  5. Sign in sheet. We may use and disclose medical information about you by having you sign in when you arrive at our office. We may also call out your name when we are ready to see you.
  6. Notification and Communication With Persons Involved In Your Care. As a general rule, we do not disclose your visits to the SHS, or the reasons for your visits, to others, including spouses, parents, friends or officials of the University. We may disclose your health information to individuals, such as family members and friends, who are involved in your care. We may make such disclosures when: (a) we have your verbal agreement to do so; (b) or when you are given the opportunity you do not object; or (c) we can infer from the circumstances that you would not object to such disclosures. For example, if your roommate comes into the exam room with you, we will assume that you agree to our disclosure of your information while your roommate is present in the room. We also may disclose your health information to family members or friends in instances when you are unable to agree or object to such disclosures, provided that in our professional judgment it is in your best interest to make such disclosures and the disclosures relate to that family member or friend's involvement in your care. For example, if you are brought to the SHS in an emergency and you are unable to communicate your wishes, we may share information with the family member or friend that comes with you to our clinic. We may also disclose medical information about a minor to a parent, guardian or other person responsible for the minor except in limited circumstances when such information is protected by law.
  7. Required by law. We will use and disclose your health information whenever we are required by law to do so, but we will limit our use or disclosure to the relevant requirements of the law. When the law requires us to report abuse, neglect, or domestic violence, or respond to judicial or administrative proceedings, or to law enforcement officials, we will further comply with the requirement set forth below concerning those activities. For example we will disclose information when the law requires us to report an assault, abuse, neglect or domestic violence, or respond to court or administrative agency orders including subpoenas.
    • Public health. We may and are sometimes required by law, to disclose your health information to public health authorities for purposes related to: preventing or controlling disease, injury, or disability; reporting child, elder or dependent adult abuse or neglect; reporting domestic violence; reporting to the Food and Drug Administration problems with products and reactions to medications; and reporting a disease or infection exposure. For example we may report exposure to a communicable disease such as an STD or TB to the Public Health Department to help prevent the spread of the disease.
    • Health Oversight Activities. We may and are sometimes required by law, to disclose your health information to health oversight agencies responsible for oversight of the health care system or certain government programs during the course of audits, investigations, inspections licensure and other proceedings, subject to the limitations imposed by Federal and California law. For example we may disclose a client's health information to Family PACT (a California State reproductive services program) to help them complete their audits, investigations or inspections.
    • Judicial and Administrative Proceedings. We may and are sometimes required by law, to disclose your health information in the course of any administrative or judicial proceedings to the extent expressly authorized by a court or administrative order. We may also disclose your health information in response to a subpoena, a discovery request, or other lawful process if reasonable efforts have been made to notify you of the request for disclosure and you have not objected or if your objections have been resolved by a court or administrative order.
    • Law enforcement. We may and are sometimes required by law, to disclose certain specific health information to a law enforcement official for purposes such as identifying or locating a suspect, fugitive, material witness or missing person, complying with a court order, warrant grand jury subpoena and other law enforcement purposes. For example we may disclose limited medical information about you to a police officer if expressly authorized by law if you have suffered a violent injury such as stabbing or gunshot wound.
    • Public Safety. We may and are sometimes required by law, to disclose your health information to appropriate persons in order to prevent or lessen a serious and imminent threat to the health or safety of a particular person or the general public. For example we may disclose your health information to law enforcement or health professionals if your physical or mental health poses a risk to yourself or others.
    • Coroners or Medical Examiners. We may and are sometimes required by law, to disclose your health information to a coroner or medical examiner in connection with their investigation of deaths.
    • Specialized government functions. We may disclose your health information for military or national security purposes or to correctional institutions or law enforcement officers that have you in their lawful custody.
    • Worker's compensation. We may disclose your health information as necessary to comply with workers' compensation laws. For example we will file a Doctors First Report of Occupational Injury or Illness with your employer's workers' compensation insurance carrier or the insured employer when you are examined in the SHS for a work-related illness or injury. To the extent your care is covered by worker's compensation we will make periodic reports to your employer about your condition.
    • Change of Ownership. In the event that this medical practice is sold or merged with another organization, your health information/record will become the property of the new owner, although you will maintain the right to request that copies of your health information be transferred to another physician or medical group.

Except as described in this Notice of Privacy Practices, Student Health Services will not use, sell or disclose health information which identifies you without your written authorization. If you do authorize the Student Health Service to use or disclose your health information for another purpose, you may revoke your authorization in writing at any time.

  1. Right to Request Special Privacy Protections. You have the right to request restrictions on certain uses and disclosures of your health information by a written request specifying what information you want to limit, and what limitations on our use or disclosure of that information you wish to have imposed. We reserve the right to accept or reject your request, and will notify you of our decision. For example, you could ask that we not use or disclose information regarding a particular treatment that you received.     You have a right to restrict disclosures of protected health information to a health plan with respect to health care for which you have paid out of pocket in full.
  2. Right to Request Confidential Communications. You have the right to request that you receive your health information in a specific way or at a specific location. For example, you may ask that we send information to your work address. We will comply with all reasonable requests submitted in writing which specify how or where you wish to receive these communications.
  3. Right to Inspect and Copy. You have the right to inspect and copy your health information, with limited exceptions. To access your medical information, you must submit a written request detailing what information you want access to and whether you want to inspect it or get a copy of it. We will charge a reasonable fee, as allowed by California and Federal law. We may deny your request under limited circumstances including legal restrictions and/or California and Federal law. If you are denied access to your health information, you may request that the denial be reviewed.  You have a right to request a copy of your electronic medical record in an electronic form.
  4. Right to Amend or Supplement. You have the right to request an amendment of your health information that you believe is incorrect or incomplete. You must make a request to amend in writing, and include the reasons you believe the information is incorrect or incomplete. We are not required to change your health information, and will provide you with information about this practice's denial and how you can disagree with the denial . We may deny your request if we do not have the information, if we did not create the information (unless the person or entity that created the information is no longer available to make the amendment), if you would not be permitted to inspect or copy the information at issue, or the information is accurate and complete as is. You also have the right to request that we add to your record a statement of up to 250 words concerning any statement or item you believe to be incomplete or incorrect.
  5. Right to an Accounting of Disclosures. You have a right to receive an accounting of disclosures of your health information made by this medical practice, except that this medical practice does not have to account for the disclosures provided to you or pursuant to your written authorization , or as described in paragraphs 1 (treatment), 2 (payment), 3 (health care operations), 6 (notification and communication with family)and 16 (specialized government functions) of Section A of this Notice of Privacy Practices or disclosures for purposes of research or public health which exclude direct patient identifiers or which are incident to a use or disclosure otherwise permitted or authorized by law, or the disclosures to a health oversight agency or law enforcement official to the extent this medical practice has received notice from that agency or official that providing this accounting would be reasonably likely to impede their activities.
  6. Right to a Paper Copy of this Notice. You have a right to a paper copy of this Notice of Privacy Practices, even if you have previously requested its receipt by e-mail.
  7. In the event that a breach occurs, you have the right to receive notification of any unauthorized disclosure of your protected health information.

We reserve the right to amend this Notice of Privacy Practices at any time in the future. Until such amendment is made, we are required by law to comply with this Notice. After an amendment is made, the revised Notice of Privacy Protections will apply to all protected health information that we maintain, regardless of when it was created or received. We will keep a copy of the current notice posted in our reception area, and a copy will be available at each appointment.

Within the CSU, the HIPAA Privacy Rule is enforced by the CSU HIPAA Privacy Official within Human Resources Management (HRM), in the Chancellor's Office.

If you have any questions regarding this Notice of Privacy Practices or wish to receive additional information about this medical practice's privacy practices, please contact the Privacy Official.

The HIPAA Privacy rule requires appropriate safeguards to protect the privacy of personal health information (PHI), including individual medical records and sets limits and conditions on the uses and disclosures that may be made of such information.  At the CSU, the HIPAA Privacy Rule is enforced by the CSU HIPAA Privacy Official within Human Resources Management (HRM), in the Chancellor's Office:

CSU HIPAA Privacy Official
Brenda Glasco
CSU Office of the Chancellor, Human Resources Management
401 Golden Shore, Long Beach, CA 90802
Phone: (562) 951-4413
Facsimile: (562) 951-4954


If you believe your privacy rights have been violated, you may file a formal complaint with the Privacy Official or with the Secretary of the Department of Health and Human Services:

Department of Health and Human Services

Office of Civil Rights

Hubert H. Humphrey Bldg.

200 Independence Avenue, S.W.

Room 509F HHH Building

Washington, DC 20201

You will not be penalized for filing a complaint.