Privacy Practices



Hannibal Regional Healthcare System is dedicated to protecting your medical information. The Health Insurance Portability & Accountability Act “HIPAA” contains a Privacy Regulation “HIPAA Privacy Rule,” which requires that we provide detailed notice in writing of our privacy practices. Your Protected Health Information (“PHI”) is information that identifies you and that relates to your past, present, or future health or condition, the provision of health care to you, or payment for that health care. We are required by law to maintain the privacy of your PHI and to give you this Notice about our privacy practices that explains your rights as our patient and how, when, and why we may use or disclose your PHI.

We are required by law to follow the privacy practices described in this Notice, though we reserve the right to change our privacy practices and the terms of this Notice at any time and to apply those changes to all PHI in our possession. If we change our privacy practices and the terms of this Notice, we will post a copy in our office in a prominent location, have copies of the revised Notice available at our offices, and provide you with a copy of the revised Notice upon your request.


This Notice describes Hannibal Regional Healthcare System’s practices regarding the use of your PHI (Protected Health Information) and that of:

Any health care professional authorized to enter information into your hospital chart or medical record, including without limitation, the members of the Hannibal Regional Healthcare System Medical Staff.

All entities, sites, departments and locations of Hannibal Regional Healthcare System, including Hannibal Regional Hospital, Hannibal Regional Medical Group, Clinics, and services provided by Hannibal Regional Hospital received at the James E. Cary Cancer center, you may visit.

All Hannibal Regional Healthcare System entities may share medical information with each other for treatment, payment or healthcare purposes described in this Notice.

Any member of a volunteer group we allow to help you while you are in the hospital.

All employees, staff and other personnel who may need access to your information.


1. Treatment, Payment and Health Care Operations
As described below, we will use or disclose your protected health information for treatment, payment, fundraising or health care operations. The examples below do not list every possible use or disclosure in a category.

Treatment. We may use and disclose PHI about you to provide, coordinate or manage your health care and related services. We may consult with other health care providers regarding your treatment and coordinate and manage your health care with others. For example, we may use and disclose PHI when you need a prescription, lab work, x-ray or other health care services. We may also use and disclose PHI about you when referring you to another health care provider. For example, if you are referred to a physician for treatment after your discharge, we may disclose PHI to your new physician regarding whether you are allergic to any medications. We may also disclose PHI about you for the treatment activities of another health care provider. For example, we may send a report about your care from us to an outside physician so that the other physician may treat you.

Payment. We may use and disclose PHI so that we can bill and collect payment for the treatment and services provided to you. For example, we may send your insurance company a bill for services or release certain medical information to your health insurance company so that it can determine whether your treatment is covered under the terms of your health insurance policy. We also may use and disclose PHI for billing, claims management, and collection activities. We may also disclose PHI to another health care provider or to a company or health plan required to comply with the HIPAA Privacy Rule for the payment activities of that health care provider, company, or health plan. For example, we may allow a health insurance company to review PHI relating to their enrollees to determine the insurance benefits to be paid for their enrollees’ care.

Health Care Operations. We may use and disclose PHI in performing certain business activities which are called health care operations. Some examples of these operations include our business, accounting and management activities. These health care operations also may include quality assurance, utilization review, and internal auditing, such as reviewing and evaluating the skills, qualifications, and performance of health care providers taking care of you and our other patients and providing training programs to help students develop or improve their skills. If another health care provider, company, or health plan that is required to comply with the HIPAA Privacy Rule has or once had a relationship with you, we may disclose PHI about you for certain health care operations of that health care provider or company. For example, such health care operations may include assisting with legal compliance activities of that health care provider or company.

Business Associates. We may use or disclose your PHI to an outside company that assists us in operating our health system. They perform various services for us. This includes, but is not limited to, auditing, accreditation, legal services, and consulting services. These outside companies are called “business associates” and they contract with us to keep any PHI received from us confidential in the same way we do. These companies may create or receive PHI on our behalf.

Fundraising. We may use your PHI in order to raise money for Hannibal Regional Healthcare System. We may provide your PHI to the Hannibal Regional Hospital Foundation for this purpose. We would release contact information only, such as your name, address, phone number, gender, age, dates of service, health insurance status, treating provider, department of service and outcome information. If you do not want Hannibal Regional Hospital Foundation to contact you for fundraising efforts, you must notify our Privacy Officer in writing at the address listed at the end of this notice.

2. Communications to You From Our Office.
We may use or disclose PHI in order to contact you as a reminder that you have an appointment for treatment or medical care, to tell you about or recommend possible treatment options or alternatives that may be of interest to you, or to inform you about health-related benefits or services that may be of interest to you.

3. Communications to Others if You Agree or Do Not Object. We may also use or disclose your PHI in the following circumstances. However, except in emergency situations, we will inform you of our intended action prior to making any such uses and disclosures and will, at that time, offer you the opportunity to object.

Directories. We may maintain a directory of patients that includes your name and location within the facility, your religious designation, and information about your condition in general terms that will not communicate specific medical information about you (e.g., fair, stable, etc.). The directory information, except for your religious affiliation, may also be released to people who ask for you by name. Your religious affiliation may be given to a member of the clergy, such as a priest or rabbi, even if they don’t ask for you by name. This is so that your family, friends and clergy may visit you in the hospital and know your general condition.

Notifications to Family/Friends. We may disclose PHI to your relatives, close friends or any other person identified by you if the PHI is directly related to that person’s involvement in your care or payment for your care. If you are unable to agree or object to such a disclosure, we may disclose such information as necessary if we determine that it is in your best interest based on our professional judgment. We may also use and disclose your health information for the purpose of locating and notifying your relatives or close personal friends of your location, general condition or death, and to organizations that are involved in those tasks during disaster situations.

4.   Right to receive an electronic copy of electronic medical records and/or access to your electronic medical records. You have the right to request an electronic copy of your medical records be given to you or have the records transmitted to another individual or entity, if the records are maintained in an electronic format. We will attempt to provide the electronic copy of your records in the form and format you request, including the patient portal, if it is readily producible. If the record is not readily producible in the form or format requested, it will be provided in a readable electronic form and format or in hard copy form. You may be charged a reasonable, cost-based fee for labor and materials used in making the electronic copy.

5. Other Uses And Disclosures Authorized by the HIPAA Privacy Rule. We may use and disclose PHI about you in the following circumstances, provided that we comply with certain legal conditions set forth in the HIPAA Privacy Rule.

Required By Law. We may use or disclose PHI as required by federal, state, or local law if the disclosure complies with the law and is limited to the requirements of the law.

Public Health Activities. We may disclose PHI to public health authorities or other authorized persons to carry out certain activities related to public health, including to:

Public Health Activities.  We may disclose PHI to public health authorities or authorized persons to carry out certain activities related to public health, including to:

Prevent or control disease, injury or disability or report disease, injury, birth, or death; Report child abuse or neglect;
Report information regarding the quality, safety, or effectiveness of products or activities regulated by the federal Food and Drug Administration;
Notify a person who may have been exposed to a communicable disease in order to control who may be at risk of contracting or spreading the disease; or
Report to employers, under limited circumstances, information related primarily to workplace injuries or illness or workplace medical surveillance.

Abuse, Neglect, or Domestic Violence. We may disclose PHI to proper government authorities if we reasonably believe that a patient has been a victim of domestic violence, abuse, or neglect.

Health Oversight. We may disclose PHI to a health oversight agency for oversight activities including, for example, audits, investigations, inspections, licensure and disciplinary activities and other activities conducted by health oversight agencies to monitor the health care system, government health care programs, and compliance with certain laws.

Legal Proceedings. We may disclose PHI as expressly required by a court or administrative tribunal order or in compliance with state law in response to subpoenas, discovery requests or other legal process when we receive satisfactory assurances that efforts have been made to advise you of the request or to obtain an order protecting the information requested.

Law Enforcement. We may disclose PHI to law enforcement officials under certain specific conditions where the disclosure is:

About a suspected crime victim if the person agrees or, under limited circumstances, we are unable to obtain the person’s agreement because of incapacity or emergency;

To alert law enforcement of a death that we suspect was the result of criminal conduct;

In response to authorized legal process or required by law;

To identify or locate a suspect, fugitive, material witness, or missing person;

About a crime or suspected crime committed on our premises; or

In response to a medical emergency not occurring on our premises, if necessary to report a crime.

Coroners, Medical Examiners or Funeral Directors. We may disclose PHI regarding a deceased patient to a coroner, medical examiner or funeral director so that they may carry out their jobs. We also may disclose such information to a funeral director in reasonable anticipation of a patient’s death.

Organ Donation. We may disclose PHI to organizations that help procure, locate, and transplant organs in order to facilitate organ, eye, or tissue donation and transplantation.

Threat to Health or Safety. In limited circumstances, we may disclose PHI when we have a good faith belief that the disclosure is necessary to prevent a serious and imminent threat to the health or safety of a person or the public.

Specialized Government Functions. We may disclose PHI for certain specialized government functions, such as military and veteran activities, national security and intelligence activities, protective services for the president and others, medical suitability determinations, and for certain correctional institutions or in other law enforcement custodial purposes.

Compliance Review. We are required to disclose PHI to the Secretary of the United States Department of Health and Human Services when requested by the Secretary to review our compliance with the HIPAA Privacy Rule.

Workers’ Compensation. We may disclose PHI in order to comply with laws relating to workers’ compensation or other similar programs.

Shared Medical Record/Health Information Exchanges. HRHS maintains Protected Health Information (PHI) about our patients in shared electronic medical records that allow the HRHS associates to share PHI. We may also participate in various electronic information exchanges that facilitate access to PHI by other health care provides who provide you care. For example, if you are admitted on an emergency basis to another hospital that participates in the health information exchange, the exchange will allow us to make our PHI available electronically to those who need it to treat you.

HRHS participates in an electronic Health Information Exchange (HIE) provided through the Tiger Institute Health Alliance. The HIE facilitates the transmission of your PHI among providers, health plans, or other organizational members of the HIE that are involved in the treatment or payment of your care. The HIE stores your data in a secured repository for members. The health care professionals that access your PHI have established a treatment relationship with you. In order for health care providers to provide the most comprehensive care for patients, the HRHS/Tiger Institute Health Alliance HIE will join other HIEs and Health Networks that may store and contain your PHI. The HIE contains information such as illnesses, injuries, medical history (including hospitalizations), test results, immunizations and medications. Also included are diagnosis, genetic testing, mental and behavioral health treatment records, and drug/alcohol treatment notes.

  • As our patient, your health information is automatically available in the HIE. If you do not wish to have your information shared in the HIE, you must opt-out of the HIE in writing by requesting, completing and signing a form available at any HRHS Patient Registration area.
  • The HIE may also provide critical information about you for other lawful purposes, such as educating providers about who manages the care of others like you.
  • When your specific consent or authorization is required by law to disclose your medical record to others, HRHS will not disclose that information through the HIE without first obtaining your written consent.

Research. We may disclose PHI for research purposes under certain limited circumstances for research projects that have been evaluated and approved through an approval process that takes into account patients’ need for privacy. We must obtain a written authorization to use and disclose PHI about you for research purposes except in situations where a research project meets specific, detailed criteria established by the HIPAA Privacy Rule to ensure the privacy of PHI.

5. Emergencies. We may use or disclose your PHI in an emergency treatment situation in compliance with applicable laws and regulations.

6. With Your Written Authorization. All other uses and disclosures of your PHI will be made only with your written authorization. In addition, most uses and disclosures of psychotherapy notes (where appropriate), uses and disclosures of PHI for marketing purposes, and disclosures that constitute a sale of PHI will require your authorization prior to disclosure. If you have authorized us to use or disclose PHI about you, you may revoke your authorization at any time, except to the extent we have taken action based on the authorization. Most uses and disclosures of psychotherapy notes, uses and disclosures of PHI for marketing purposes and disclosures that constitute the sale of PHI require your written authorization.


The HIPAA Privacy Rule gives you several rights with regard to your PHI. These rights include:

1. Right to Request Restrictions. You have the right to request a restriction or limitation on the PHI we use or disclose about you for treatment, payment or health care operations, or that we disclose to those who may be involved in your care or payment for your care. While we will consider your request, we are not required to agree to it. If we do agree to your request, we will comply with your request except as required by law or for emergency treatment. To request restrictions, you must make your request in writing to our Privacy Officer at the address listed on the last page of this Notice and state the specific restriction requested and to whom you want the restriction to apply. You may request a restriction that your health insurance company not be billed and that no health information be provided to the insurance company. You will then be responsible for payment of those services.

2. Right to Receive Confidential Communications.  You have the right to request that you receive communications regarding PHI in a certain manner or at a certain location. For example, you may request that we contact you at home, rather than at work. You must make your request in writing to our Privacy Officer and specify how you would like to be contacted (for example, by regular mail to your post office box and not your home). We will accommodate all reasonable requests.

3. Right to Inspect and Copy. You have the right to inspect and receive a copy of your PHI contained in records we maintain that may be used to make decisions about your care. These records usually include your medical and billing records but do not include psychotherapy notes; information gathered or prepared for a civil, criminal, or administrative proceeding; or PHI that is subject to law that prohibits access. To inspect and copy your PHI, please contact our Health Information Services Department. If you request a copy of PHI about you, we may charge you a reasonable fee for the copying, postage, labor and supplies used in meeting your request. We may deny your request to inspect and copy PHI only under limited circumstances, and in some cases, a denial of access may be reviewable.

4. Right to Amend. If you feel that medical information we have about you is incorrect or incomplete, you may ask us to amend the information for as long as such information is kept by or for us. You must submit your request to amend in writing to our Health Information Services Department and give us a reason for your request. We may deny your request in certain cases. If your request is denied, you may submit a written statement disagreeing with the denial, which we will keep on file and distribute with all future disclosures of the information to which it relates.

5. Right to Receive an Accounting of Disclosures. You have the right to request a list of certain disclosures of PHI made by us during a specified period of up to six years prior to the request, except disclosures for treatment, payment or health care operations; made to you; for our facility directory; to persons involved in your care or for the purpose of notifying your family or friends of your whereabouts; for national security or intelligence purposes; made pursuant to your written authorization; incidental to another permissible use or disclosure; for certain notification purposes (including national security, intelligence, correctional, and law enforcement purposes); or made before April 14, 2003. If you wish to make such a request, please contact our Health Information Services Department. The first accounting that you request in a 12-month period will be free, but we may charge you for our reasonable costs of providing additional lists in the same 12-month period. We will tell you about these costs, and you may choose to cancel your request at any time before costs are incurred.

6. Right to a Paper Copy of this Notice. You have a right to receive a paper copy of this Notice at any time. You are entitled to a paper copy of this Notice even if you have previously agreed to receive this Notice electronically. To obtain a paper copy of this Notice, please contact our Privacy Officer.

7. Right to be Notified of a Breach. You have the right to be notified in the event that we (or one of our Business Associates) discovers a breach of unsecured protected health information involving your medical information.


If you believe your privacy rights have been violated, you may file a complaint with us, or the Secretary of the United States, Department of Health and Human Services. To file a complaint with our office, please contact our Privacy Officer. We will not take action against you or retaliate against you in any way for filing a complaint.

If you have any questions or need additional information about this Notice, please contact our Privacy Officer.

You may contact our Privacy Officer at the following address and phone number:

Privacy Officer
Hannibal Regional Healthcare System
PO Box 551
Hannibal, MO 63401

This Notice was published and first became effective on April 14, 2003, and was revised effective April 5, 2021.