Notice of Privacy Practices

This notice describes how medical information about you may be used and disclosed, and how you can get access to this information. Please review it carefully.

Effective Date: January 1, 2025

Who We Are

St. Luke Clinic is a volunteer-operated free clinic. We are committed to maintaining the privacy of your Protected Health Information (PHI) as required by the Health Insurance Portability and Accountability Act (HIPAA), 45 C.F.R. Parts 160 and 164.

We are required by law to maintain the privacy of your health information, provide you with this notice of our legal duties and privacy practices, and notify you in the event of a breach of your unsecured protected health information.

How We Use and Disclose Your Information

We may use or disclose your PHI for the following purposes without your written authorization:

  • Treatment — sharing information with physicians, nurses, and other care providers involved in your treatment.
  • Care coordination — coordinating referrals and care with other health care providers or social service agencies.
  • Healthcare operations — quality improvement, staff training, and auditing activities.
  • Required by law — reporting to public health authorities, law enforcement when legally required, or to comply with court orders.
  • Research — only in a de-identified or limited data set form as permitted by HIPAA.

All other uses and disclosures require your written authorization, which you may revoke at any time.

Your Rights as a Patient

You have the following rights with respect to your health information:

  • Right to access — You may inspect and obtain a copy of your health records, with limited exceptions. We will respond within 30 days.
  • Right to amend — You may request a correction to your information if you believe it is inaccurate or incomplete.
  • Right to an accounting of disclosures — You may request a list of certain disclosures of your information made in the last six years.
  • Right to restrict uses — You may ask us to limit how we use or share your information. We are not always required to agree, but will consider all requests.
  • Right to confidential communications — You may request that we contact you only in certain ways or at certain locations.
  • Right to a paper copy of this notice — You may request a paper copy of this notice at any time.

To exercise any of these rights, contact us using the information at the bottom of this page.

Minimum Necessary Standard

We apply the minimum necessary standard for uses and disclosures of PHI, meaning we make reasonable efforts to limit access to only the information needed to accomplish the intended purpose. Access to patient records is role-based, and the application maintains metadata-only audit records for patient-care access and submission events.

Clinic staff access PHI only through the secure admin portal. PHI is never transmitted in unencrypted email.

Security Safeguards

We maintain the following administrative, physical, and technical safeguards:

  • Secure authentication — Clinic staff must authenticate before accessing any PHI. Sessions automatically expire after 15 minutes of inactivity.
  • Role-based access control — Each staff member is granted the minimum access needed for their role.
  • Audit logging — Patient-care access and submission events are recorded with a timestamp and user identity without copying message bodies or clinical text into the audit record.
  • Encryption in transit — All data is transmitted over HTTPS/TLS.
  • Database security — Patient records are stored in a secured database with row-level security policies enforced at the database level.
  • No PHI in email — Clinic notification emails contain only a secure link to the admin portal; no clinical information is transmitted by email.
Breach Notification

We will notify you if we discover a breach of your unsecured protected health information. Notification will be provided without unreasonable delay and in no case later than 60 days after discovery of the breach, as required by the HITECH Act.

Complaints and Contact

If you believe your privacy rights have been violated, you may file a complaint with St. Luke Clinic or with the U.S. Department of Health and Human Services Office for Civil Rights. We will not retaliate against you for filing a complaint.

To contact us: Use the Contact page or speak with a clinic staff member at your next visit.

U.S. Department of Health and Human Services — Office for Civil Rights: hhs.gov/ocr/complaints

This notice was last revised on January 1, 2025. St. Luke Clinic reserves the right to change this notice and make the new notice provisions effective for all protected health information maintained by the clinic. A revised notice will be posted on this page and made available upon request.