Joint Notice of Privacy Practices
Effective Date: February 16, 2026
This notice describes how medical information about you may be used and disclosed, and how you can get access to this information. Please review this carefully.
Our Responsibilities
UMass Memorial is required by law to maintain the privacy and security of your medical information, provide this notice of our duties and privacy practices, and abide by the terms of the notice currently in effect.
We reserve the right to change privacy practices and make the new practices effective for all the information we maintain. Revised notices will be posted in our facilities, made available by your health care provider, and linked on our website.
We will notify you if your medical information is breached in accordance with the Health Insurance Portability and Accountability Act (HIPAA).
Organized Health Care Arrangement (OHCA)
UMass Memorial participates in an Organized Health Care Arrangement (OHCA) under HIPAA. An OHCA is an arrangement that allows multiple health care organizations and providers to share medical information with one another to support joint activities and improve patient care. Through this arrangement, the UMass Memorial member organizations and physicians listed below are able to share your medical information for purposes of treatment, payment, and health care operations. This joint notice describes the privacy practices that apply to all participating entities within the OHCA, reflecting our commitment to delivering high-quality, coordinated, and efficient care.
These members of our OHCA include, but may not be limited to:
- UMass Memorial Accountable Care Organization, Inc.
- Community Healthlink, Inc.
- UMass Memorial Health – Harrington Hospital, Inc.
- UMass Memorial HealthAlliance-Clinton Hospital, Inc.
- HealthAlliance Home Health and Hospice
- UMass Memorial Medical Center, Inc.
- UMass Memorial Medical Group, Inc.
- UMass Memorial Health - Milford Regional Medical Center, Inc.
- Private physicians, hospital-based
- Private physicians, not hospital-based, but working at our facilities
Use and Disclosure of Medical Information
We may use and disclose your medical information in the following ways:
- Treatment: We document each visit and/or admission. Documentation may include your test results, diagnoses, and medications, and your response to medications or other therapies. This allows your doctors, nurses and other clinical staff to provide the best care to meet your needs.
- Payment: We document the services and supplies you receive at each visit or admission so that you, your insurance company or another third party can pay us. We may tell your health plan about upcoming treatment or services that require its prior approval.
- Health Care Operations: Medical information is used to improve the services we provide, to train workforce members, and for business management, performance improvement and customer service.
- Business Associates: We may also share medical information with a contracted business associate to perform certain functions or activities on our behalf, such as payment and health care operations.
- Health Information Exchanges: UMass Memorial may share your Electronic Medical Record (EMR) with health care providers involved in your care who are not part of UMass Memorial. The EMR system used by UMass Memorial is also used by non-UMass Memorial providers, including certain other hospitals, community physicians, and physician groups (collectively, “External Providers”). Using this EMR system enables UMass Memorial to share your medical information via a Health Information Exchange (HIE) platform. The system enables External Providers to receive your medical information when those External Providers need your UMass Memorial medical information to take care of you or to coordinate your care. Additionally, UMass Memorial participates in TEFCA (Trusted Exchange Framework and Common Agreement) and may share your medical information through national and state HIEs to support your care. You may opt-out of HIE sharing by submitting a written request. Opting out will not affect prior disclosures. Certain reporting, such as immunization data to the Massachusetts Immunization Information System (MIIS), will continue as required by law even if you opt-out of HIE sharing.
We may also use your medical information to:
- Recommend treatment alternatives.
- Tell you about health-related products and services.
- Communicate with family or friends involved in your care.
- Include certain limited information about you in the hospital facility directory if you are hospitalized at one of our facilities. This information includes your name, your location in the hospital, and general condition (like “stable” or “fair”). This information may be disclosed to a person who asks for you by name. Also, we may provide your religious preference, if any, to clergy.
- Contact you about support for fundraising.
You have the right to object to these uses and disclosures.
Additional ways we may use and disclose your medical information:
- For public health activities such as tracking diseases or medical devices.
- To protect victims of abuse or neglect.
- For federal and state health oversight activities such as fraud investigations.
- To governmental licensing/auditing/accrediting agencies.
- For judicial or administrative proceedings.
- If required by law or for law enforcement.
- To coroners, medical examiners, and funeral directors.
- To respond to organ and tissue donation requests.
- To avert a serious threat to public health or safety.
- For disaster relief.
- For specialized government functions such as national security and intelligence.
- To the military if authorized.
- To address workers’ compensation requests.
- To a correctional institution if you are in custody.
- For research. We may tell you about research studies in which you might be interested. You are able to choose whether or not you want to hear more details about any research study.
We may be permitted or required by law to use and disclose your medical information for these purposes.
Other uses and disclosures not described in this notice may be made with your signed authorization. You may revoke this authorization, in writing, at any time.
Use of Artificial Intelligence (AI) in Care and Operations
We may use AI-enabled tools, products and devices to support the delivery of clinical care (e.g., imaging analysis), in patient communications, quality improvement and business operations. AI outputs do not replace clinician judgment; we use human oversight for clinical decision-making. We may use de-identified or limited data sets to develop, validate, or monitor AI tools.
De-Identification
We may de-identify your medical information in accordance with applicable laws. This process removes your name and other direct identifiers, ensuring the information cannot be linked back to you. De-identified data is no longer considered medical information and is not subject to HIPAA or this notice.
Limited Data Sets
We may create a limited data set by removing certain identifying details from your medical information. Limited data sets may be used or disclosed only for research, public health purposes, or health care operations. Any third party receiving a limited data set from us must sign an agreement to safeguard your medical information and use it only for the permitted purposes.
Unsecure Communications
If you choose to communicate with us using unsecure methods—such as regular email (e.g., gmail) or text message—we may respond using the same method and the contact information you provided. Your health care provider may also use these email addresses or phone numbers to send appointment reminders, surveys, or other general information. For your convenience, these messages may be sent without encryption.
Unsecure communications carry risks, including the possibility of interception, misdelivery, access by others sharing your device or account, forwarding, or storage on unsecured devices. We therefore take steps to limit the amount of information contained in these messages. If you do not wish to receive these types of text or email messages, please let us know and we will honor your request. You may also request an alternative, more secure method of communication.
How We May Contact You (Phone, Text, Email)
We may contact you about your health care using the phone numbers and email addresses you provide to us. This may include phone calls, including those made using automated dialing systems, pre-recorded or synthetic voice messages, text messages, or emails. Our communications may include, but are not limited to, appointment reminders, discharge planning, billing matters, prescription reminders, research opportunities, information about our products and services, treatment alternatives, general health information, and regulatory notices provided in lieu of first-class mail.
When we contact you in this manner, you will be given the opportunity to opt out of receiving similar communications going forward. If you prefer not to receive these types of calls, texts, or emails, please notify us and we will honor your request.
Your Rights
You have the right to:
- Inspect and request either a paper or electronic copy of your medical records (fees may apply).*
- Request a correction to your medical information (reason required).*
- Request that we use a specific telephone number or address to communicate with you.
- Request that we limit certain disclosures of your medical information (we are not required to agree to your request).
- Request that we limit certain disclosures of your medical information to your health plan if an item or service is paid in full out of pocket.*
- Receive a list (an accounting) of how your medical information was disclosed (excludes disclosures for treatment, payment, health care operations and some required disclosures; fees may apply).*
- Obtain a paper copy of this notice even if you receive it electronically.
- Register a complaint — see “To Contact Us” section of this notice.
- Opt-Out of our hospital facility directory or fundraising requests.
- Decline (Opt-Out) to share your EMR with health care providers who are not part of UMass Memorial.* Opting-Out will not have any effect on actions taken prior to the date of receipt by UMass Memorial of a signed Opt-Out form.
*Request must be in writing
To Contact Us
If you have questions about this notice, contact the Privacy Office or visit www.ummhealth.org. If you would like to exercise your rights or if you feel your privacy rights have been violated, contact the Privacy Office at:
UMass Memorial Health Care, Inc.
One Biotech 365 Plantation Street
Worcester, MA 01605
Tel: 508-334-5551
Email: privacy@umassmemorial.org
All complaints will be investigated, and you will not suffer retaliation for filing a complaint. You may file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter or visiting https://www.hhs.gov/hipaa/filing-a-complaint/index.html.
Additional Privacy Protections for Substance Use Disorder (SUD) Records (42 C.F.R. PART 2)
We follow federal confidentiality rules for SUD program records. We may rely on one consent that permits future uses and disclosures of your Part 2 records for treatment, payment, and health care operations (TPO). HIPAA-covered entities (and their business associates) that receive your Part 2 records under this consent may redisclose the records as permitted by HIPAA. We will provide a copy of your consent, or an explanation of its scope, with any disclosure made pursuant to your consent. Certain SUD counseling notes require a separate consent similar to HIPAA protections for psychotherapy notes. You may revoke your consent at any time in writing; revocation does not affect prior uses/disclosures made in reliance on your consent. We will not use or disclose Part 2 records, nor testimony describing those records, in any civil, criminal, administrative, or legislative proceeding against you by any federal, state, or local authority, unless specifically authorized by you or by a court order that provides you notice and an opportunity to be heard.
We may disclose Part 2 records without your consent in limited circumstances permitted by law (e.g., medical emergencies; reports of child abuse/neglect; crimes on program premises/against personnel; to qualified service organizations; audits/program evaluations; certain research; and disclosure of de-identified medical information to public health authorities). Breach notification and penalties for Part 2 records are aligned with HIPAA.