If you have any questions about this Notice of Privacy Practices, contact Mahaska Health Privacy Officer at 1229 C Avenue East, Oskaloosa, Iowa 52577. Phone: 641.672.3375, ext. 2111, or email compliance@mahaskahealth.org.

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Mahaska Health is required by the Health Insurance Portability and Accountability Act, as amended, (“HIPAA”) to maintain the privacy of your Protected Health Information (“PHI”), to provide you with this Notice of our legal duties and privacy practices, and to abide by the terms of this Notice currently in effect.

Protected Health Information (PHI) includes information about your past, present, or future physical or mental health condition, the provision of health care to you, and payment for that care. PHI may include information related to mental health diagnosis and treatment, substance use disorder (SUD) services that we provide or coordinate, and HIV/AIDS testing and treatment.

PERMITTED USES AND DISCLOSURES OF PHI

Mahaska Health may use and disclose your PHI for the purposes of treatment, payment, and health care operations as described below.

The following categories describe ways that Mahaska Health is permitted to use and disclose health care information. Not every use or disclosure is listed; however, all uses and disclosures will fall within one of these categories.

1) Treatment

Mahaska Health may use and disclose your PHI to provide, coordinate, or manage your health care and related services.

This includes coordination or management of your care with another health care provider. For example:

  • Disclosing PHI to a home health agency providing services to you.
  • Providing information to a specialist or facility to which you have been referred.
  • Sharing relevant SUD-related PHI with other treating providers to ensure safe and appropriate care.

2) Payment

Mahaska Health may use and disclose your PHI so that the treatment and services you receive may be billed and payment collected from you, an insurance company, or a third party.

For example:

  • Determining eligibility or coverage.
  • Obtaining prior authorization.
  • Conducting utilization review.
  • Billing and collection activities.

This may include disclosure of SUD-related PHI as necessary to obtain payment or authorization, as permitted by HIPAA and other applicable laws.

3) Health Care Operations

Mahaska Health may use or disclose your PHI to support our business activities. These activities include, but are not limited to:

  • Quality assessment and improvement activities
  • Licensing and accreditation
  • Employee review and training
  • Compliance and auditing activities
  • Business planning and development

We may contact you to remind you of appointments or provide information about treatment alternatives or health-related benefits and services that may be of interest to you.

Mahaska Health may share your PHI with third-party “business associates” that perform services for us (such as billing or transcription). We maintain written agreements requiring business associates to protect your PHI.

Any use or disclosure of your PHI for treatment, payment or health care operations as described above must also be consistent with, and allowed by, applicable law, including any more stringent state law and 42 C.F.R. part 2. 

USES AND DISCLOSURES REQUIRING YOUR WRITTEN AUTHORIZATION

Other uses and disclosures of your PHI will be made only with your written authorization unless otherwise permitted or required by law.

You may revoke your authorization at any time in writing, except to the extent Mahaska Health has already acted in reliance upon it.

We will not:

  • Use or disclose your PHI for marketing purposes without your written authorization (except for face-to-face communications or promotional gifts of nominal value).
  • Sell your PHI without your written authorization. Sale of PHI is defined by law and does not include payment for your treatment.
  • Disclose psychotherapy notes without your express written authorization, except as permitted by law.

Psychotherapy notes receive special protection under HIPAA and may not be disclosed without specific authorization, except for limited treatment, training, defense in legal proceedings, or other legally permitted uses.

USES AND DISCLOSURES WHERE YOU MAY AGREE OR OBJECT

1) Individuals Involved in Your Care

Unless you object, Mahaska Health may disclose relevant PHI to a family member, relative, close friend, or other person you identify as involved in your care or payment for your care.

If you are unable to agree or object, we may disclose relevant information if we determine, using professional judgment, that it is in your best interest.

We may also:

  • Notify family or responsible parties of your location, general condition, or death.
  • Disclose information to disaster relief organizations.

2) Emergencies

Mahaska Health may use or disclose your PHI in emergency treatment situations. We will attempt to obtain your acknowledgment of receipt of this Notice as soon as reasonably practicable.

 

OTHER PERMITTED OR REQUIRED USES AND DISCLOSURES WITHOUT AUTHORIZATION

Mahaska Health may use or disclose your PHI without your authorization in the following circumstances:

  1. Required by Law – When required by federal or state law.
  2. Public Health Activities – To public health authorities to control disease, injury, or disability.
  3. Communicable Diseases – To individuals at risk of exposure, as authorized by law.
  4. Health Oversight Activities – For audits, inspections, investigations, and licensure.
  5. Abuse or Neglect – To appropriate governmental authorities.
  6. Food and Drug Administration – For product recalls or adverse event reporting.
  7. Legal Proceedings – In response to court orders or lawful processes.
  8. Law Enforcement – For specified law enforcement purposes.
  9. Coroners, Medical Examiners, Funeral Directors, and Organ Donation – As authorized by law.
  10. Research – When approved by an Institutional Review Board with privacy protections in place.
  11. Serious Threat to Health or Safety – To prevent or lessen a serious and imminent threat.
  12. Military and National Security – As authorized by law.
  13. Workers’ Compensation – As required to comply with applicable laws.
  14. Compliance Investigations – To the Secretary of the Department of Health and Human Services as required.

These permitted disclosures may include SUD-related PHI where allowed by HIPAA and other applicable laws, including 42 C.F.R. Part 2 and Iowa law.

MORE STRINGENT LAWS

Some of your PHI may be subject to other laws and regulations and afforded greater protection than what is outlined in this Notice. For instance, HIV/AIDS, mental health, and substance use records are given more protection under Iowa law. In the event your PHI is afforded greater protection under federal or state law, we will comply with the more stringent law.

  • SUD Records. SUD treatment records received from programs subject to 42 C.F.R. part 2, or testimony relaying the content of such records (referred to herein as “Part 2 Covered Records”) are subject to additional protections and requirements under 42 C.F.R part 2. Part 2 Covered Records will not be used or disclosed in civil, criminal, administrative or legislative proceedings against you unless: (a) you authorize the use or disclosure by signing a valid authorization or (b) we receive a court order after notice and an opportunity to be heard is provided to you or the holder of the record as provided in 42 C.F.R. part 2. A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested record is used or disclosed.

 

Mahaska Health is not itself a Part 2 covered program; however, it may receive Part 2 Covered Records in the care and treatment of patients. To the extent Mahaska Health receives Part 2 Covered Records, any use or disclosure of the Part 2 Covered Record will be consistent with 42 C.F.R part 2.

FUNDRAISING

We may use your Protected Health Information for the purpose of contacting you as part of a hospital based fundraising effort. Such contact could come from Mahaska Health, an affiliated organization such as a foundation or a business associate. Information used as part of this fundraising activity may include demographic information such as name, address, age, gender, date of birth, department of service, your treating physician, outcome information and your health insurance status. If you do not wish to be contacted for fundraising activities, you may contact Amanda Doud, Foundation Director at 641.676.7420 to have your name removed from our fundraising list. Part 2 Covered Records will not be used or disclosed by Mahaska Health for fundraising activities unless you are first provided with a clear and conspicuous opportunity to elect not to receive fundraising communications.

REDISCLOSURE

Information disclosed by Mahaska Health may be subject to redisclosure by the recipient and may no longer be protected by HIPAA unless the recipient is also required to comply with HIPAA or other applicable confidentiality laws.

YOUR RIGHTS

You have the following rights regarding your PHI:

Right to Inspect and Copy

You may inspect and obtain a copy of your PHI in a designated record set, except for:

  • Psychotherapy notes
  • Information compiled in anticipation of litigation
  • Information restricted by law

Right to Request Restrictions

You may request restrictions on the use or disclosure of your PHI. We are not required to agree except when:

  • You request restriction of disclosure to a health plan for payment or operations purposes, and
  • The item or service has been paid in full out-of-pocket.

Right to Confidential Communications

You may request communications by alternative means or locations.

Right to Amend

You may request amendment of your PHI if you believe it is incorrect or incomplete.

Right to an Accounting of Disclosures

You may request a list of certain disclosures made for purposes other than treatment, payment, or health care operations.

Right to a Paper Copy

You may request a paper copy of this Notice at any time.

MAHASKA HEALTH’S DUTIES

Mahaska Health is required by law to:

  • Maintain the privacy of your PHI
  • Provide this Notice
  • Abide by the terms of this Notice
  • Notify you following a breach of unsecured PHI within 60 days of discovery

We reserve the right to revise this Notice and make changes effective for all PHI we maintain. Revised Notices will be posted and available at our service locations.

COMPLAINTS

If you believe your privacy rights have been violated, you may file a complaint with:

Mahaska Health Privacy Officer
1229 C Avenue East
Oskaloosa, Iowa
641.672.3375 ext. 2111 or by emailing compliance@mahaskahealth.org

You may also file a complaint with the Secretary of the U.S. Department of Health and Human Services, by calling 1-877-696-6775 or sending a letter to 200 Independence Avenue SW, Washington, D.C. 20201.

Mahaska Health will not retaliate against you for filing a complaint.

Revised 02/15/2026