
For Wistar Employees

Notice of Privacy Practices



The Wistar Institute Benefits Program (the “Plan”) is committed to protecting the privacy of your Protected Health Information (“PHI”). PHI is information collected, maintained, used and/or disclosed by the Plan, including demographic information, that may identify you and that relates to health care services provided to you, the payment of health care services provided to you, or your physical or mental health or condition, in the past, present or future. The Plan also pledges to provide you with certain rights related to your PHI.

By this Notice of Privacy Practices (“Notice”), the Plan informs you that it has the following legal obligations under the federal health privacy provisions contained in the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act and the related regulations (collectively, “HIPAA”):

  • to maintain the privacy of your PHI;
  • to provide you with this Notice of its legal duties and privacy practices with respect to your PHI; and
  • to follow the terms of this Notice currently in effect.

This Notice also informs you how the Plan uses and discloses your PHI and explains the rights that you have with regard to your PHI maintained by the Plan. For purposes of this Notice, “you” and “yours” refer to participants and dependents who are eligible for benefits described under the Plan.

Information Subject to this Notice

The Plan collects certain PHI about you to help provide health benefits to you, as well as to fulfill legal requirements. The Plan may collect this information, which identifies you, from applications and other forms that you complete, through conversations you may have with the Plan’s administrative staff and health care providers, and from reports and data provided to the Plan by health care service providers or other employee benefit plans. The PHI that the Plan has about you includes, among other things, your name, address, phone number, birth date, social security number, and medical and health claims information. This is the information that is subject to the privacy practices described in this Notice.

This Notice does not apply to health information collected or maintained by The Wistar Institute (the “Company”) on behalf of the non-health employee benefits that it sponsors, including disability benefits, life insurance, accidental death and dismemberment insurance, and workers’ compensation insurance.

This Notice also does not apply to health information that the Company requests, receives, and maintains about you for employment purposes, such as employment testing, or determining your eligibility for medical leave benefits under the Family and Medical Leave Act or disability accommodations under the Americans With Disabilities Act.


Except as described in this section, as provided for by federal, state or local law, or as you have otherwise authorized, the Plan only uses and discloses your PHI for the administration of the Plan and for processing claims. The uses and disclosures that do not require your written authorization are described below.


  1. For Treatment. The Plan may use and disclose your PHI to a health care provider, such as a hospital or physician, to assist the provider in treating you. For example, if the Plan maintains information about interactions between your prescription medications, the Plan may disclose this information to your health care provider for your treatment purposes.
  2. For Payment. The Plan may use and disclose your PHI so that your claims for health care services can be paid according to its terms. For example, if the Plan has a question about payment for health care services that you received, the Plan may contact your health care provider for additional information.
  3. For Health Care Operations. The Plan may use or disclose your PHI so it can operate efficiently and in the best interests of its participants. For example, the Plan may disclose PHI to its auditors to conduct an audit involving the accuracy of claim payments.


The Plan may disclose your PHI to third parties that assist the Plan in its operations. For example, the Plan may share your PHI with a business associate if the business associate is responsible for paying medical claims for the Plan. The Plan’s business associates have the same obligation to keep your PHI confidential as the Plan does. The Plan must require its business associates to ensure that your PHI is protected from unauthorized use or disclosure.


The Plan may disclose your PHI, without your consent, to the Company for administration purposes, such as determining the amount of benefits you or your eligible dependent is entitled to from the Plan, determining or investigating facts that are relevant to a benefit claim, determining whether your benefits should be terminated or suspended, performing duties that relate to the establishment, maintenance, administration and/or amendment of the Plan, communicating with you about the status of claims, recovering any overpayment or mistaken payments made to you, and handling issues related to subrogation and third party claims.

The Company has designated an employee to represent the Plan. This employee is the Privacy Officer. Any PHI that you discuss with this Company employee while s/he is performing duties that are related to the Plan is subject to the privacy practices described in this Notice.


HIPAA provides for specific uses or disclosures of your PHI that the Plan may make without your authorization, as follows:

  1. Required by Law. The Plan may use and disclose PHI about you as required by federal, state or local law. For example, the Plan may disclose your PHI for the following purposes:
    • For judicial and administrative proceedings pursuant to court or administrative order, legal process and authority.
    • To report information related to victims of abuse, neglect, or domestic violence.
    • To assist law enforcement officials in their law enforcement duties.
  2. Health and Safety. Your PHI may be disclosed to avert a threat to the health or safety of you, any other person, or the public, pursuant to applicable law. Your PHI also may be disclosed for public health activities, such as preventing or controlling disease or disability.
  3. Government Functions. Your PHI may be disclosed to the government for specialized government functions, such as intelligence, national security activities, and protection of public officials. Your PHI also may be disclosed to health oversight agencies that monitor the health care system for audits, investigation, licensure, and other oversight activities.
  4. Active Members of the Military and Veterans. Your PHI may be used or disclosed to comply with laws related to military service or veterans’ affairs.
  5. Workers’ Compensation. Your PHI may be used or disclosed in order to comply with laws related to Workers’ Compensation.
  6. Emergency Situations. Your PHI may be used or disclosed to a family member or close personal friend involved in your care in the event of an emergency, or to a disaster relief entity in the event of a disaster.
  7. Others Involved In Your Care. In limited instances, your PHI may be used or disclosed to a family member, close personal friend, or others who the Plan has verified are involved in your care or payment for your care. For example, if you are seriously injured and unable to discuss your case with the Plan, the Plan may so disclose your PHI. Also, upon request, the Plan may advise a family member or close personal friend about your general condition, location (such as in the hospital) or death. If you do not want this information to be shared, you may request that these disclosures be restricted as outlined later in this Notice.
  8. Personal Representatives. Your PHI may be disclosed to people you have authorized or people who have the right to act on your behalf. Examples of personal representatives are parents for minors, and those who have Power of Attorney for adults.
  9. Treatment and Health-Related Benefits Information. The Plan and its business associates may contact you to provide information about treatment alternatives or other health-related benefits and services that may interest you, including, for example, alternative treatment, services or medication.
  10. Research. Under certain circumstances, the Plan may use or disclose your PHI for research purposes, as long as the procedures required by law to protect the privacy of the research data are followed.
  11. Organ and Tissue Donation. If you are an organ donor, your PHI may be used or disclosed to an organ donor, eye, or procurement organization to facilitate an organ or tissue donation or transplantation.
  12. Deceased Individuals. The PHI of a deceased individual may be disclosed to coroners, medical examiners, and funeral directors so that those professionals can perform their duties.


The Plan is prohibited from using or disclosing your genetic information for underwriting purposes.


Most uses or disclosures of psychotherapy notes (where applicable), uses and disclosures of PHI for marketing purposes and disclosures that constitute the sale of PHI require an authorization. Uses and disclosures of your PHI other than those described above will be made only with your express written authorization. You may revoke your authorization in writing. If you do so, the Plan will not use or disclose your PHI subject to the revoked authorization, except to the extent that the Plan already has relied on your authorization.

Once your PHI has been disclosed pursuant to your authorization, HIPAA protections may no longer apply to the disclosed health information, and that information may be re-disclosed by the recipient without your or the Plan’s knowledge or authorization.

Your Health Information Rights

You have the following rights regarding your PHI that the Plan collects and maintains. You are required to submit a written request related to these rights, as described below, and you should address such requests to HIPAA Privacy Officer, The Wistar Institute, 3601 Spruce Street, Philadelphia, PA 19104, 215-898-3765.


You have the right to inspect and obtain a copy of your health record. This includes, among other things, PHI about your plan coverages, claim records, and billing records. To inspect and copy your health record maintained by the Plan, submit your request in writing to the Privacy Officer at the address above. The Plan charges a fee of $1.00 per page for the cost of copying your health record, and charges you the cost of mailing your health record to you. If your health record is maintained electronically, you have the right to receive such electronic PHI in the electronic form and format you request if it is readily producible or, if not, in a readable electronic form and format agreed to by you and the Plan. The Plan may charge you for the cost of any electronic media (other than email) used to provide your electronic PHI. In certain limited circumstances, the Plan may deny your request to inspect and copy your health record. If the Plan does so, it will inform you in writing. In certain instances, if you are denied access to your health record, you may request a review of the denial.


You have the right to request that the Plan communicate your PHI to you in confidence by alternative means or in an alternative location. For example, you can ask that the Plan only contact you at work or by mail, or that the Plan provide you with access to your PHI at a specific location. To request confidential communications by alternative means or at an alternative location, submit your request in writing to the Privacy Officer at the address above. Your written request should state the reason(s) for your request and the alternative means by or location at which you would like to receive your PHI. If appropriate, your request should state that the disclosure of all or part of your PHI by non-confidential communications could endanger you. The Plan will accommodate reasonable requests and will notify you appropriately.


You have the right to request that the Plan amend your PHI if you believe the information is incorrect or incomplete. To request an amendment, submit a detailed request in writing to the Privacy Officer at the address above and provide the reason(s) that support your request. The Plan may deny your request if you have asked to amend information that:

  • Was not created by the Plan, unless you provide the Plan with information that the person or entity that created the information is no longer available to make the amendment;
  • Is not part of your PHI maintained by or for the Plan;
  • Is not part of the information which you would be permitted to inspect and copy; or
  • Is accurate and complete.

The Plan will notify you in writing as to whether it accepts or denies your request for an amendment to your PHI. If the Plan denies your request, it will explain the reason(s) for the denial, and describe how you can continue to pursue the denied amendment.


You have the right to receive a written accounting of disclosures. The accounting is a list of disclosures of your PHI by the Plan to others, except that disclosures for treatment, payment or health care operations, disclosures made to or authorized by you, and certain other disclosures are not part of the accounting. The accounting covers up to six years prior to the date of your request.

To request an accounting of disclosures, submit your request in writing to the Privacy Officer at the address above. If you want an accounting that covers a time period of less than six years, please state that in your request. The first accounting that you request within a twelve month period will be free. For additional accountings in a twelve month period, the Plan will charge you for the cost of providing the accounting, but the Plan will notify you of the cost involved before processing the accounting so that you can decide whether to withdraw your request before any costs are incurred.


You have the right to request restrictions on your PHI that the Plan uses or discloses about you to carry out treatment, payment or health care operations. Also, you have the right to request restrictions on your PHI that the Plan discloses to someone who is involved in your care or the payment for your care, such as a family member or friend. The Plan is not required to agree to your request for such restrictions, and the Plan may terminate its agreement to the restrictions you requested. To request restrictions, submit your request in writing to the Privacy Officer at the address above, and advise the Plan as to what information you seek to limit, and how and/or to whom you would like the limit(s) to apply. The Plan will notify you in writing as to whether it agrees to your request for restrictions. The Plan will also notify you in writing if it terminates an agreement to the restrictions that you requested.


You have the right to, and will receive, notification if a breach of your unsecured PHI requiring notification occurs.


You have the right to complain to the Plan and/or to the Department of Health and Human Services if you believe your privacy rights have been violated. To file a complaint with the Plan, submit your complaint in writing to the Privacy Officer, as detailed above.

You will not be retaliated or discriminated against and no services, payment, or privileges will be withheld from you because you file a complaint with the Plan or with the Department of Health and Human Services.


You have the right to a paper copy of this Notice. To make such a request, submit a written request to the Privacy Officer, at the address above.


The Plan reserves the right to change its privacy practices and make the new practices effective for all PHI that it maintains, including your PHI that it created or received prior to the effective date of the change and your PHI it may receive in the future.

If the Plan materially changes any of its privacy practices covered by this Notice, it will revise this Notice, and provide you with the revised Notice within 60 days of the revision (or within such other time frame required under the regulations), or if the Plan posts the Notice on its website it shall prominently post the material change or the revised Notice on its website by the effective date of the material change to the notice and provide the revised notice, or information about the material change and how to obtain the revised notice during the next annual enrollment or at the beginning of the plan year if there is no annual enrollment process. In addition, copies of the revised Notice will be made available to you upon your written request, and any revised Notice will also be available on the Plan’s website:

Contact Information

If you have any questions, concerns or would like more information about the Plan’s privacy practices or this Notice, please contact the HIPAA Privacy Officer, The Wistar Institute, 3601 Spruce Street, Philadelphia, PA 19104, 215-898-3765.


This Notice is effective as of September 23, 2013 and will remain in effect unless and until the Plan publishes a revised Notice.

Fragrance-Free Value Statement


The ingredients in many fragrances and scents are known to irritate the respiratory tract, nervous system, and eyes; lower immunity to disease; and trigger allergies and other severe health reactions. In the case of asthma and epilepsy, reactions triggered by exposure to scented products can be life-threatening.


The Wistar Institute supports sustaining healthy indoor air quality. In the interest of promoting the health and safety of the Institute’s faculty, staff, and visitors, the Institute community is encouraged to limit use of perfumes, colognes, after-shave lotions and other such similar scented products in the workplace. Employees should discontinue use of any scented product that causes someone else in the workplace to experience an adverse health reaction. Accommodating the needs of others in this manner will help to create a safe and comfortable environment for every person at the Institute.