toggle search inbox
search
search
  1. Home
  2. About
  3. Notice Of Privacy Practices

Notice Of Privacy Practices

Notice of Privacy Practices Your Information. Your Rights. Our Responsibilities. This notice describes how health and financial information about you may be used and shared and how you can get access to this information. Please review it carefully. 

Our responsibilities

At Allegheny Health Network, including its wholly-owned health care provider subsidiaries and affiliates (AHN), we value your privacy. When it comes to managing your information, we are required by law to maintain the privacy and security of your health and financial information and to provide you with notice of your rights and our duties to keep your information safe and confidential.

In the normal course of doing business, we collect information as necessary to deliver treatment and care-related services and to run our business. The information we collect is called Protected Health Information (“PHI”). PHI is health and financial information that identifies you, or could be used to identify you, and was created or received by a health care provider, a health plan, a health care clearinghouse, or a vendor performing activities on behalf of one of these organizations, and is related to one of the following:

  • Your past, present, or future physical or mental health or condition;
  • Providing you with health care; and,
  • The past, present, or future payment for providing you with health care.

This Notice of Privacy Practices (“Notice”) describes our privacy practices, which includes how we use, disclose (share), collect, manage, and protect your PHI. This Notice applies to all electronic and paper records we create, obtain, or maintain about you as a patient, as well as all forms of communication (oral, written, and electronic) of this information.

Who will follow this Notice

The privacy practices described in this Notice will be followed by all health care professionals, employees, trainees, students, and volunteers supporting AHN. As part of an Organized Health Care Arrangement (OHCA), AHN and its affiliated providers and entities may share your PHI with each other for health care operations of our joint activities. This Notice does not apply to AHN in the context of being an employer.

How we protect your privacy

We understand the importance of protecting the confidentiality of your information. We restrict access to your PHI to those employees, agents, consultants, and health care providers who need to know the information to provide health products and services. We maintain physical, electronic, and procedural safeguards that comply with state and federal regulations to protect your information against unauthorized use, access, and disclosure. We will let you know promptly if a breach occurs that may have compromised the privacy or security of your PHI. 

Understanding your health record and information

Each time you visit a hospital, physician, or other health care provider seeking clinical services, a record of your visit is made. This record contains, among other things, your symptoms, examination, test results, diagnoses, and treatment. This information, often referred to as your health or medical record, serves as a:

  • basis for planning your care and treatment;
  • means of communication among the many health professionals who contribute to your care;
  • legal document describing the care you received; 
  • means by which you or a third-party payer can verify that services billed were actually provided;
  • tool in educating health professionals;
  • potential source of data for medical research;
  • source of information for public health and health oversight purposes/activities; and
  • tool with which we can assess and continually work to improve the care we render, the outcomes we achieve, and the cost of your care.

How we use and share your PHI

We use and share PHI we collect only as necessary to deliver products and services to our patients, to operate our business, or to comply with legal requirements. For example, we may use your PHI internally to manage your health, submit claims, or audit our operations. We share PHI with our affiliated companies and non-affiliated third parties, as permitted by law, who assist us in administering our programs, coordinating care, and delivering products and services to our patients. We may also share PHI with other third-party service providers that cooperate with us to jointly promote or administer health products or services. Our contracts with all such service providers require them to protect the confidentiality of our patients’ information.

Please be advised that once information is shared with a third party other than a health care provider, health plan, or other person subject to federal privacy laws – for example, if you fill out an authorization form directing us to share your PHI with a life insurance carrier – the information may no longer be subject to privacy and security protections, and the recipient may use or share that information for other purposes.

Uses of PHI without your authorization.

  • Help manage the health care you receive: To manage the health care you receive, we can use your PHI and share it with health care professionals that are treating you. For example, a doctor treating you for a broken leg may need to know if you have diabetes because diabetes may slow the healing process. 
  • Bill for your services: We may use and share your PHI to bill and receive payment from health plans or other entities for the services delivered to you. For example, we may give information about you to your insurance plan so it can pay for your services.
  • Run our business: We may use and share your PHI to run our business, improve your care, and contact you when necessary. For example, we use information about you to develop and enhance products and services offered to our patients, and we may share your information among our subsidiaries and affiliated entities for purposes permitted by applicable law. 

We may collect, use, and share your information in other ways without your authorization. We must meet certain conditions in the law before we can share your information for these purposes. The following are some of those examples.

  • As required by law: We may share your PHI if federal or state law requires the use or disclosure. For example, we must share your PHI with the U.S. Department of Health and Human Services if they want to see that we are following federal privacy laws.
  • Help with public health and safety issues: We can share your PHI for certain situations such as:
    • Preventing or controlling disease, injury, or disability;
    • Reporting abuse, neglect, or domestic violence;
    • Helping with product recalls;
    • Reporting adverse reactions to medications;
    • Preventing or reducing a serious threat to anyone’s health or safety. 
  • Respond to lawsuits and legal actions: We may share your PHI in response to certain legal requests. For example, we may share your PHI in response to a court order, administrative order, or subpoena that complies with applicable law. 
  • Respond to requests from coroners, medical examiners, funeral directors, and organ donation agencies: We may share PHI with a coroner or medical examiner to identify deceased persons and the cause of death. If necessary, we will share PHI with funeral directors. Further, we may share PHI with organizations that handle organ, eye, or tissue donation and transplantation.
  • Do research: We can use or share your information for health research purposes, subject to certain criteria.
  • Address workers’ compensation, law enforcement, health oversight activities, and other government requests: We can use or share your PHI when needed:
    • For workers’ compensation claims;
    • For law enforcement purposes or with a law enforcement official; 
    • With health oversight agencies for activities authorized by law;
    • For special government functions such as military, national security, and presidential protective services.
  • Cookies and Online Services: We may collect information obtained when you visit and utilize AHN websites (including the MyChart patient portal or other online care sites) or mobile device applications. Through the use of cookies, pixels, and other digital tracking technologies we may collect and share information about your use of these digital services, pursuant to applicable laws, to operate our business and improve our product and service offerings. 
  • Business Associates: We may contract with outside entities that perform business services for us that may require them to use or access your PHI. These entities are called business associates. We will have a written contract in place with the business associate requiring protection of the privacy and security of your health information. For example, we may share your PHI with a business associate to analyze your use of our websites and mobile device applications including, but not limited to, access times, pages viewed, etc. We may also use your PHI to develop, operate, and improve machine learning and other artificial intelligence solutions, for example, to support transcription of customer service calls or dictation of clinical notes. You should review our Digital Privacy Policy (available on our website) and any applicable Terms of Use for supplemental details regarding our online services, the information we collect, and the terms associated with a particular website or application.
  • Health Information Exchange (HIE): We may participate in certain Health Information Exchanges (HIEs), which may be an opt-in or opt-out model. An HIE is a secure electronic data sharing network which allows us to share health information electronically with other health care entities, such as insurers, health systems, hospitals, and physicians participating in your care for the purposes of treatment, payment, and health care operations. The health information we may share includes your medical history, diagnosis, notes, test results, current medications, allergies, immunizations, and other vital information needed for your care. All providers who participate in an HIE have agreed to privacy and security rules to protect your health information from unauthorized access, use, or disclosure.

You cannot choose to have only certain providers access your information. If you do not want your health information to be accessed through an HIE, you may choose not to participate or “opt-out” where applicable. Even if you opt-out, this will not prevent your health information from being shared in other ways as authorized or allowed by law for purposes such as managing your health care or payment of services you received, or administering our business.

  • Organized Health Care Arrangement (OHCA): AHN and its affiliated health plan, Highmark, participate in an OHCA to conduct analysis for quality assessment and improvement activities, utilization review, and related activities to facilitate more effective and efficient health care services for our members and patients. Individual PHI may be accessed, used and/or disclosed as necessary to carry out treatment, payment, or health care operations relating to the OHCA.
  • Inmates. If you are an inmate of a correctional institution, we may share your PHI with the correctional institution to provide you with health care, or to protect your health and safety or the health and safety of others.

Uses of PHI that require your authorization

Sometimes we are required to obtain your written authorization for the use and disclosure of your PHI. For example, we would need your authorization:

  • To use your PHI for certain marketing purposes;
  • To sell your information;
  • To share your substance use disorder counseling notes; and
  • To share your psychotherapy notes.

Withdrawal

We will not use or share your information other than as described in this Notice, or as permitted or required by applicable law, unless you tell us we can in writing. You may change your mind at any time by letting us know in writing. Any change or withdrawal of authorization will be effective for future uses and disclosures of PHI. It will not impact use of information or disclosures that we have already made while your previous authorization was in effect.

Compliance with State and Federal laws

We are required to comply with federal and state laws when they offer greater privacy protection for certain types of PHI. Where such laws apply, we will follow the stricter laws related to the use and sharing of sensitive PHI, such as:

  • Genetic information;
  • HIV/AIDS testing, diagnosis, or treatment;
  • Venereal or communicable disease testing, diagnosis, or treatment;
  • Alcohol or drug abuse prevention, treatment and referral;
  • Psychotherapy notes.

Your choices

For certain health information, you can tell us your choices about what we share. We may use and share your information in the situations described below, but you have the right to limit or object to sharing information for these reasons.

  • Under certain circumstances, we may share your PHI with your family or close friends that you have identified as being involved in your health care or payment for your health care, unless you tell us not to do so. If you are unable to provide us permission, then we may provide the information we determine is in your best interest based on our professional judgement.
  • We may share your information in a disaster relief situation.
  • We may place your name, the location at which you are receiving inpatient care, phone number, room number (if applicable), general health condition or status (for example, stable, critical, etc.), and religious affiliation in our facility directory. This information may be provided to others who ask for you by name, including inquiries from the media. You have the right to ask that all or part of your information not be given out. If you do so, we will not be able to tell your family or friends your room number or that you are in our facility.
  • We may use or share your name, address, phone number, and the dates you received services to contact you to support our fundraising efforts, consistent with applicable laws. 

Your individual rights

When it comes to your health information, you have certain rights. The following is a description of those rights. Any request must be in writing and signed by you or your authorized representative. You can obtain more information, or submit your request in writing, by using the contact listed at the end of this Notice.

  • Get a copy of your medical record: You can ask to review or receive copies of your medical and billing records that we have about you in a designated record set. We will provide a copy or summary of your health information. We may charge a reasonable cost-based fee.
  • Get a list of those with whom we have shared information: You can ask for a list (an “accounting”) of the times we have shared your PHI that are for reasons other than treatment, payment, health care operations, or those which you authorized. You may request the date range you want to review; however, this is limited to 6 years before the date of your request.
  • Ask us to limit what we use or share: You can ask us not to use or share certain health information about you for treatment, payment, or our operations. We are not required to agree to your request, and we may say “no” if it is not consistent with the law, our policies, or our business operations. If you pay for a health care service out-of-pocket in full at the time of the encounter, you can ask us not to share information about that service with your health insurer. We will not share details of that health encounter, unless a law requires us to share that information.
  • Request confidential communications: You can ask us to contact you in a specific way, or at a different address, if you believe that sharing your PHI could place you in danger. For example, you may ask that we contact you only at your work address or your work email.
  • Ask us to correct or amend your medical record: You can ask us to correct, or amend, your health information if you believe it is incorrect or incomplete. Your request must explain why you believe the information needs to be corrected. We may say “no” to your request, but we will tell you why in writing.
  • Choose someone to act for you: If you have given someone medical power of attorney or if someone is your legal guardian or other authorized representative, that person can exercise your rights and make choices about your health information. We will make sure the person has this authority and can act for you before we take any action.
  • Get a paper copy of this Notice: You can ask for a paper copy of this Notice, even if you have agreed to receive the Notice electronically.

Changes to the terms of this Notice

On an ongoing basis, it may become necessary to revise the terms of this Notice. Any changes will apply to all information we have about you. If the Notice significantly changes, the new Notice will be available upon request, on our website, and at our care locations.

Complaints

If you want more information about our privacy practices or are concerned that we may have violated your privacy rights, you can complain to us using the following contact information:

Privacy Operations
120 Fifth Avenue Place, Suite 2114
Pittsburgh, PA 15222
Toll free: 1-800-985-2050
HighmarkHealthPrivacy@highmarkhealth.org

You may also file a complaint with the U.S. Department of Health and Human Services by using the following contact information:

U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington D.C. 20201
Toll free: 1-877-696-6775
www.hhs.gov/ocr/privacy/hipaa/complaints

We support your right to protect the privacy of your PHI. We will not retaliate in any way if you choose to file a complaint with us or with the U.S. Department of Health and Human Services.

Effective date

We must follow the privacy practices described in this Notice while it is in effect. This Notice is revised and effective as of February 2026 and will remain in effect unless we replace it.

Additional provisions: privacy practices related to substance use disorder (SUD) records

These additional provisions to this Notice apply only to those AHN entities and AHN affiliates that create or receive federally regulated SUD treatment records, for example, our Center for Inclusion Health and Perinatal Hope Program. Your SUD records will be protected by federal and state privacy laws. Unless specifically indicated in these additional provisions, your SUD records will have the same protections and you will have the same rights as described elsewhere in this Notice. The following provisions identify added protections for SUD records, as required by law.

When we can use and share your SUD records

For PHI collected by a SUD program governed by federal regulations, your consent will be obtained for all future uses or disclosures for treatment, payment, and health care operations before sharing such information consistent with applicable privacy laws. We may also obtain your consent to disclose SUD records to prevent multiple enrollments in withdrawal management or maintenance treatment programs, or to persons within the criminal justice system who have made participation in the substance use disorder program a condition of the disposition of any criminal proceedings against you or of your parole or other release from custody, provided the disclosure is permitted by applicable privacy laws. In most cases, we collect your consent for these purposes when you begin treatment with one of our SUD programs. Except as described in these additional provisions, any other uses or disclosures of your SUD records will require your written consent.

Records that we share with your consent to a third party regulated by federal privacy laws may be further disclosed, without your written consent, by the third party, to the extent permitted by federal privacy laws.

We may use and share SUD records without your consent for the following reasons when all conditions required by federal law are met: medical emergencies, scientific research, management audits, financial audits, program evaluation, and disclosures to public health authorities when the health records are de-identified.

Prohibition on sharing records in civil, criminal, administrative or legislative proceedings

We will not use or share your SUD records (or provide testimony based on such information) in any civil, criminal, administrative, or legislative proceedings against you, unless you have provided your written consent, or a special type of court order has been obtained and you have had the opportunity to object.

Opt-out for fundraising

We will only use or share records to fundraise for the benefit of a SUD treatment program if you are first provided with an option to elect not to receive fundraising communications.

You can request to no longer receive fundraising communications following your participation in a SUD program, even if you initially permitted us to send such communications. 

*Revised: February 2026