Chestnut Health Systems’ Notice of Privacy Practices
(Chestnut Health Systems and Chestnut Family Health Center)


This Notice of Privacy Practices (this “Notice”) describes how Chestnut Health Systems, Inc. and all of its programs, including Chestnut Family Health Center (collectively, “Chestnut” or “we”) may use and disclose your protected health information (“PHI”), as well as your rights regarding your PHI. We are required by law to protect your PHI, to comply with this Notice, and to give you a copy of this Notice. We reserve the right to change the terms of this Notice at any time. Any new Notice will be effective for all PHI that we maintain at that time. We will make available a revised Notice by posting a copy on our website or by posting at our facilities. You may request a copy of the Notice at any time.

We must also comply with separate Federal laws that protect the confidentiality of alcohol and drug abuse patient records, as well as State laws that protect the confidentiality of mental health treatment records. Violation of these laws is a crime. You may report a suspected violation to the proper authorities. Additionally, individual Chestnut programs will share PHI with each other, as necessary, to carry out treatment, payment and health care operations.

How We May Use and Disclose Health Information about You

Listed below are some examples of the uses and disclosures that Chestnut may make of your PHI. The disclosure may be made verbally, in writing, or electronically, such as by email or text message.

Treatment. We may use or disclose your PHI to provide, coordinate, or manage your care or any related services, including sharing information with others outside Chestnut that we are consulting with or referring you to for your care, such as a specialist or a laboratory.

Payment. We may use or disclose your PHI for purposes related to payment, such as determining if you have insurance benefits, and if your insurance company will cover the cost of your treatment; processing claims with your insurance company; and reviewing services provided to you to determine medical necessity. We may use your PHI to obtain payment for your health care services without your written authorization.

Health Care Operations. We may use or disclose, as needed, your PHI in order to coordinate our business activities, for patient safety activities, or to share your PHI with third parties that provide services to us, such as billing or typing, who have entered into agreements with Chestnut to maintain the confidentiality of your PHI. This may include reviewing your care, training students and staff, or setting up your appointments. We may use a sign-in sheet at the registration desk or call you by name in the waiting room when it is time to be seen. We may also contact you concerning Chestnut’s fundraising activities. If we contact you about fundraising activities, we will only use your name, address, phone number, gender, date of birth, treatment dates, health insurance status, health outcome, and in certain limited cases not involving substance abuse or mental health treatment your treating physician and department of service. You can choose not to receive any communications or only certain communications about fundraising by notifying the Privacy Officer in writing or by telephone. You may choose to opt back into future fundraising communications by notifying the Privacy Officer, as well.

Chestnut also participates with other behavioral health services agencies (each, a “Participating Covered Entity”) in the IPA Network established by Illinois Health Practice Alliance, LLC (“Company”). Through Company, the Participating Covered Entities have formed one or more organized systems of health care, in which the Participating Covered Entities participate in joint quality assurance activities and/or share financial risk for the delivery of health care with other Participating Covered Entities, and as such qualify to participate in an Organized Health Care Arrangement (“OHCA”), as defined by the HIPAA Privacy Rule. As OHCA participants, all the Participating Covered Entities may share the PHI of their patients for the treatment, payment, and health care operations purposes of all the OHCA participants.

Information That Can Be Disclosed Without Your Authorization

Required by Law. We may use or disclose your PHI if it is required by law. For example, we must make disclosures of your PHI to you upon your request, and we must make disclosures to the Secretary of the Department of Health and Human Services for the purpose of determining our compliance with the HIPAA Privacy Rule. We may also disclose your PHI if a court issues a subpoena and appropriate order and follows required procedures. Mental health information may also be disclosed to coordinate services between government agencies that have entered into an interagency agreement.

Health Oversight. We may disclose PHI to a health oversight agency for activities authorized by law, such as audits, investigations, inspections, and licensure, and for accreditation purposes.

Medical Emergencies. We may use or disclose your PHI in a medical emergency situation to medical personnel only.

Child Abuse or Neglect. We may disclose your PHI to a state or local agency as authorized by law. We only disclose necessary information to make the initial mandated report.

Deceased Patients. We may disclose PHI regarding deceased patients as required by law and certain limited PHI to family members or others who were involved in the deceased patient’s care or payment for care prior to death, but only such PHI as is relevant to the family member’s or other’s involvement in the deceased’s care or payment. In addition, PHI of persons who have been deceased more than 50 years is no longer protected and may be disclosed without an authorization.

Research. If you are in a research study or future research studies, we may disclose PHI to researchers if our Institutional Review Board reviews and approves the research and either (a) you have signed an authorization, or (b) the Institutional Review Board reviews and approves a waiver to the authorization requirement.

Criminal Activity on Program Premises/Against Program Personnel. We may disclose your PHI to law enforcement officials if you have committed a crime on our premises or against our personnel.

Public Safety. We may disclose PHI to avert a serious threat to health or safety, such as physical or mental injury being inflicted on you or someone else. Chestnut is also required by State law to provide information concerning mental health recipients who pose an imminent threat to themselves or others to the Illinois Department of Human Services for the purposes of determining whether the individual holds a Firearm Owner Identification (“FOID”) Card. Any person who holds a FOID card, or who has applied for a FOID card, may have their FOID card revoked if that person is deemed a threat to themselves or others.

Public Health. We may use or disclose your PHI to a public health authority authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability. In certain limited circumstances, we may also disclose your PHI to a person that may have been exposed to a communicable disease or may otherwise be at risk of spreading or contracting such disease, if such disclosure is authorized by law. We may disclose proof of immunization to a school where the school must have such information prior to admitting a student. Before doing so, we will obtain verbal or written agreement from you.

Uses and Disclosures of PHI With Your Written Authorization

Other uses and disclosures of your PHI will be made only with your written authorization. Examples of such situations include the disclosure of psychotherapy notes, marketing communications, or certain situations where your PHI may be transferred to another covered entity.

You may revoke this authorization at any time. Although Chestnut will honor your revocation going forward, Chestnut may have already made a use or disclosure based on your authorization.

Your Rights Regarding Your Protected Health Information

You have the following rights, which we describe below. Please contact our Privacy Officer in writing if you have any questions:

Inspect and Copy Your PHI. You can view and get a copy of your PHI for as long as we maintain the record. If we maintain a copy of your PHI in electronic format then we will provide that PHI to you in the electronic format that is readily producible. Upon your request, we will provide a copy of your PHI to another person. Your request must be in writing and signed by you. We may charge you a reasonable cost-based fee for the copies. We can deny you access to your PHI in certain circumstances. In some of those cases, you will have a right to appeal the denial of access.

Amend Your PHI. You may request, in writing, that we amend your PHI in our records. We may deny your request in certain cases. If we deny your request, you have the right to file a statement that you disagree with us. We will respond to your statement and will provide you with a copy.

Accounting of PHI Disclosures. You may request an accounting of our disclosures of your PHI for a period of up to six years (excluding disclosures made to you, made for treatment purposes, made with your authorization, and certain other disclosures). We may charge you a reasonable fee if you request more than one accounting in any 12-month period.

Notice of Breach of Unsecured PHI. You have the right to receive notification from Chestnut in the event of a breach of unsecured PHI that relates to you. A breach generally involves the acquisition, use, or disclosure of PHI in a manner that is not allowed under HIPAA, which compromises the security or privacy of the PHI.

Copy of Notice. You have the right to obtain a copy of this notice from us.

Restrictions on Disclosures and Uses of Your PHI. You have the right to ask us not to use or disclose your PHI for treatment, payment or health care operations or to family members involved in your care.
Your request for restrictions must be in writing and we are not required to agree to such restrictions, unless you paid in full and out of pocket for a health care item or service and you do not want us to tell your health plan. In that case, we must comply with your request for restriction. You can request a restriction by completing a Request for Confidential Communications form available from reception staff.

Confidential Communications. You have the right to request that we communicate with you about your PHI or medical care in a certain way or at a certain location. We will accommodate reasonable, written requests. We may also condition this accommodation by asking you for information regarding how payment will be handled or specification of an alternative address or other method of contact. We will not ask you why you are making the request. Please contact your clinician if you would like to make this request.

Complaints. If you believe we have violated your privacy rights, you may file a complaint in writing by contacting us at or by contacting our office and speaking to one of our Privacy Officers. We will not retaliate against you for filing a complaint.

You may also file a complaint with the U.S. Secretary of Health and Human Services as follows:

200 Independence Avenue S.W.
Washington, D.C. 20201
1 (202) 619-0257

The effective date of this Notice is May 6, 2019.


Click here to download a copy of the Chestnut Health Systems' Notice of Privacy Practices.