Healthcare Access San Antonio Notice of Privacy Practices
Effective Date: March 11, 2014 (Updated December, 2017)

Healthcare Access San Antonio (HASA) is a nonprofit, community health information exchange that facilitates electronic exchange of patient information between physicians, hospitals, labs, pharmacies, patients and other providers. Sharing this information helps hospitals and physicians save patients’ time and provide better treatment.

How can HASA use and disclose protected health information about an individual?

HASA is not a healthcare provider. Rather, HASA helps doctors in the community share medical records so that each patient gets the best quality of care available. HASA values your privacy and meets all the same standards your doctor does to protect your health information while it is in our care. HASA does not create or change your protected health information. As a community health information exchange (HIE), we only supply protected health information to those individuals and organizations that are already allowed to have access under federal and state law. Doctors are responsible for obtaining signed or electronic opt-out, revocation and authorization forms from their patients that comply with the requirements under federal and state privacy laws. Situations in which we may share your medical record include, but are not limited to:

  • Treatment. HASA provides access to your protected health information (PHI) to those who provide your medical care. We disclose medical information to your primary healthcare provider and others who are involved in providing the care you need. For example, if your doctor sends you to see a specialist, HASA can make your medical record available to that specialist on their computer. Or the HASA network may share this information with a pharmacist who needs it to dispense a prescription to you, or a laboratory that performs a test.
  • Payment. Your physician may use HASA to access medical information about you to obtain payment for the services they provide. For example, your physicians may give your health plan the information it requires before it will pay them.
  • Health Care Operations. Healthcare providers that are partnered with HASA may use and disclose medical information about you to operate their medical practice. For example, a hospital can look at medical records to improve the quality of care they provide, or to measure the performance of their staff.
  • Public Health. Your healthcare providers may, and are sometimes required by law to, disclose your health information to public health or other authorities. For example, your doctor may report all flu cases to the Department of Health and Human Services to help them decide where the flu vaccine is most needed. As a community health information exchange, HASA may assist doctors in accessing the information which they are obligated to report.

Breach Notification. In the case of a breach of unsecured PHI, you will be notified as required by law. In some circumstances HASA’s provider members may provide the notification. HASA may also provide notification by other methods as appropriate. 

Sale of Health Information. HASA does not sell PHI. In accordance with HIPAA regulations, HASA cannot sell your information without your express permission.

What are HASA’s legal duties with regard to protected health information?

HASA is held to the same legal standards as your doctors when it comes to protecting your medical records. While this notice focuses on privacy requirements, HASA is also required to meet federal and state standards for protecting the security of  your information. HASA understands that this information is private and only supplies the minimum information necessary to ensure you receive quality care. HASA is required by law to maintain the privacy of this PHI. In certain instances, HASA does provide information to organizations to determine community health needs, provide trending reports, or assist health care providers in identifying patients with particular health needs. Please note that once entities have received your information through HASA, they can redisclose this information as allowed by federal and state law.

HASA has a responsibility to ensure that the information shared through the system is the same as the information received from your providers. In other words, HASA must protect data integrity, so that the accuracy and consistency of your information is maintained.

HASA must keep a record of who sees your PHI and why they looked at it. HASA checks its records and investigates any unusual use of the network. HASA uses a system that only lets people who have the legal right to view your information see your medical record, and only when they need to see it. What rights do I have with regard to my protected health information? HASA keeps accurate and up-to-date records on file for your doctor. While the physical medical records belong to doctors, the information in them belongs to the individual patient. Due to this ownership, patient rights with regard to HASA include, but are not limited to:

  • Right to Opt Out of Information Sharing. HASA is dedicated to protecting your information and improving the overall quality of healthcare in our region through effective exchange of information among our members. While this information exchange is an important tool for physicians and hospitals to coordinate your care, you can deny HASA the right to share your health information with those who provide you healthcare services. In order to do this, you simply need to complete an opt-out form available from your provider or the website. If your provider shares information with HASA, they are responsible to give you information about HASA and how to opt-out if you wish. Opting out of information sharing means your information will not be shared by HASA, even in the case of an emergency. It will not impact your ability to receive care from your providers, just their ability to get information through the HASA system from your other providers.
  • Right to Request Special Privacy Protections. You have the right to request restrictions on certain uses and disclosures of your health information by a written request to your doctor saying what information you want to limit, and what limits you want to set. We reserve the right to accept or reject any other request, and will notify you of our decision.
  • Right to Inspect and Copy. You have the right to inspect and ask for a copy your health information, with limited exceptions through HASA’s patient portal. HASA wants everyone to be able to view and manage their health records. To access your medical information, you need to write your doctor and tell him what information you want, whether you want to just look at it or get a copy of it, and if you want a copy, your preferred form and format.
  • Right to an Accounting of Disclosures. You have the right to know who has had access to your PHI through HASA. HASA does not have to account for when you access your own information or when you specifically say someone can see your information. We don’t have to tell you every time someone uses your record for treatment, payment, health care operations, or specialized government functions. We don’t tell you when we give information for purposes of public health that cannot be traced back to you, or which are incident to a use or disclosure otherwise permitted or authorized by law, or the disclosures to a health oversight agency or law enforcement official if HASA has received notice from that agency or official that says we have to by law. In order to see who else viewed your records, you may either submit a request through the website or ask your doctor, who will request the information from us for you.
  • You have a right to have a copy of this Notice of Privacy Practices. You have a right to a notice of our legal duties and privacy practices with respect to your health information, including a right to a paper copy of this Notice of Privacy Practices, even if you have received it through email or can see the information on our website.

If you would like to have a more detailed explanation of these rights or if you would like to exercise one or more of these rights, contact our Privacy Officer listed at the top of this Notice of Privacy Practices.

Complaints about this Notice of Privacy Practices or how HASA handles your health information should be directed to our Privacy Officer listed at the top of this Notice of Privacy Practices. If you are not satisfied with the manner in which this office handles a complaint, you may submit a formal complaint to the federal Office of Civil Rights, which enforces federal privacy and security compliance:

Civil Rights Office
Health and Human Services Commission
701 West 51st St., mail code W206
Austin, Texas 78751

Or Call (512) 438-4313

If you have any questions, you can contact HASA’s Privacy Officer at the following address:

HASA Privacy Officer
5535 Fredericksburg Road, Suite 220
San Antonio, TX 78229
(210) 918-1357


*Revised on October 2017




*Revised on March 2016