Notice of Privacy Practices

Effective Date: October 1, 2025

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

If you have any questions about this notice, you may contact the Chief Privacy Ofﬁcer by telephone at 888-464-6767, by email to PrivacyandInformationSecurity@OrlandoHealth.com, online at OrlandoHealth. EthicsPoint.com, or by mail to: Orlando Health, MP 29, 1414 Kuhl Ave., Orlando, FL 32806.

WHO WILL FOLLOW THIS NOTICE

This notice describes Baptist Health’s practices regarding the use and disclosure of your medical information, including use and disclosure by (a) any healthcare professional authorized to enter information into your medical record, (b) all departments and units of the system, (c) volunteers we allow to help you while you are in the facility, (d) all contracted services, and (e) all members of Baptist Health’s workforce.

All Baptist Health entities and locations follow the terms of this notice, which includes but is not limited to hospitals, outpatient services and centers, physician practices, skilled nursing facilities, home health services, ambulance and transport services, and philanthropic foundations. Also included are staff and contracted physician services such as, but not limited to, emergency department physicians, pathologists, anesthesiologists, radiologists, hospitalists, physicians who interpret tests, and all other members of the medical staff when seeing patients in our facilities. These individuals, entities and facilities may share medical information with each other for treatment, payment or hospital operations purposes described in this notice.

OUR PLEDGE REGARDING MEDICAL INFORMATION

We understand that information about you and your health is personal. We are committed to protecting that medical information. We create a record of the care and services you receive to provide you with quality care and to comply with certain legal requirements.

This notice applies to all the records of your care generated by Baptist Health, whether made by our employees or your personal physician. Your personal physician may have different policies or notices regarding use and disclosure of medical information created in their ofﬁce or clinic. This notice tells you about the ways in which we may use and disclose information about you. It also describes your rights and certain obligations we have regarding the use and disclosure of medical information.

We are required by law to: make sure that health-related information that identiﬁes you is kept private; give you this notice of our legal duties and privacy practices with respect to medical information about you; follow the terms of the notice that is currently in effect and notify you following a breach of unsecured protected health information.

HOW WE MAY USE AND DISCLOSE MEDICAL INFORMATION ABOUT YOU

The following categories describe the ways that we use and disclose health-related information. For each category of use or disclosure, we will explain what we mean and try to give some examples. Not every use or disclosure in a category will be listed. However, all the ways we are permitted to use and disclose information will fall within one of the categories.

For Treatment
We may use and disclose your information to provide you with medical treatment and to coordinate or manage your healthcare and related services. (For example, we may use and disclose information about you to physicians, nurses, technicians, medical students, family members, clergy, or others who are involved in your care.) We may use and disclose medical information about you when you need prescription(s), lab work, X-rays or other healthcare services, or when referring you to another healthcare provider.

For Payment
We may use and disclose information about you so the treatment and services you receive can be billed to and payment may be collected from you, an insurance company or a third party. (For example, we may need to give your health plan information about surgery you received so your health plan will pay us or reimburse you for the surgery.) We may also tell your health plan about a treatment you are going to receive to obtain prior approval or to determine whether your plan will cover the treatment.

For Healthcare Operations
We may use and disclose information about you for normal hospital operations. These uses and disclosures are necessary to run the facility and make sure that all our patients receive quality care. (For example, in the course of quality assurance and utilization review activities, we may use medical information to review our treatment and services and to evaluate the performance of our staff in caring for you. Some of these reviews may be conducted by independent physicians who are members of the medical staff but not Baptist Health employees.) We may disclose medical information to business associates who provide contracted services such as accounting, legal representation, claims processing, quality assurance, accreditation, and consulting. If we do disclose medical information to a business associate, we will do so subject to a contract that provides that the information will be kept conﬁdential.

We may also combine medical information about patients to decide what additional services we should offer, what services are not needed, and whether certain new treatments are effective. We may also disclose information to physicians, nurses, technicians, medical students, and other personnel for review and learning purposes. We may also combine the medical information we have with medical information from other facilities to compare how we are doing and see where we can make improvements in the care and services we offer. We may remove information that identiﬁes you from this set of medical information so others may use it to study healthcare and healthcare delivery without learning who the speciﬁc patients are.

Health Information Exchange (HIE)
Your protected health information (PHI) may be used and disclosed with other healthcare providers or other healthcare entities for treatment, payment and healthcare operations purposes, as permitted by law, through an HIE. For example, information about your past medical care and current medical conditions and medications can be available to other primary care physicians if they participate in the HIE. Exchange of health information can provide faster access, better coordination of care and assist providers and public health ofﬁ cials in making more informed treatment decisions. You may opt out of the HIE and prevent providers from being able to search for your information through the exchange. You may opt out and prevent your medical information from being searched through the HIE by completing and submitting an Opt-Out Form to registration personnel.

Hospital Directory
We will include certain limited information about you in the hospital directory if you are assigned a bed in one of our hospitals. This information may include your name, location in the hospital, general condition (fair, good, etc.) and religious afﬁliation. The directory information, except for your religious afﬁliation, may be released to people who ask for you by name. This is so your family, friends and clergy can visit you in the hospital and generally know how you are doing. (This does not apply to behavioral health patients.) Your religious afﬁliation may be given to a member of the clergy, such as a priest or rabbi, even if they don’t ask for you by name. If you do not wish to have this information included in the hospital directory, notify registration personnel. (A request not to be included in the hospital directory must be made for each visit.)

Individuals Involved in Your Care or Payment for Your Care
Unless you object, we may release information about you to a friend or family member who is involved in or helps pay for your medical care. We may also tell your family or friends your general condition and that you are in the hospital. In addition, we may disclose medical information about you to an entity assisting in a disaster relief effort so that your family can be notiﬁed about your condition, status, and location.

Public Health Activities
Your PHI may be disclosed for the following public health activities: (1) to report health information to public health authorities for the purpose of preventing or controlling disease, injury or disability; (2) to report child abuse and neglect to public health authorities or other government authorities authorized by law to receive such reports; (3) to report information about products and services under the jurisdiction of the U.S. Food and Drug Administration; (4) to alert a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition; and (5) to report information to your employer as required under laws addressing work-related illnesses and injuries or workplace medical surveillance.

Victims of Abuse, Neglect or Domestic Violence
Your PHI may be disclosed to a governmental authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence if there is a reasonable belief that you are a victim of abuse, neglect or domestic violence.

Health Oversight Activities
Your PHI may be disclosed to a health oversight agency that oversees the healthcare system and is charged with responsibility for ensuring compliance with the rules of government health programs such as Medicare or Medicaid.

Judicial and Administrative Proceedings
Your PHI may be disclosed in the course of a judicial or administrative proceeding in response to a legal order or other lawful process.

Law Enforcement Officials
Your PHI may be disclosed to the police or other law enforcement ofﬁcials as required or permitted by law or in compliance with a court order or a grand jury or administrative subpoena. (For example, your PHI may be disclosed to identify or locate a suspect, fugitive, material witness, or missing person, or to report a crime or criminal conduct at the facility.)

Correctional Institution
Your PHI may be disclosed to a correctional institution if you are an inmate in a correctional institution and if the correctional institution or law enforcement authority makes certain requests to us.

Organ and Tissue Procurement
Your PHI may be disclosed to organizations that facilitate organ, eye or tissue procurement, banking or transplantation.

Research
Your PHI may be used or disclosed without your consent or authorization if an Institutional Review Board approves a waiver of authorization for disclosure.

Health or Safety
Your PHI may be used or disclosed to prevent or lessen a serious and imminent threat to a person’s or the public’s health or safety.

U.S. Military
Your PHI may be used or disclosed to U.S. Military Commanders for assuring proper execution of the military mission. Military command authorities receiving protected health information are not covered entities subject to the HIPAA Privacy Rule, but they are subject to the Privacy Act of 1974 and DoD 5400.11-R, “DoD Privacy Program,” May 14, 2007.

Other Specialized Government Functions
Your PHI may be disclosed to units of the government with special functions, such as the U.S. Department of State under certain circumstances for example the Secret Service or National Security Agency to protect the country or the President.

Workers’ Compensation
Your PHI may be disclosed as authorized by and to the extent necessary to comply with state law relating to workers’ compensation or other similar programs.

As Required by Law
Your PHI may be used and disclosed when required to do so by any other law not already referred to in the preceding categories; such as required by the FDA, to monitor the safety of a medical device.

Appointment Reminders
Your PHI may be used to tell or remind you about appointments.

Fundraising
Your PHI may be used to contact you as a part of fundraising efforts, unless you elect not to receive this type of information. You have the right to opt out of receiving such communications. To opt out, send an email to OrlandoHealthGiving@OrlandoHealth.com

USES AND DISCLOSURES REQUIRING YOUR WRITTEN AUTHORIZATION

Use or Disclosure with Your Authorization
For any purpose other than the ones described above, your PHI may be used or disclosed only when you provide your written authorization on an authorization form (“Your Authorization”). (For instance, you will need to execute an authorization form before your PHI can be sent to your life insurance company or to the attorney representing the other party in litigation in which you are involved.)

Uses and Disclosures of Your Highly Conﬁdential Information
Federal and state law require special privacy protections for certain highly conﬁ dential information about you (“Highly Conﬁdential Information”), including the subset of your PHI that: (1) is maintained in psychotherapy notes; (2) is about mental illness, intellectual disability and developmental disabilities; (3) is about alcohol or drug abuse or addiction; (4) is about HIV/AIDS testing, diagnosis or treatment; (5) is about communicable disease(s), including venereal disease(s); (6) is about genetic testing; (7) is about child abuse and neglect; (8) is about domestic abuse of an adult; or (9) is about sexual assault. In order for your Highly Conﬁ dential Information to be disclosed for a purpose other than those permitted by law, your written authorization is required.

YOUR RIGHTS REGARDING YOUR PROTECTED HEALTH INFORMATION

Right to Request Additional Restrictions
You may request restrictions on the use and disclosure of your PHI (1) for treatment, payment and healthcare operations, (2) to individuals (such as a family member, other relative, close personal friend or any other person identiﬁed by you) involved with your care or with payment related to your care, or (3) to notify or assist in the notiﬁcation of such individuals regarding your location and general condition. While all requests for additional restrictions will be carefully considered, we are not required to agree to these requested restrictions.

You may also request to restrict disclosures of your PHI to your health plan for payment and healthcare operations purposes (and not for treatment) if the disclosure pertains to a healthcare item or service for which you paid out-of-pocket in full. We will agree to abide by the restriction to your health plan except when the disclosure is required by law.

If you wish to request additional restrictions, please obtain a request form from the Health Information Management Ofﬁce via email at BaptistMedicalRecords@orlandohealth.com, and return the completed form back to the Health Information Management Ofﬁce. A written response will be sent to you.

Right to Receive Conﬁdential Communications
You may request, and we will accommodate, any reasonable written request for you to receive your PHI by alternative means of communication, or at alternative locations.

Right to Revoke Your Authorization
You may revoke Your Authorization, Your Marketing Authorization or any written authorization obtained in connection with your PHI, except to the extent that we have taken action in reliance upon it, by delivering a written revocation statement to the Health Information Management Ofﬁce identiﬁed below.

Right to Inspect and Copy Your Health Information
You may request access to your medical record ﬁle and billing records maintained by Baptist Health to inspect and request copies of the records. Under limited circumstances, you may be denied access to a portion of your records. To inspect and obtain a copy of medical information that may be used to make decisions about you, submit your request in writing to: Baptist Health Brookwood Hospital, Health Information Management, 2nd Floor, 2010 Brookwood Medical Center Drive, Birmingham, AL 35209 or email to BaptistMedicalRecords@ orlandohealth.com. If you request copies of paper records, you may be charged in accordance with federal and state law. To the extent the request for records includes portions of records which are not in paper form (e.g., x-ray ﬁ lms), you will be charged the reasonable cost of the copies. You also will be charged for the postage costs, if you request that the copies be mailed to you. However, you will not be charged for copies that are requested in order to make or complete an application for a federal or state disability beneﬁts program.

Right to Amend Your Records
You have the right to request that PHI maintained in your medical record ﬁ le or billing records be amended. If you desire to amend your records, please obtain an amendment request form from the Health Information Management Ofﬁce via email at BaptistMedicalRecords@orlandohealth.com, and return the completed form back to the Health Information Management Ofﬁce. Your request will be accommodated unless we believe that the information that would be amended is accurate and complete or other special circumstances apply.

Right to Receive an Accounting of Disclosures Upon request, you may obtain an accounting of certain disclosures of your PHI made during any period of time prior to the date of your request provided such period does not exceed six years and does not apply to disclosures that occurred prior to April 14, 2003. If you request an accounting more than once during a twelve (12) month period, you will be charged for the accounting statement.

Right to Receive a Paper Copy of this Notice
Upon request, you may obtain a paper copy of this Notice, even if you have agreed to receive such notice electronically.

For Further Information or Complaints
If you desire further information about your privacy rights, are concerned that your privacy rights have been violated or disagree with a decision made about access to your PHI, you may contact the Chief Privacy Ofﬁcer at the contact information above. You may also ﬁ le written complaints with the Secretary of the U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Room 509F HHH Bldg., Washington, DC 20201 or online at https://ocrportal.hhs.gov/. You will not be penalized for ﬁ ling a complaint.

Right to Change Terms of this Notice
We reserve the right to change this notice at any time. We reserve the right to make the revised or changed notice effective for medical information we already have about you as well as any information we receive in the future. We will post a copy of the current notice in various locations indicating the effective date. Revised copies of this notice will be provided upon request.

Facility Contact

Orlando Health, Attn: Chief Privacy Officer,
1414 Kuhl Ave., MP 29
Orlando, FL 32806

E-mail: PrivacyandInformationSecurity@OrlandoHealth.com

Phone: (321) 843-3333

Distance(Use My Location)		Wait Time
Orlando Health - Health Central Hospital	Directions	16 min
Orlando Health Arnold Palmer Hospital for Children	Directions	38 min
Orlando Health Bayfront Hospital Emergency Room	Directions	115 min
Orlando Health Dr. P. Phillips Hospital	Directions	29 min
Orlando Health Emergency Room - Blue Cedar	Directions	4 min
Orlando Health Emergency Room - Crossroads	Directions	0 min
Orlando Health Emergency Room - Four Corners	Directions	2 min
Orlando Health Emergency Room - Lake Mary	Directions	4 min
Orlando Health Emergency Room - Longwood	Directions	0 min
Orlando Health Emergency Room - Osceola	Directions	7 min
Orlando Health Emergency Room - Pinellas Park	Directions	5 min
Orlando Health Emergency Room - Randal Park	Directions	0 min
Orlando Health Emergency Room - Reunion Village	Directions	3 min
Orlando Health Emergency Room - Waterford Lakes	Directions	110 min
Orlando Health Horizon West Hospital	Directions	4 min
Orlando Health Melbourne Hospital	Directions	7 min
Orlando Health Orlando Regional Medical Center	Directions	318 min
Orlando Health Sebastian River Hospital	Directions	15 min
Orlando Health South Lake Hospital	Directions	64 min
Orlando Health St. Cloud Hospital	Directions	7 min