NOTICE OF PRIVACY PRACTICES

This notice describes how information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

Effective Date: January 1, 2026
Last Revised: January 1, 2026

Introduction

This Notice of Privacy Practices explains how Catholic Charities of the Diocese of St. Cloud (“Catholic Charities,” “we,” “our,” or “us”) may use and disclose PHI about you, your rights regarding your PHI, and our legal obligations under the Health Insurance Portability and Accountability Act (HIPAA) and Minnesota Health Records Act (Minn. Stat. §§ 144.291–144.298.

This Notice applies to all PHI created, received, maintained, or transmitted by Catholic Charities in the course of providing services to you.

Understanding Your Health Information

While receiving services from Catholic Charities programs, we may collect health and related information about you. This information may include symptoms, assessments, diagnoses, treatment plans, services provided, and information necessary for care coordination and program administration.

Health information may be protected by both federal and state laws. Where rules are different Catholic Charities will follow the rules providing greater protection of health information.

How We May Use and Disclose Your PHI Without Authorization

We may use and disclose your PHI without your written authorization as permitted or required by law.

Treatment, Care Coordination, and Integrated Programs: Catholic Charities may operate integrated programs that provide health, mental health, substance use, and social services. When permitted by law, we may share PHI within Catholic Charities among staff involved in your care or services to coordinate treatment, reduce duplication, and support continuity of care.

Information subject to heightened protections—such as mental health records, minor-consented services, or substance use disorder records protected by 42 CFR Part 2—will only be shared within integrated programs as allowed by law or with your specific written consent.

Payment: To obtain payment for services provided to you, including billing health plans or other payers and determining eligibility or coverage.

Health Care Operations: For activities necessary to operate our programs, such as quality improvement, training, licensing, audits, compliance, business planning, and administrative functions.

Public Health and Safety: For public health activities and reporting as required or permitted by Minnesota or federal law, including reporting abuse, neglect, or threats to health or safety.

Health Information Exchanges: We may participate in secure health information exchanges that allow providers to share necessary clinical information for treatment, coordination, and continuity of care in compliance with applicable privacy laws.

Fundraising: We may contact you about supporting our fundraising efforts, programs, and events to support our mission. We do not sell or rent names or contact information to organizations outside of Catholic Charities without your authorization. If you wish to opt-out from receiving further fundraising communications, please refer to the instructions provided on the communications sent to you.

Health Oversight Activities: To Minnesota or federal oversight agencies authorized by law for audits, investigations, inspections, and licensure.

Legal Proceedings and Law Enforcement: As required or permitted by Minnesota or federal law, including in response to court orders, subpoenas, or other lawful processes. Disclosures will be limited to what the law allows and, when applicable, to the minimum necessary.

Medical Examiners, Coroners, and Funeral Directors: To carry out their duties as allowed by law.

Worker’s Compensation: To comply with workers' compensation laws or other government benefit programs.

Required by Law: When disclosure is required by Minnesota or federal law.

Research: We may use or disclose information for approved research purposes, provided all applicable federal and state laws and safeguards are met.

Special Protections for Mental Health and Substance Use Disorder Information

Mental Health Information
Mental health records, including diagnostic assessments, therapy notes, and treatment information, are afforded heightened protections under Minnesota law. Disclosures of mental health information may require your specific written authorization unless disclosure is otherwise permitted or required by Minnesota or federal law.

Psychotherapy notes receive special protection under HIPAA and Minnesota law and will not be used or disclosed without your written authorization, except as permitted by law.

Substance Use Disorder Records (42 CFR Part 2)

Records that identify a person as having, having had, or being treated for a substance use disorder in a federally assisted program are protected by 42 CFR Part 2.

These records generally may not be used or disclosed without your specific written consent, except as permitted by Part 2 or other applicable law. Consent must meet strict federal requirements and may be revoked at any time, except to the extent that action has already been taken in reliance on the consent.

Disclosures made with your consent will be limited to the information necessary for the stated purpose and may include restrictions on redisclosure, as required by law.

Uses and Disclosures Requiring Your Written Authorization

We will obtain your written authorization before using or disclosing your PHI for:

·  Marketing purposes

·   Sale of PHI

·  Most uses and disclosures of psychotherapy notes

You may revoke an authorization at any time in writing, except to the extent we have already relied on it.

Your Rights Regarding Your Health Information

You have the following rights regarding your PHI:

  • Right to View and Copy: You have the right to request, in writing, to view and get a copy of your health record in electronic or paper format within 30 days. A reasonable, cost-based fee may apply for copies, postage, or media.

  • Right to Request an Amendment: If you believe your PHI is incorrect or incomplete you can request us to change it. We may deny your request if the information is accurate and complete and you will receive an explanation in writing.

  • Right to a list of Certain Disclosures: You may request a list of certain disclosures we have made about your health information. The list will not include uses and disclosures for treatment, payment, or operations and is limited to the previous six years.

  • Right to Receive a Copy of this Notice: You may request a paper or electronic copy of this notice at any time.

  • Right to Request Restrictions: You may request restrictions on certain uses or disclosures of your PHI (we are not required to agree to all requests, except as required by law).

  • Right to Request Confidential Communications: You have the right to ask, in writing, that confidential communications be made by alternative means or at alternative locations. We will accommodate all reasonable requests.

  • Right to Authorize or Refuse Authorization: We may only use or disclose your health information with your written permission except as described in this Notice or specifically required or permitted by law.

  • Right to File a Complaint: If you believe your privacy rights have been violated, you may file a complaint with the Catholic Charities Privacy Officer or with the U.S. Department of Health and Human Services. Catholic Charities will not retaliate against you for filing a complaint.

Rights of Minors and Parents

Minnesota law allows minors to consent to certain health and mental health services without parental consent. When a minor legally consents to their own care, the minor controls access to their health information related to that care, and parents or guardians may not have the right to access those records without the minor’s authorization, except as permitted or required by law.

When parents or guardians are legally authorized to consent to a minor’s care, they generally have the right to access the minor’s health information, subject to limitations under Minnesota or federal law.

Minnesota law may provide additional rights or shorter response timeframes than HIPAA in certain circumstances. You will not be retaliated against for exercising any of these rights.

Our Responsibilities

Catholic Charities is required by law to:

·  Maintain the privacy and security of your PHI

·  Provide you with this Notice of our legal duties and privacy practices

·  Abide by the terms of this Notice currently in effect

·  Notify you following a breach of unsecured PHI as required by law

·  Limit uses, disclosures, and requests for PHI to the minimum necessary, when applicable

We reserve the right to change this Notice and make the revised Notice effective for all PHI we maintain. Updated Notices will be posted at our locations and on our website and will be made available upon request. We may also provide the revised Notice by mail or electronically, consistent with Minnesota and federal law.

Complaints and Contact Information

If you have questions about this Notice, wish to exercise your rights, or want additional information, please contact:

Privacy Officer
Catholic Charities of the Diocese of St. Cloud, Minnesota
911 18th Street North
St. Cloud, MN 56303
Phone: (320) 240-3345

If you believe your privacy rights have been violated, you may file a complaint with our Privacy Officer or with the Office for Civil Rights, U.S. Department of Health and Human Services. Filing a complaint will not result in retaliation.

Office for Civil Rights
U.S. Department of Health and Human Services
200 Independence Avenue SW
Room 509F, HHH Building
Washington, DC 20201
Phone: 1-800-368-1019
Web: www.hhs.gov/gipaa/filing-a-complaint