Skip to Content

Privacy Policy

HIPAA Joint Notice of Privacy Practices

This statement outlines the policy and procedure of Rush Copley Medical Center regarding the collection and use of your personal information from your visit(s) to our website.

We collect no information about you, other than information automatically collected and stored (see below), when you visit our Web site unless you choose to provide that information to us.

Rush Copley Medical Center (“Rush Copley”) is committed to protecting the privacy of all visitors to our website. It is our goal to maintain compliance with the highest standards of website privacy so our visitors may use the site for healthcare information needs. Rush Copley is committed to making certain that our Web site is used as a resource to fulfill our mission by working to serve your healthcare needs through excellence in education and technology.

Information gathered on our website is used to monitor effectiveness in providing relevant and credible health information, in answering questions, and in improving our website.

Information collected

We gather general information to monitor site usage and improve the quality of the website that is not linked to any personal identifying information.

The website recognizes and collects the domain name of a visitor’s server (for example, We do not automatically collect personally identifiable, such as, name, e-mail address, physical address, unless you specifically provide that information to us. Examples of how you might provide us with such personal information include:

  • Completing a survey or feedback form;
  • Emailing us with a comment;
  • Subscribing to our email notification service;
  • Establishing a personalized homepage via our website.

Using collected information

  • Rush Copley does not sell, share, or release personal information about its website visitors to any third parties, unless compelled by law.
  • Personal information provided by you may be used to distribute materials related to your areas of interest.
  • The information we collect about the domain name of the server from which you are visiting is aggregated and used solely to determine the number of visitors to our site each day, and sources of traffic.
  • Email addresses provided by visitors are used to respond to comments submitted through our feedback and surveys forms, when indicated. Email addresses provided when subscribing to email bulletins are used to distribute the bulletins via email to subscribers. Information provided by visitors who choose to establish a personal homepage is used to furnish that page with the data requested by the visitor and to send information requested by the visitor.
  • If a website visitor asks us to send material that cannot be transmitted electronically, we will need to know the visitor's name, email address and mailing address. We will use that information only to fulfill the visitor's request.
  • Web site visitors who complete a website survey and indicate a willingness to participate in future surveys are asked to provide their name, email address and telephone number. That information is shared with carefully screened market research firms with which Rush Copley has business relationships.

Who has access to the information

Only Rush Copley web team employees have access to information collected from our website. If a visitor submits additional identifying information, that information is available only to the staff who are involved in implementing the requested activity.


“Cookies” are small pieces of information that are stored by your web browser on your computer’s hard drive. Cookies are used by most Web sites. Cookies can contain information about your use of our site, but they are not used to identify or track you personally. Rush Copley uses cookies to monitor the number of visitors from certain Web sites.

Most web browsers automatically accept cookies, but you can change your browser setting to prevent acceptance of cookies. Check with your Internet Service Provider for assistance in changing this setting. You should be aware that significant portions of our Web site will not function properly if you do not accept cookies.

Your consent

By using our website, you consent to the collection and use of the information discussed above. Changes in this policy will be posted on this page so that you may always be aware of what information is being collected, how it is being used, and under what circumstances it is being disclosed.

Accessing other websites through links on this website

Our website provides links to websites of agencies and organizations when we believe that the other websites may be of interest to our visitors. This does not constitute an endorsement of those websites. Once you link to another site, you are subject to the privacy policy and the “cookie” policy of that site

Email Security

We offer the opportunity to communicate to health care providers and programs via email. Because normal email is not encrypted, the possibility exists that unauthorized individuals may intercept email messages with Rush Copley. Rush Copley is not responsible for privacy of email messages except those stored in our system.

Our Commitment

Rush Copley will protect the personal information that you share with us. Our website,, is developed by Rush Copley Medical Center and Geonetric, Inc. Our address is: 2000 Ogden Avenue, Aurora, IL, 60504. Our eHealth Manager can be contacted by email at, or by telephone at 630-375-2935.

Back to top

HIPAA Joint Notice of Privacy Practices

Effective date of this notice: February 1, 2017. This notice will remain in effect until it is revised and/or updated.

This Notice of Privacy Practices is given on behalf of certain health care provider affiliates of Rush Copley Medical Center, including Copley Memorial Hospital, Rush Copley Medical Group NFP, Fox Valley Cardiovascular Consultants, Rush Copley Hospitalists, LLC, Castle Surgicenter, Castle Orthopaedics and Sports Medicine and all applicable subsidiary corporations, and all of their employed health care providers, students, and volunteers (collectively “Copley”). All of these entities may share patient information with each other for treatment, payment, or health care operations.


In the course of receiving medical services, patients provide Copley with personal information about their health, with the understanding that this information will be kept confidential. Copley may obtain health information from examinations, tests or from others who have provided medical care.
Copley uses patient information when providing treatment and may disclose patient information to other health care providers to assist them in providing treatment.

Copley may disclose information to insurance companies to receive payment, may also use the information within the organization to evaluate quality and improve processes and may also disclose patient information as required by law or as permitted by Copley policies.

Kinds of Information this Notice Applies to

This notice applies to protected health information (“PHI”) consisting of any
information in Copley’s possession that would allow someone to identify a patient and learn something about his or her health.

Joint Notice

Copley and certain non-employed hospital-based physician groups are presenting this notice as a joint notice.Those physician groups include Radiology, Anesthesia, Pathology,Neonatology, Intensive Care Unit Intensivist physicians and the Emergency Department. PHI from Copley will be shared with these physicians as necessary to carry out their treatment, payment, and healthcare operations.

Providers participating in the Organized Health Care Arrangement (OHCA) use the same electronic medical record to document and review the health care services they provide to you. Use of the electronic medical record allows your providers to coordinate your care, improve exchange of important information about your treatment, and get complete and up-to-date information to any provider who uses the shared electronic medical record.

This notice applies to services received at Copley. This includes services from some of the physicians who are not employed by Copley. If services are received from any of these physicians in their own offices, they may give patients a different Notice of Privacy Practices that applies to their offices.
Some physicians who provide care at Copley Memorial Hospital are independent contractors and are not agents, servants, or employees of the hospital, unless otherwise identified. These physicians exercise their own medical judgment in treating and providing services to patients and are solely responsible for their compliance with state and federal privacy laws. Nothing in this privacy notice is meant to imply or create any agency or employment relationship between these physicians and the hospital, either actual or implied, nor does this privacy notice alter, limit, or modify any other consent for treatment or procedures that patients may sign while receiving care at Copley.

Copley’s Legal Duties

  • Maintain the privacy of PHI.
  • Provide this Notice of Privacy Practices and legal duties regarding PHI to anyone who asks for it.
  • To abide by the terms of this notice.

How Health Information may be Disclosed

Copley may use PHI or disclose it to others for a number of different reasons. The following examples do not include all of the specific ways information may be used or disclosed.

1. Treatment. Copley will use PHI to provide medical care and services. This means that Copley employees, students, volunteers, and others who work under Copley’s direct control may read PHI to learn about a patient’s medical conditions and use it to make decisions about care. For instance, a hospital nurse may read a medical chart in order to care for that patient properly. PHI will be disclosed to others who need it in order to provide medical treatment or services. For instance, Copley may send a doctor the results of laboratory test performed at Copley.

2. Payment. PHI is disclosed as necessary to obtain payment for the services
provided. For instance, an employee in the business office may use PHI to prepare a bill. That bill may be sent, along with any PHI it contains, to the patient’s insurance company. PHI may be disclosed to companies who Copley utilizes for payment-related services. For instance, PHI may be given to a collection company to collect bills. Copley will not use or disclose more information for payment purposes than is necessary.

3. Health Care Operations. PHI may be used for activities that are necessary to operate Copley. This includes reading PHI to review the performance of staff. PHI may be used to plan for services that may be provided in the future, expanded, or reduced. PHI may be provided to students who are authorized to receive training at Copley. PHI may be disclosed as needed to others who Copley contracts with to provide administrative services. This may include lawyers, auditors, accreditation services, and consultants.

4. Legal Requirement to Disclose Information. PHI will be disclosed when required by law. This includes reporting information to government agencies that have the legal responsibility to monitor Copley. For instance, Copley may be required to disclose PHI if an audit is conducted by a federal or state agency. PHI will be disclosed when required by a court order or other judicial or administrative process.

5. Public Health Activities. PHI will be disclosed when required for public health purposes. This includes reporting patient visits, certain diseases, births, deaths, and reactions to certain medications to federal or state agencies. It may also include notifying people who have been exposed to a disease.

6. To Report Abuse. PHI may be disclosed when the information relates to a victim of abuse, neglect, or domestic violence. Copley will make this report only in accordance with laws that require or allow such reporting or with patient authorization.

7. Law Enforcement. PHI may be disclosed for law enforcement purposes. This includes providing information to help locate a suspect, fugitive, material witness, missing person, or in connection with suspected criminal activity. Copley must also disclose PHI to a federal agency investigating Copley’s compliance with federal privacy regulations.

8. Specialized Purposes. PHI may be disclosed for a number of other specialized purposes. Copley will only disclose as much information as is necessary for the purpose. For example, Copley may disclose:

  • Information of members of the armed forces as required by military command authorities.
  • Information to coroners,medical examiners, funeral directors, and organ procurement organizations (for organ, eye, or tissue donation).
  • Information for national security, intelligence, and protection of the President.
  • Information about an inmate to a correctional institution or to law enforcement officials to provide the inmate with health care, to protect the health and safety of the inmate and others, and for the safety, administration, and maintenance of the correctional institution.
  • Information to an employer for purposes of workers’ compensation and work site safety laws.

9. To Avert a Serious Threat. PHI may be disclosed if necessary to prevent serious harm to the public or to an individual. The disclosure will only be made to someone who is able to prevent or reduce the threat.

10. Family and Friends. Copley may disclose PHI to notify a family member, personal representative, or another person responsible for their care, of their location, general condition, or death. If the patient is present, then prior to disclosing the information, verbal or written consent will be obtained or the patient will have the opportunity to object. PHI will not be disclosed to family or friends if the patient objects. In the event of a disaster PHI may be provided to a disaster relief organization so they can notify family of the patient’s condition and location. In the event of the patient’s
incapacity or emergency circumstances, PHI may be disclosed based upon the professional judgment of the physician.

11. Facility Directory and Doors. Copley Memorial Hospital will list patients in the patient directory and on patient doors when they are admitted. The directory listing includes name, general condition, and location in the hospital. Copley Memorial Hospital will also list the patient’s religion in the directory but will disclose that information only to members of the clergy. Except for members of the clergy, Copley will only disclose the information in the directory to visitors who ask for a patient by name. If requested by a patient, Copley will not list them in the directory or place their name on their room door.

12. Research. PHI may be disclosed in connection with medical research projects. Federal rules govern any disclosure of PHI for research purposes without patient authorization.

13. Fund Raising. PHI may be used to contact patients to ask for donations to Copley. PHI may be disclosed to a related foundation for the same purpose. If patients do not want to be contacted for this purpose, they have the right to opt out of fundraising communications with each solicitation.

Breach Notification

1. Notice. Patients have the right to receive notice in the event of a breach of unsecured PHI. Copley will notify individuals who may be affected by a breach of unsecured PHI that compromises the security or privacy of the PHI. Copley will also notify the Department of Health and Human Services and the media, as applicable, in the event of a breach of this nature. All suspected breaches will be investigated and all necessary notifications will be sent, in accordance with federal law.

2. Breach. “Breach” means the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of the PHI, except where an authorized person to whom such information is disclosed would not reasonably have been able to retain such information.

Patient Rights

1. Authorization. The following uses and disclosures will be made only with
authorization from the patient: uses and disclosures for marketing purposes, uses and disclosures that constitute sale of PHI and other uses and disclosures not described in this notice. If a patient authorizes Copley to use or disclose their PHI, they have the right to revoke the authorization at any time. For information about how to authorize Copley to use or disclose PHI or about how to revoke an authorization, contact the Privacy Officer listed under “Whom to Contact” at the end of this notice. Patients may not revoke an authorization for Copley to use and disclose their information to the
extent that we have taken action on an authorization. If the authorization is to permit disclosure of information to an insurance company as a condition of obtaining coverage, other laws may allow the insurer to continue to use PHI to contest claims or coverage, even after revoking the authorization.

2. Request Restrictions. Patients have the right to restrict how Copley uses or discloses their PHI, including the right to restrict PHI to health plans if the patient has paid out-of-pocket, in full, for services, and the patient requests that Copley not disclose PHI related solely to those services paid out-of-pocket to a health plan.

Copley is not required to agree to the request. If Copley does agree, it will comply with the request unless the information is needed to provide emergency treatment.

Copley cannot agree to restrict disclosures that are required by law.

3. Confidential Communication. Patients have the right to ask Copley to
communicate with them at a special address or by special means. For example, they may ask Copley to send mail to a different address rather than to their home, or they may ask Copley to speak to them personally on the telephone rather than sending PHI by mail. Patients must make this request in writing to Copley, and the request must specifically and clearly state how or where the patient wants to be contacted. Copley will not ask the reason for the request and will attempt to accommodate reasonable requests.

4. Inspect And Receive a Copy of PHI. Patients have a right to inspect their PHI contained in Copley’s records and to receive a paper and/or electronic copy of it. This right is limited to information about them that is kept in records that are used to make decisions about them. For instance, this includes medical and billing records. If patients want to review or receive a copy of these records, they must make the request in writing. Copley may charge a fee for the cost of copying and mailing the records. To ask to inspect records or to receive a copy the patient must contact the medical records department at Copley. Copley will respond to the request within 30
days. Copley may deny access to certain information. If access is denied, Copley will give the reason in writing and explain how patients may appeal the decision.

5. Amend PHI. Patients have the right to ask to amend PHI about them, which they believe is not correct or not complete. Patients must make this request in writing and give the reason they believe the information is not correct or complete. Copley will respond to the request in writing within 30 days. The request may be denied if Copley did not create the information, if it is not part of the records used to make decisions about the patient at Copley, if the information is something patients would not be permitted to inspect or copy, or if the record is complete and accurate.

6. Accounting of Disclosures. Patients have a right to receive an accounting of certain disclosures of their information to others. This accounting will list when PHI has been given to others. The list will include dates of the disclosures, the names of the people or organizations to whom the information was disclosed, a description of the information, and the reason. Patients must specifically state the time period they want the list to cover. Patients may not request a time period longer than six years.

Disclosures for the following reasons will not be included on the list: disclosures for treatment, payment, health care operations; disclosures of information in a facility directory, disclosures for national security purposes, disclosures to correctional or law enforcement personnel, disclosures that patients have authorized, and disclosures made directly to the patient.

7. Paper Copy of this Privacy Notice. Patients have a right to receive a paper copy of this notice. If patients receive this notice electronically, they may receive a paper copy by contacting the person listed under “Whom to Contact” at the end of this notice.

8. Complaints. Patients have a right to complain about Copley’s privacy practices if they think their privacy has been violated. Patients may file a complaint with the Privacy Officer listed under “Whom to Contact” at the end of this notice. A complaint may also be filed directly with the Secretary of the U. S.Department of Health and Human Services. All complaints must be in writing. Copley will not take any retaliation against anyone for filing a complaint.

Rush Health Connect

Copley participates in a health information exchange operated by Rush Health (Rush Health Connect). As a participant, Copley makes patient medical information available electronically to other participating hospitals, physicians and other authorized users for treatment, payment and healthcare operations purposes. Copley may also receive information about patients from other participants in Rush Health Connect. Rush Health Connect may participate in other health information exchanges (HIEs) on our behalf. In the future, Copley may also participate in additional regional, state or federal HIEs.

Copley’s participation in Rush Health Connect and other HIEs has been designed to comply with federal and state privacy and security laws. Access to patient information through Rush Health Connect is limited to authorized users who confirm that they will comply with these laws. Patients may elect to opt-out and not allow health or medical information to be available electronically to other providers through Rush Health Connect for treatment. If patients do not want health or medical information to be shared with other providers through Rush Health Connect, they should contact Copley’s Privacy Officer as identified at the bottom of this form to receive an Opt-Out Form and return it to Copley. Please note that if a patient chooses to opt-out after their information has been shared through Rush Health Connect,
information that was previously shared may still be available to other participants, although no new information will be shared. Making medical information available for treatment through Rush Health Connect is not a condition for receiving care.

For more information regarding Rush Health Connect, including its participants, visit

Information Sharing Through Electronic Medical Record

Rush Copley Medical Group (RCMG) uses an electronic medical record software called Epic, which has a number of programs that allow Copley to electronically exchange medical information with other healthcare providers, included but not limited to CareEverywhere® Carequality®. These programs facilitate the electronic sharing and exchange of medical and other individually identifiable health information among health care providers. Through these programs Copley may electronically disclose demographic,medical, billing and other health-related information about patients to other health care providers and electronically request such information from them for purposes including, but not limited to, facilitating or providing treatment, arranging for payment for health care services, or otherwise conducting or administering health care operations.


Copley complies with applicable Federal civil rights laws and does not discriminate on the basis of race, color, national origin, age, disability, or sex. Copley does not exclude people or treat them differently because of race, color, national origin, age, disability, or sex. Copley:

  • Provides free aids and services to people with disabilities to communicate effectively with Copley providers, such as:
    Qualified sign language interpreters
    Written information in other formats (large print, audio, accessible electronic formats, other formats)
  • Provides free language services to people whose primary language is not English, such as:
    Qualified interpreters
    Information written in other languages

If you need these services, contact the Patient Advocate. If you believe Copley has failed to provide these services or discriminated in another way on the basis of race, color, national origin, age, disability, or sex, you can file a grievance with:

Patient Advocate, 2000 Ogden Avenue, Aurora Illinois 60504
630-978-4832, 630-375-2833 (fax), (630) 978-6224 (TTY),

You can file a grievance in person or by mail, fax or email. If you need help filing a grievance, the Patient Advocate is available to help you.

You can also file a civil rights complaint with the U.S.Department of Health and Human Services,Office for Civil Rights, electronically through the Office for Civil Rights Complaint Portal, available at, or by email or phone at:

U.S. Department of Health and Human Services
200 Independence Avenue, SW
Room 509F, HHH Building
Washington, D.C., 20201
1-800-368-1019, 800-537-7697(TTY)

Complaint forms are available at

Right to Change This Notice

Copley reserves the right to change the organizations privacy practices as described in this notice at any time. Copley reserves the right to apply these changes to any PHI it already has, as well as to health information received in the future. The new notice will be posted in the Copley facilities and the Copley website at The new notice will include an effective date.

Whom to Contact
Privacy Officer
Rush-Copley Medical Center
2000 Ogden Avenue
Aurora, IL 60504

Copies of this notice are also available throughout the Copley facilities.This notice is also available at

Last updated: 2/1/17