Notice of Privacy Practices

Effective Date: 2/13/2026

This Notice describes:

• How medical information about you may be used and disclosed (shared) and how you can get access to this information. Please review it carefully.

• Your rights with respect to your health information.

• How to file a complaint concerning a violation of:

  • the privacy or security of your health information, or

  • Your rights concerning your information.

You have a right to a copy of this notice (in paper or electronic form) and to discuss it with our privacy office if you have any questions.

If you have any questions, please contact our privacy office at the address or phone number at the bottom of this notice.

Our Commitment to Your Privacy

We are committed to protecting the privacy of your health information.

This Notice:

• Explains how your health information may be used by us or shared with others.
• Helps you make informed decisions when you authorize the use or sharing of your health information.

Your personal doctor may have different policies or notices about the use and sharing of your health information created in the doctor's office.

We are required by law to:

• Keep your health information private.

• Give you this Notice. It explains our legal duties and privacy practices for your health information.

• Tell you if there is a breach of your unsecured health information.
• Follow the terms of the notice that is currently in effect.
• Use or share your health information only as the law allows or requires.

Who Will Follow this Notice?

This Notice describes the privacy practices of the members of UK HealthCare affiliated covered entity (“UK HealthCare”).

It applies to all these UK HealthCare workers:

• Health care professionals

• Employees and staff

• Trainees, students, fellows, residents, and other learners

• Volunteers

In this Notice, the words “we,” “our,” “ourselves” or “us” mean each UK HealthCare member organization listed at the end of this Notice.

How we may communicate your health information among ourselves:

Members of UK HealthCare may communicate your health information among ourselves for these purposes:

• To help with your treatment
• To get payment for services
• To support our health care operations

It will only be used as described by this Notice and as allowed or required by law.

Changes to this Notice

• We may change our policies at any time. Changes will apply to:
  • Health information we already have, and
  • New health information we get after the change.
• If we revise this Notice, we will post the revised Notice at our facilities and on our websites.
• You can request a copy of the current Notice at any time by:
  • Asking for it at any of our facilities, or
  • Contacting the Privacy Office listed at the end of this Notice.
• The effective date is listed at the top of the first page.
• You will be asked to confirm in writing or by electronic signature that you received this notice.

How We May Use and Share Your Health Information

For treatment

We may use and share your health information for your treatment. It may be used by:

• Doctors, Advanced Practice Providers, nurses, and technicians.
• Other caregivers, including our medical students, residents and volunteers.

For example, a doctor treating you for a broken leg in our facility may need to know if you have diabetes since diabetes slows the healing process. A nurse or diabetic counselor may discuss your medical condition with your doctor.

We may share your health information with providers outside UK HealthCare as needed for your health care. This includes sharing your health information with:

• A specialist as part of a referral, or
• Providers and staff at other health care facilities for care purposes.

For payment

We may use your health information for payment purposes, and share it with:

• Insurance companies and health plans
• Billing and collection agencies

For example, if you are admitted to our facility for chest pain, we will share information about your condition with your health plan. This lets the health plan pay for your care or reimburse you if you pay.

We may also tell your health plan about scheduled treatments to get prior approval or to find out if the plan will cover the procedure.

For health care operations

We may use and share your health information for our own health care operations. For example, we may use your health information to:

• Review your care to improve the quality and safety of our services.
• Evaluate the skills, qualifications, and performance of our providers.
• Train students, trainees and other health care providers.

We may share your health information with our “business associates.” These outside partners help us with our administrative and clinical work.

• Business associates may include accountants, auditors, attorneys, software licensors, and other parties who provide services to us.
• For example, we may share your health information with our business associates to conduct and arrange for legal services and audits.

We also license software, such as artificial or augmented intelligence tools, to help with treatment, payment, and health care operations. For example, our clinicians may use software to help them prepare notes for the medical record.

To protect your health information, our business associates must have safeguards in place to protect your health information. (More information about sharing health information with our business associates is described below in the Business Associates section.)

Other ways we use or share your health information

We are allowed or required to use and to share your health information in other ways – usually in ways that contribute to the public good, such as public health and research. We have to meet many conditions in the law before we can use or share your information for these purposes. For more information see: www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html

To participate in UK HealthCare’s Organized Health Care Arrangement

At UK HealthCare, we work together as part of an Organized Health Care Arrangement. This means that:

• We communicate your health information among ourselves for treatment, to obtain payment for services, and to carry out our health care operations related to the arrangement.
• When you receive care at our facilities – including UK King’s Daughters and UK St. Claire HealthCare – you may receive care from independent practitioners who are not employees or agents of UK HealthCare.

• This Notice applies at any UK HealthCare location. All providers caring for you at any UK HealthCare facility must follow the terms of this Notice. It does not matter if they are employees or contractors of UK HealthCare. This Notice applies to any health information created or received for you while you are a patient at UK HealthCare.
• This Notice does not apply to the independent providers in their private offices. If you receive care in their offices, they may have you sign their own privacy notices.

To participate in Organized Health Care Arrangements with other facilities

We may participate in joint arrangements with other health care providers or facilities. We may do this to provide treatment, improve our quality of care, review health care decisions, or to help process payments. We may share your health information with these other providers and facilities.

For example, Golisano Children’s at UK is part of the ACCESS Heart Network. To get a membership list of that network, ask the director of the Joint Pediatric and Congenital Heart Program at Golisano Children’s at UK.

To participate in Health information Exchanges (HIEs)

To help give our patients the best care we can, we take part in health information exchanges. We work with exchanges in Kentucky and Ohio, for example.

• These exchanges let doctor’s offices, hospitals, labs, radiology centers, and other health care providers share your health information in a secure way.
• They give your providers – if they use the exchange – your most up-to-date health information to help care for you.
• You can choose to opt out of these exchanges.
• If you have questions or want to opt out of sharing your health information with an exchange, contact our Privacy Office. The contact information is at the end of this Notice.

To participate in data registries

We may share your health information with data registries. These registries help support our health care operations (including quality improvement), process payments, support public health and research, and other activities. We only do this as allowed by law.

Note: We will not share any substance use disorder treatment information protected by federal law (42 C.F.R. Part 2) in any electronic health exchanges or data registries, unless:

• You give signed consent to share the information, or
• The law requires or allows us to share the information.

When required by law

Except as explained in the section below on Substance Use Disorder (SUD) Treatment Records, we may use or share your health information as required by state or federal law. For example, we share health information with the U.S. Department of Health and Human Services as needed to prove we follow federal privacy law.

When we do use or share your information as required by law:

• We will only use or share what is needed to comply with the law.
• If required by law, you will be notified if your health information is used by us or shared with others to comply with the law.

For public health activities

We may use or share your health information for public health reasons to:

• Public health authorities that are allowed by law to receive health information for the purpose of preventing or controlling disease, injury or disability.
• Public health or other governmental authorities that are allowed by law to receive reports of child abuse or neglect.
• The Food and Drug Administration (FDA) for public health reasons related to the quality, safety or effectiveness of FDA-regulated products or activities. This includes collecting or reporting adverse events, dangerous products, and defects or problems with FDA-regulated products.
• A person at risk of getting or spreading a disease, if the law allows such sharing.
• Your employer in order to conduct workplace medical surveillance (for example, to test your blood for radiation exposure) or to evaluate if you have a work-related illness or injury.
• Your school or your child's school if the information is limited to proof of immunization and the school is required by law to have such proof prior to enrollment.

If we believe you may be a victim of abuse, neglect or domestic violence

We may share your health information with a government agency if we believe you are a victim of abuse, neglect or domestic violence and the agency is authorized to receive your health information in such cases. This includes spousal, adult, or elder abuse, neglect, or domestic violence.

For health oversight activities

Except as explained in the section below on SUD Treatment Records, we may use or share your health information with health oversight agencies for them to use as authorized by law.

• These activities may include audits, investigations, and inspections.
• Oversight agencies may include agencies that oversee the health care system, benefit programs, and regulation and civil rights compliance.

For judicial and administrative legal proceedings

Except as explained in the section below on SUD Treatment Records, we may use or share your health information if ordered by a court of law or an administrative judge. In some cases, we may need to share your health information if we receive a subpoena, discovery request or other lawful papers.

For law enforcement

Except as explained in the section below on SUD Treatment Records, we may share your health information for a law enforcement purpose with a law enforcement official if certain conditions are met.

To coroners, medical examiners, and funeral directors

We may share your health information with:

• A coroner or medical examiner to help identify a deceased person, find the cause of death, or do other duties allowed by law.
• A funeral director, as allowed by law, if the information is needed to carry out funeral duties for the deceased.

For organ, eye, or tissue donation and transplantation

We may use or share health information with organizations involved in organ, eye or tissue donation and transplants as necessary.

For research purposes

We may use or share a patient’s health information for research if:

• It is used or shared solely to design a study,
• The person whose information is used or shared is deceased, or
• A review board or privacy board approves the research and determines:
  • obtaining patient authorization is not practical; and
  • measures are in place to protect the privacy of your health information.

In all other cases, we need your written authorization to share your health information for research.

To prevent serious threats to health or safety

We may – as allowed and required by the law and ethics standards – use or share your health information if we believe it is needed to prevent or lessen a serious threat to the health or safety of a person or the public. If such sharing happens, it must be to someone reasonably able to prevent or lessen the threat.

We may also use or share your health information if we believe it is needed for law enforcement authorities to identify or apprehend a person who:

• Admits to a role in a violent crime that we reasonably believe caused serious physical harm to the victim, or
• Seems to have escaped from a correctional institution or lawful custody.

For military activities

We may use or share your health information if you are a member of the U.S. Armed Forces or a member of a foreign military. The information is only shared as needed – and if certain conditions are met – to assure the success of the military’s mission.

For national security and intelligence

We may share health information with authorized federal officials:

• To conduct lawful intelligence, counter intelligence, and other national security activities (as authorized by the National Security Act and implementing authority).
• To protect the President or other persons, or for some federal investigations.

To correctional institutions or other law enforcement custodians

If a patient is an inmate of a correctional institution or in the lawful custody of a law enforcement official, we may share the patient’s health information with the institution or the official if needed for health and safety.

For workers' compensation

We may share your health information as authorized by and as needed to comply with laws for workers' compensation or other like programs set up by law.

To family or friends

We may share your health information with a friend, family member, or other person you choose. The information must relate to their role in your care or payment for care.

For disaster relief and notification

We may use or share your health information with:

• Your family or others responsible for your care to notify them of your location, general condition (such as good or fair), or death.

• A disaster relief entity authorized by law or its charter to aid in disaster relief efforts, so that it can help notify your family or others responsible for your care of your location, general condition, or death.

After death

If a patient dies, we may share his or her health information with other persons, such as family, friends, or caregivers.

• The person must have been involved in the patient’s medical care or paying medical bills before the patient’s death.
• The information must be relevant to that person's involvement.
• It must be consistent with the wishes the patient expressed before death.

To business associates

• Some services are provided to us through “business associates.” We will share your health information with our business associates and let them create, use, maintain or send your health information to perform their jobs for us.
• For example, we may share your health information to an outside billing company that helps us bill insurance companies.
• We have agreements with our business associates requiring them to have safeguards in place that will protect your health information.

For Our Facility directory

We may use and share health information about you in our patient directory while you are a patient at a UK HealthCare facility.

• This information may include your name, location in UK HealthCare, your general condition (such as good or fair), and your religious affiliation.
• Directory information may be shared with anyone who asks about you by name. But your religious affiliation may only be shared with a clergy member.
• If you cannot be listed in the patient directory due to state or federal law, then we will follow the law.
• You may choose to not share your information in the directory. To do this, contact the Registration Office/Desk at the UK HealthCare facility where you received this Notice.

For fundraising

We or a related foundation may contact you to raise funds for UK HealthCare. We raise funds to expand and support health care services, education programs, and disease research. We may use or share the following health information for fundraising activities:

• Your name, address, other contact information, age, gender, and date of birth,
• The units where you received services and your treating doctor, and
• Your outcome information, health insurance status, and dates you received services.

You have the right to opt out of receiving our fundraising communications.If you opt out, you can always choose to opt back in for fundraising activities that interest you. To opt in to fundraising efforts, call or email our Privacy Office as listed below. Your decision to opt in or out of fundraising communications will not affect your care.

For patient communications

We may use or share your health information to send appointment reminders and other patient notices, or for enrollment in a patient portal. These communications may be by mail, text messages, email, or on the patient portal.

In most cases, you have the right to opt out of receiving emails or text messages. But some messages cannot be turned off. This is for your protection, such as a message that your MyChart password was changed.

When Your Authorization Is Required

Some uses and sharing of your health information require your written permission (“authorization”) before we can proceed. These include:

For psychotherapy notes

If psychotherapy notes are created for your treatment, most use and sharing of these notes require your prior written authorization. Here is how “psychotherapy notes" are defined.

• Psychotherapy notes are:
  • Notes recorded in any medium by a mental health professional,
  • The notes document or analyze the contents of conversation during a private counseling session or a group, joint, or family counseling session, and
  • The notes are kept separate from the rest of your medical record.
• Psychotherapy notes do not include:
  • Medicine prescriptions and monitoring,
  • Counseling session start and stop times,
  • The type of treatments and their frequency,
  • Results of clinical tests, and
  • Any summary of a diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

For marketing

We must get your written authorization to use or share your health information for marketing purposes. Authorization is not required if we speak to you face-to-face or if you get a promotional gift of nominal value.

For the sale of your health information

If sharing your health information would be considered a sale, we must get your written authorization first.

Special Restrictions on Sensitive Information

Some kinds of health information get extra protection under state or federal law. Examples are certain sensitive information, such as information about the testing or treatment of:

• Mental health care,
• Substance use disorder,
• HIV/AIDS, or
• Sexually transmitted diseases.

If these special privacy rules apply to your health information, we will follow the law that applies.

Substance Use Disorder (SUD) Treatment Records

Some UK HealthCare facilities, units and staff provide treatment for substance use disorders (SUD). Records for SUD treatment have special protections under federal law (42 CFR Part 2). We will not use or share your protected SUD treatment records (or testify about the content of these records) for civil, criminal, administrative, or legislative proceedings.

When SUD treatment records may be shared

We will only share your SUD treatment records if:

• You give written consent, or
• We get a court order that we must share them. This order must:
  • Comply with federal law (42 CFR Part 2),
  • Give you notice and a chance to be heard, as required by law, and
  • Come with a subpoena or other legal demand that requires sharing.

Consent for treatment, payment, and operations

• You may give a one-time, written consent that allows us to use and share your SUD information for treatment, payment, and health care operations now and in the future.
• You may revoke your written consent as allowed by federal law (42 CFR §§ 2.31 and 2.35).
• Health information that is disclosed to a Part 2 program, covered entity, or business associate pursuant to your written consent for treatment, payment, and health care operations may be further disclosed by that Part 2 program, covered entity, or business associate without your written consent, to the extent the HIPAA regulations permit such disclosure.

Duties regarding public health

We may share de-identified health information with public health authorities, including information about our treatment of SUD. De-identified information does not identify you, according to federal law (HIPAA’s privacy rule). See more about de-identified health information below.

No limit on your privacy rights

Our participation in care arrangements with other health care providers (and our use of this joint Notice) does not remove any of your rights or limit our legal duties to protect your SUD records under federal law.

Other Times Health Information May Be Used or Shared

De-identified information

Federal law (HIPAA) lets us use and share health information if we remove (or one of our business associates removes) information that could identify you. We call this de-identified information. The privacy principles listed above do not apply to de-identified information. While HIPAA does not restrict the use or sharing of this information, other laws may do so.

Health information is considered to be de-identified if:

• It does not identify the patient, and
• There is no reasonable expectation that the patient could be identified from the information shared.

We use and share de-identified information, as allowed by law, to:

• Support patient care, scientific research, and education activities,
• Help us improve treatment options,
• Reduce health care costs,
• Improve the management of our health care operations, and
• Advance public health initiatives.

We use and share de-identified information when we work with persons or groups inside and outside the U.S., such as:

• Other academic institutions,
• Foundations and organizations,
• Business associates,
• Government agencies, and
• Commercial entities.

Limited data set

We may use your health information to create a “limited data set” by removing certain identifying information. We may use and disclose a limited data set only for research, public health, or health care operations purposes, and any third party who receives a limited data set must sign an agreement to protect your health information.

Authorization required

In any other situation not described in this notice, we are required to obtain your written authorization before using or disclosing your health information. If you choose to authorize use or disclosure, you can later revoke that authorization by notifying us in writing of your decision. However, the revocation will not be effective (1) to the extent we took action in reliance on the authorization before receiving the revocation, or (2) if the authorization was obtained as a condition of obtaining insurance coverage, other law provides the insurer with the right to contest a claim under the policy or the policy itself.

Redisclosure of health information

Once your health information is shared with someone, that person could share that information with others. Here is what you should know:

• If the recipient is not covered by HIPAA, HIPAA will not prevent them from sharing your health information.
• In some cases, an even stricter law (such as 42 CFR Part 2, relating to certain substance use disorder records) may still protect your health information. These laws may apply to sharing for civil, criminal, administrative, and legislative proceedings against you.

Your Rights Related to Your Health Information

• Right to inspect and copy

In most cases, you have the right to look at and to get a copy of your medical and billing records that we maintain (or that are maintained for us). Here’s what you should know:

• Submit a written or electronic request.
• If the information is in an electronic format and if you ask for an electronic copy, we will provide a copy in the format you request – if it is not too much of a burden to produce. If we cannot readily provide it in the format you request, we will work with you prepare a readable electronic copy.
• You can ask us to send the records directly to another person. To do this, submit a signed written or electronic request to our Privacy Office. Tell us the name of the person and the address to send it to.

If you request copies, we may charge a reasonable cost-based fee for:

• Labor needed to copy the information,
• Supplies needed for paper copies or the cost of portable media (such as an electronic memory drive),
• Postage if sending the information by mail, and
• Labor needed to prepare a summary or explanation of your records (if you ask for it and agree to the fees).

If we deny your request, you may submit a written or electronic request for a review of that decision.

• Right to amend your records

If you believe something in your medical or billing records is incorrect or missing, you can ask us to correct it. Submit your request in writing or electronically that explains what you want us to change and why.

We may deny your request if:

• The information was not created by us,
• The information is not part of your records, or
• We think the record is accurate and complete as it is.

If we deny your request, you may submit a written or electronic statement that explains why you disagree.

• Right to an accounting

You have the right to get a list of the times we have shared your health information.

Exceptions – we do not have to tell you if the sharing was:

• For treatment, payment, or health care operations,
• Made with you,
• Incident to a use or sharing of your health information allowed or required by the HIPAA privacy rule,
• Authorized by you,
• For our directory,
• With persons (such as friends or family) involved in your care or to notify them,
• For disaster relief, national security, or intelligence purposes,
• To correctional institutions or other law enforcement custodians,
• Part of a limited data set, or
• Information created more than 6 years before your request.

You must submit a written or electronic request to get a list of times we shared your health information. The request must state the time period you want the list to cover (no more than 6 years before the date of the request). You may get a paper or electronic list.

Your first request in a 12-month period is free. Other requests will be charged based on our cost to make the list. We will tell you the cost before you are charged.

• Right to request restrictions

You have the right to ask us to restrict or limit how we use or share your health information:

• For treatment, payment or health care operations.
• With someone involved in your care or paying for your care, like a family member or a friend.
• For example, you could ask that we not use or share information about a surgery you had.

All requests should be in writing or electronic form. Send them to our Privacy Office at the address listed later in this notice. We will let you know of our decision.

We must agree to your request to not share your health information to a health plan, if:

• The purpose for the disclosure is not related to treatment,
• You paid in full and out of pocket for the items or services that the information restriction applies to (such as a genetic test), and
• The law does not require us to share the information with your health plan.

Otherwise, we are not required to agree to your request. If we do agree, we will comply with your request, unless the information is needed to provide emergency treatment.

Except for restrictions that we must comply with relating to health plans, we may terminate our agreement to a restriction at any time by notifying you in writing. That termination will only apply to information created or received after we sent the notice of termination, unless you agree to apply the termination to older information.

• Right to a paper copy of this Notice

You have the right to get a paper copy of this Notice upon request. You may find a copy of this Notice at any time at our websites:

• • UK HealthCare: https://ukhealthcare.uky.edu/patients-visitors/patients/policies/privacy-policy
  • UK King’s Daughters Medical Center: https://www.kingsdaughtershealth.com/about-us/legal-notices/notice-of-privacy-practices
  • UK St. Claire HealthCare: https://www.st-claire.org/patients-visitors/medical-records/notice-of-privacy-practices/
• Right to request confidential communications

You have the right to request that your health information be sent to you in a confidential way. Tell us in writing or electronically how and where you want us to send your information, such as sending mail to an address other than your home.

• Right to be notified of a breach

We will tell you if there is a breach of your health information. A breach is when your health information has been used or shared in a way that is not allowed under federal privacy laws and puts your health information at risk.

Send any written or electronic requests or appeals to our Privacy Office listed below.

Contact for Questions, Complaints, or Requests

For any questions, complaints, and requests regarding your privacy rights or this Notice, contact our Privacy Office.

Privacy Office address and phone number

Privacy Officer
UK HealthCare
2333 Alumni Drive, Suite 400
Lexington, KY 40517
Phone 859-323-1184 or 859-323-8002

You may send a written complaint to the U.S. Department of Health and Human Services Office for Civil Rights. Our Privacy Officer can give you the address or you can visit the Office for Civil Rights website at www.hhs.gov/ocr/privacy/hipaa/complaints.

Under no circumstances will you be punished or treated differently for filing a complaint.

UK HealthCare Affiliated Covered Entity

List of Affiliated Covered Entities Who Will Follow This Notice

1. UK HealthCare (including the University of Kentucky (Albert B. Chandler) Hospital, Golisano Children’s at UK, UK HealthCare Good Samaritan Hospital, and all UK HealthCare clinics and locations, including pharmacies, urgent care and hospice)
2. Individual organizational units of the UK HealthCare professional colleges, to the extent they perform clinical activities and operations at various campuses and are performing HIPAA-covered functions. These professional colleges include:

• UK College of Medicine
• UK College of Nursing
• UK College of Pharmacy
• UK College of Dentistry
• UK College of Health Sciences
• UK College of Social Work
• UK College of Public Health

1. UK student health centers when claims are submitted to health insurance
2. UK St. Claire HealthCare and all of its clinics and locations (including pharmacies, urgent care, home health and hospice)
3. UK King’s Daughters Medical Center and all of its clinics and locations (including pharmacies, urgent care centers, family care centers, and home health agencies)
4. King’s Daughter’s Medical Specialties, Inc. and all of its clinics and locations
5. Kentucky Medical Logistics, Inc.
6. Kingsbrook Lifecare Center
7. Kentucky Heart Foundation, Inc.
8. Kentucky Heart Institute, Inc.
9. King’s Daughters Medical Center Ohio and all of its clinics and locations
10. Any other location affiliated with or owned or operated by the University of Kentucky, whether now or in the future

AM-0001

Page 13 of 13