Notice of Privacy Practices

Roswell Park wants you to know that we take your privacy very seriously. This page explains our policies and rules on how we will protect and maintain the confidentiality of your personal information which is contained in your medical records and in our business records.


Roswell Park Comprehensive Cancer Center (referred to in this document as "Roswell" or "We") is required by federal and New York law to maintain the privacy of your health information and to provide you with this notice describing its privacy practices and obligations. Roswell will not use or disclose your health information, including your medical and billing records maintained at Roswell, except as described in this notice. For purposes of this Notice, your “health information” refers to biographical information, such as your name, address, social security or patient number, medical record number, or other items of information that alone or in combination with other information can be used to identify you, and also information about your health, including past history, treatment, diagnosis, test results, and any other information about your health or condition, or relating to payment of charges for medical treatment, found in your medical record or in other records that are maintained by Roswell.

You will be asked to acknowledge in writing on your admission or registration at Roswell that you have received a copy of this form.

How Roswell May Use or Disclose Your Health Information:

Treatment: We will use your health information in providing and coordinating your care and treatment. We may disclose all or any portion of your medical record information to your attending physicians at Roswell, consulting physician(s), nurses, technicians, medical students, and other health care providers who have a legitimate need for such information in order to provide or participate in your care and treatment. A variety of Roswell departments will share your health information in order to coordinate specific services, such as providing medications, food service (if you are an in-patient), lab work, and x-rays. We also may, where necessary and appropriate, disclose your health information to people outside Roswell who are involved in your medical care after you leave Roswell, such as your personal physician, immediate family members, friends who are to be involved in your care, and others (as directed by you) who will provide services that are part of your care.

Treatment Alternatives: We may use and disclose your health information in order to contact you and provide you with information about possible treatment options, alternatives, or other health related services that may be of benefit to you.   

Payment: We may use or disclose your health information for the purpose of ascertaining whether you have insurance coverage, to send billing for your treatment, to facilitate claims management, medical data processing, and to collect reimbursement. The information may be released to an insurance company, government health payer such as Medicare or Medicaid, or other entities (or their authorized representatives) involved in the payment of your medical bill and may include copies or excerpts from your medical record which are necessary for payment of your account. For example, a bill sent to a third party payer may include information that identifies you, your diagnosis, and the procedures and supplies used.

Routine Healthcare Operations: Roswell may use and disclose your health information in the course of routine healthcare operations, including quality assurance, utilization review, peer review, in-patient food service, telephone and television service for in-patients, internal auditing, accreditation, certification, licensing or credentialing activities, and for educational purposes for students, medical residents and trainees.

Family/Friends: Roswell may release health information about you to a member of your family or a friend of yours who is involved in your medical care. We may also give information to a family member or other person who is or agrees to be responsible for your medical bills. Unless you direct otherwise, we may also tell your family or friends your general condition and that you are an inpatient at Roswell. In addition, in the event you were involved in a disaster or catastrophe, we may disclose information about you to an organization assisting in a disaster relief effort so that your family can be notified about your condition, status and location.

Appointment Reminders: We may, unless you tell us not to, use and disclose your health information to contact you electronically or by telephone or mail as a reminder that you have an appointment for treatment or medical care at Roswell.

Hospital Directory: Roswell may include your name and room number in its hospital directory while you are a patient at Roswell. Your religious affiliation may be given to a member of the clergy, such as a priest or rabbi. You have the right to direct us not to use or disclose your health information in the directory or to give any information out to clergy.

Business Associates: A business associate is an individual or entity under contract with Roswell to perform or assist Roswell in performing a function or activity involving you or your care which necessitates a permissible use or disclosure of your health information. Roswell may use and disclose health information about you to business associates. Examples of business associates, include, but are not limited to, a copy service used by Roswell to copy medical records, collection agencies, accountants, lawyers, medical transcriptionists and third-party billing companies. We maintain a written contract with each business associate, which requires the business associate to protect the confidentiality of your health information.

Research: If you are a participant in research at Roswell, your health information may be used or disclosed as part of that research, as described in a specific authorization signed by you as part of the process by which you enroll as a participant in the research. There may be instances in which Roswell may use and disclose medical information about you in the absence of a specific authorization, when the use of such information in a clinical research study or an outcomes analysis has been approved by Roswell’s Institutional Review Board. Such approval will only be given where the use or disclosure will not involve a significant risk of a breach of confidentiality. For example, the research project may involve comparing the health and recovery of certain patients with the same medical condition who received one medication to those who received another. In those instances, there will be no outside disclosure of your health information. In addition, as a major part of our mission is research, we may use your health information for accumulating databanks, outcome reviews and screening for eligibility for participation in clinical trials. In these instances, there will be no disclosure to outside parties.

Organ/Tissue Donation: To the extent allowed by law, Roswell may disclose your health information to organ procurement organizations and other entities engaged in the procurement, banking or transplantation of organs for the purpose of tissue donation and transplant.

Fundraising: We may disclose certain information to our foundation (the Roswell Park Alliance Foundation) so that the Foundation may contact you for fundraising efforts. The information released would only be contact information, such as your name, address, phone number and the dates you received treatment or services at Roswell. If you do not want Roswell to contact you for fundraising efforts, you should notify the Roswell Park Alliance Foundation in writing to the Senior Gift Processor, c/o Roswell Park Comprehensive Cancer Center, Elm and Carlton Streets, Buffalo, NY 14263, or call the Foundation at (716) 845-4444.

Healthcare Related Messages and Educational Events: We may use and disclose your health information in order to contact you with healthcare related messages (e.g., annual screening reminders) and provide you with information about our educational and supportive events and resources that may be of interest to you. 

Regulatory Agencies: Roswell may disclose your health information to a health oversight agency for activities authorized by law, including, but not limited to, licensure, certification, audits, investigations and inspections. These activities are necessary for the government and certain private health oversight agencies, (e.g. Joint Commission on Accreditation of Healthcare Organizations or the NY State Department of Health) to monitor the healthcare system.

Law Enforcement/Litigation: Roswell will disclose your health information for law enforcement purposes as required by law or in response to a valid subpoena or court order.

Public Health: As required by law, Roswell may disclose your health information to public health or government authorities charged with preventing or controlling disease, injury or disability. For example, Roswell is required to report the existence of or exposure to communicable diseases, such as AIDS or hepatitis, to the New York State Department of Health.

Workers Compensation: Roswell may release health information about you to your employer or an insurance company in connection with a workers’ compensation claim filed by you.

Military/Veterans: If you are a member of the armed forces, we may disclose your health information as required by military command authorities.

Inmates: If you are an inmate of a correctional institute or under the custody of a law enforcement officer, Roswell may release your health information to the correctional institute or law enforcement official.

Coroners, Medical Examiners, Funeral Directors: Roswell may notify a coroner, funeral director or medical examiner in case of death.

Other Uses/Revocation of Authorizations: Any other uses and disclosures of your health information not described in this Notice will be made with your written authorization. For example, the use and/or disclosure of psychotherapy notes, use or disclosure of PHI for marketing purposes, and disclosures that constitute a sale of PHI require authorization.  An authorization permitting Roswell to use or disclose your health information can be revoked by you at any time by providing a written notice clearly identifying the written authorization that is being revoked, specifying the portion or all of the authorization being revoked, and delivering the revocation to the Health Information and Medical Records Department at Roswell. Such revocations shall be effective two business (2) days after receipt thereof by that department.

Your Health Information Rights:

You have the following rights concerning your health information maintained at Roswell:

Right to Confidential Communications: You have the right to receive confidential communications of your medical information by alternative means or at alternative locations. For example, you may request that Roswell only contact you at work or by mail, and to tell us not to contact you at a certain address or telephone number.

Right to Inspect and Copy:  You have the right to inspect and copy all or portions of your medical record in any format you choose. New York State law permits Roswell to recover costs that are associated with providing a copy of your medical record.

Right to Amend: You have the right to request an amendment to your medical record or other health information as provided by Roswell Policy and Procedure #408.10. A written request form, and a copy of this policy and procedure, may be obtained by contacting the Health Information and Medical Records Department at (716) 845-5991, or by contacting your Roswell attending physician. Roswell may deny such an amendment under certain circumstances and in accordance with the procedures outlined in Policy and Procedure #408.10.

Right to an Accounting: You have the right to obtain an accounting of certain disclosures to third parties outside of Roswell of your health information as provided by 45 CFR §164.528 and described in Roswell Policy and Procedure #442.1. Disclosures which you have authorized will not be reflected in this accounting.

Right to Request Restrictions: You have the right to request additional restrictions on certain uses and disclosures of your health information under 45 CFR § 164.522. In addition, you have the right to restrict certain disclosures of protected health information to a health plan when you pay in full for the health care item or service. Roswell may agree to honor your request but has the right to refuse requests for restrictions which are not mandated by law. You must make your request in writing, and Roswell will respond to your request within ten (10) business days thereafter.

Right to Receive Notification:  You have the right to receive a notification in the event of a breach of your protected health information. 

Right to Receive Copy of this Notice:  If you receive this Notice on our web site or by electronic mail (e-mail), you are also entitled to request a paper copy of the Notice. For instructions on how to obtain this information in Braille, another language, or other available formats, please call toll-free at 1-800-Roswell (1-800-767-9355) or visit our website at

For More Information or to Report a Problem:

If you have questions, need additional information, or wish to file a complaint, you may contact the Privacy Officer of Roswell at (716) 845-7794. If you believe your privacy rights have been violated, you may file a complaint with Roswell or with the Secretary of the Department of Health and Human Services. All complaints must be submitted in writing. Federal law and Roswell policy prohibit retaliation against a person for filing a complaint.

Changes to this Notice: Roswell will abide by the terms of this notice currently in effect. Roswell reserves the right to change or modify its privacy practices, provided such changes or modifications comply with applicable law, and further provided it then issues an updated Notice of Privacy Practices. Roswell reserves the right to change the terms of this Notice to reflect changes in practices and to make the new notice provisions effective for all protected health information that it maintains, including information received by Roswell prior to such change.

Notice Effective Date: The effective date of the notice is February 1, 2019.