THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED, YOUR RIGHTS WITH RESPECT TO YOUR HEALTH INFORMATION, HOW YOU CAN GET ACCESS TO YOUR HEALTH INFORMATION, AND HOW TO FILE A COMPLAINT CONCERNING A VIOLATION OF THE PRIVACY OR SECURITY OF YOUR HEALTH INFORMATION OR OF YOUR RIGHTS CONCERNING YOUR INFORMATION. YOU HAVE A RIGHT TO A COPY OF THIS NOTICE (IN PAPER OR ELECTRONIC FORM) AND TO DISCUSS IT WITH OUR PRIVACY OFFICER VIA THE CONTACT DETAILS HEREIN IF YOU HAVE ANY QUESTIONS. PLEASE REVIEW IT CAREFULLY.

Please Review This Notice Carefully

Download a PDF of the English version. 
Esta información está disponible en español. (This information is available in Spanish.) 
Cov ntaub ntawv no muaj ua lus Hmoob. (This information is available in Hmong.)

Who This Notice Applies To

This Joint Notice of Privacy Practices for Protected Health Information (“Notice”) applies to the health care provider entities that are affiliates of Froedtert ThedaCare Health, Inc. (“Froedtert ThedaCare”) and to The Medical College of Wisconsin, Inc. and its affiliates (“MCW”). When this Notice says “we,” “us,” or “our,” it refers to both Froedtert ThedaCare and MCW, unless stated otherwise.

This Notice describes our privacy practices under the Health Insurance Portability and Accountability Act and its associated regulations (“HIPAA”). This Notice applies to all of our health care provider entities that are covered entities under HIPAA, including:

  • Froedtert ThedaCare’s affiliated hospitals, clinics, and providers in Froedtert ThedaCare’s North Region, including ThedaCare, Inc.
  • Froedtert ThedaCare’s affiliated hospitals, clinics, and providers in Froedtert ThedaCare’s South Region
  • MCW’s affiliated clinics and providers

This Notice does not apply to information that is not subject to HIPAA, or information used or shared in a manner that cannot identify you. This Notice does not apply to us as an employer. This Notice does not apply to any health plan. Any health plan is a separate covered entity for the purpose of HIPAA and has its own notice of privacy practices.

Our Responsibilities

We are required by law to:

  • Protect the privacy of your protected health information (“PHI”) that is subject to HIPAA.
  • Provide you this Notice to explain how PHI about you may be used and disclosed by us and that describes your rights and our legal duties and privacy practices concerning PHI.
  • Follow the terms of this Notice.
  • Notify you if we become aware of a breach of unsecured PHI and you are one of the affected individuals.

Your Right to a Copy of this Notice

A copy of this Notice from any of us will serve as notice for all of us, as described above. We may update this Notice at any time. Changes we make will apply to all PHI we have about you. You can find the most up- to-date version of this Notice:

How We Use and Share Your PHI

We may use and share your PHI in certain situations. Some types of information, like mental health records, substance use disorder treatment, reproductive health, or HIV/AIDS-related information, may have extra protections by law that may limit certain uses and disclosures of that information. Applicable state or federal laws that provide greater privacy protection or broader privacy rights will continue to apply and we will comply with such laws to the extent they are applicable. Here are the main ways we may use or share your PHI:

For Treatment: To provide your medical care and treatment. This can include sharing your information with other healthcare providers to help them treat you. This also applies to telehealth services.

For Payment: To bill and collect payment from you or your insurance, Medicare, or other payers. This includes checking if services are covered and getting approval before treatment.

For Healthcare Operations: To conduct business activities like business management and planning, quality assessment, activities relating to improving health or reducing health care costs, staff evaluations, licensing, and training and learning purposes.

Appointment Reminders: To remind you about upcoming appointments or coordinate services if needed.

Treatment Options: To contact you about new or additional treatments or services that could benefit you, such as informing patients with headaches about new research or therapies.

Minors’ Information: Usually, we share minors’ PHI with their parents or legal guardians unless the law says otherwise, such as in cases of abuse or if sharing could cause harm.

Abuse, Neglect or Threats to Safety: If we believe you are a victim of abuse or neglect, we may share your PHI with authorities if you agree or if the law requires it. We may also share information to prevent serious harm to you or others.

When Required by Law or Court Order: We must share your PHI when the law requires it, such as reporting suspected abuse or responding to court orders.

Law Enforcement: We may share your PHI with police or other law enforcement agencies for things like identifying suspects or if you commit a crime on our premises.

Public Health: We may share your PHI to help control disease outbreaks, report births or deaths, or track medication issues.

Health Oversight: We may share your PHI with government agencies that oversee healthcare for audits, investigations, or licensing.

Military and National Security: If you are involved with the military, national security, or intelligence activities, your PHI may be shared with the proper authorities or federal agencies so they may carry out their duties under the law or for national security reasons.

Inmates: If you are incarcerated, your PHI may be shared with the medical staff at the prison for your care or safety or to law enforcement for security purposes or other proper authorities so they may carry out their duties.

Worker’s Compensation: We may share PHI with persons that handle your worker’s compensation claims related to workplace injuries or illnesses or for purposes of complying with laws related to workers’ compensation or other similar programs.

Change in Ownership: If there is a sale, transfer, merger, or consolidation of all or part of us with another health care provider, your PHI may be shared with the new owners. You still have the right to request copies or transfers of your records.

Breach Notification: If there is an unsecured breach of your PHI, such as if your PHI is shared by us by mistake, we will notify you as required by law using the contact information you provided. Your PHI may be disclosed as part of the breach notification and reporting process.

Research: Your PHI may be used in medical research if approved by ethics boards or if you agree. Researchers might receive your information without identifiers to protect your privacy.

Business Associates: We share your PHI with third parties who provide services to us, such as billing or transcription services. Our business associates are required by law to protect the privacy of PHI.

After Death: Your PHI may be shared with coroners, medical examiners, funeral directors as needed or required.

Organ and Tissue Donation: If you are an organ donor, your PHI may be shared with organizations involved in organ or tissue donation and transplantation.

De-identification. We may remove certain identifiers from the information so that it no longer identifies or could reasonably be used to identify you or we may permit a Business Associate to de-identify your information. Once de-identified the information is no longer considered PHI and not subject to this Notice. We or our business associates may use and disclose de- identified information in accordance with applicable law.

Health Information Exchanges (HIEs)

We may take part in one or more Health Information Exchanges (HIEs). HIEs allow healthcare providers, hospitals, labs, health plans, health insurers and other authorized groups to electronically share your PHI. This helps improve the quality, safety, and coordination of your care, for example, if you are traveling outside of Wisconsin. We are allowed by law to participate in HIEs for treatment, payment, healthcare operations and other purposes permitted by law. You are automatically opted in to such HIEs. You have the option to opt out of certain HIEs where we have the ability to offer this choice. If you opt out of certain HIEs, your PHI will no longer be shared through those HIEs unless the law requires it. However, your decision does not affect the PHI that was shared prior to the time you opted out of participation. To opt out of the HIEs where we have the ability to offer an opt out choice, please fill out the HIE Opt-Out Form, which you can do by contacting our Health Information Management/Medical Records Department.

When You Can Say No to Sharing Your Health Information

Facility Directory: When you are a patient, we might put your name, location in the building, general condition and religion in a directory. People who ask for you by name can get this information, except religion. We may give your religious affiliation to clergy even if they do not ask for you by name. You can ask us not to share this information.

Family and Friends: We might share your PHI with family or friends who help take care of you unless you say no. If you are present and don’t object, we may share your PHI. If you’re not present or are unable to speak and in our judgement, we think it is in your best interest, we may share your PHI as needed.

Disasters: In a disaster, we may share your PHI to help care for you or coordinate your care or to tell family or friends of your location and condition.

Fundraising: We might contact you to ask you for donations to help our hospitals or for other fundraising events and efforts. You can opt out of receiving these requests.

News and Events: We may contact you about new services, programs or events.

Other Uses

Use of Artificial Intelligence (AI): Physicians and/or providers rendering treatment and medical care to you may use artificial intelligence and augmented intelligence tools and technologies (or AI) to help with your medical care and some administrative tasks, including technology that records the relevant clinical details of your conversation with your physician and other providers. This is later reviewed by your provider to include in your medical record documentation. Decisions about your medical care will be made by you (or your representative) and your provider.

Data from Wearables: If you link wearables (like fitness trackers) to our systems, we may collect your data. For example, wearables may share information such as activity, heart rate, or sleep. Data shared from wearables may not be protected under HIPAA or subject to this Notice and may be subject to third-party privacy policies or third-party terms.

Website and Online Tracking: We use cookies and tracking technologies and may use or disclose PHI as permitted by law in connection with our use of such technologies.

Use and Disclosure of Substance Use Disorder Records Subject to Part 2

If you get treatment for drug or alcohol use from us, certain federal laws and regulations protect your privacy by requiring that specific Substance Use Disorder (“SUD”) records about SUD diagnosis, treatment, or referrals are kept confidential and shared only in certain ways. Please note that these laws and regulations do not protect all SUD records that we may have; these laws and regulations apply to our programs that are federally funded and hold themselves out as and/or have the primary purpose of providing SUD treatment, diagnosis, or referral for treatment (“Program”). As required by applicable laws and regulations, we will limit disclosures of your information regarding SUD diagnosis, treatment, and referral for treatment, that you are enrolled in a Program, and other information where the laws and regulations require additional restrictions on disclosure (“SUD Records”). If SUD Records are disclosed to us or our business associates pursuant to your written consent for treatment, payment, and health care operations or are disclosed by you or another person involved in your care to one of our providers that is not a Program, we or our business associates may use and disclose such information without your written consent to the extent that the HIPAA regulations permit such uses and disclosures, consistent with the other provisions in this Notice regarding PHI.

We usually need your written consent to share your SUD Records, but there are some important exceptions when we can share your SUD Records without your consent, such as when we are permitted by the applicable laws and regulations to use and disclose SUD Records without your written consent. Some of the ways we may share your SUD Records without your consent including the following:

  • Medical Emergencies: We may share your SUD Records if there’s a medical emergency and we can’t get your permission first. We may also share your SUD Records during a temporary state of emergency declared by a state or federal authority as the result of a natural or major disaster, or if the FDA has a reason to believe that your health may be threatened by an error in the manufacture, labeling, or sale of a product under the FDA jurisdiction.
  • Research: Sometimes your SUD information may be used and shared for research purposes without your written consent. Generally, we would first obtain your written consent; however, in certain circumstances, we may be permitted to use or disclose your SUD Records for research purposes without your consent to the extent permitted by HIPAA, FDA and HHS regulations related to human subject research where a waiver of consent has been granted.
  • Audits and Reviews: We may share your SUD Records for certain program financial and management audits and evaluations. For example, we may share your identifying information with agencies that fund a Program or is authorized by law to regulate the activities of a Program or to review to make sure everything is working right. We may also use or disclose your identifying information to qualified personnel who are performing audit or evaluation functions for any person that provides financial assistance to a Program, which is a third-party payer or health plan covering you in your treatment, or which is a quality improvement organization performing review, the contractors, subcontractors, or legal representatives of such person or quality improvement organization, or an entity with direct administrative control over a Program.
  • Fundraising: Consistent with the other provisions in this Notice, we may contact you to ask for donations, but you can say no.
  • Public Health: We can share your SUD Records with public health officials, but only if there is a reasonable basis to believe that the information can’t be used to identify you.
  • Court Order: We may use or disclose your SUD Records if a court orders us to do so.

We may use and share your SUD Records when you give written consent, including the following:

  • People You Choose: If you say it’s okay, we can share your SUD Records with any person or category of persons identified or generally designated by you, including your family or other health care providers.
  • Single Consent for Treatment, Payment, or Healthcare Operations: We may also use and disclose your SUD Records when the consent provided is a single consent for all future uses and disclosures for treatment, payment, and healthcare operations, as permitted by the HIPAA regulations, until such time you revoke such consent in writing.
  • Central Registry or Withdrawal Management Program. We may disclose your SUD Records to a central registry or to any withdrawal management or treatment program for the purposes of preventing multiple enrollments, with your consent. For example, if you consent to participating in a drug treatment program, we can disclose your information to the related program to coordinate care and avoid duplicate enrollment.
  • Criminal Justice System. We may disclose information from your SUD Records to those persons within the criminal justice system who have made your participation in a Program a condition of the disposition of any criminal proceeding against you. The written consent must state that it is revocable upon the passage of a specified amount of time or the occurrence of a specified event. The time when consent becomes revocable may be no later than the final disposition of the conditional release or other action in connection with which consent was given.
  • Prescription Tracking: We may report any medication prescribed or dispensed by us to state prescription drug monitoring programs if the law requires or permits it, but only with your consent.

Any SUD Record, or testimony about the content of any SUD Record, can’t be used in a civil, administrative, criminal, or legislative proceeding against you unless you provide consent (separate from any other consent) or a court issues an order. The applicable laws and regulations don’t protect information about a crime committed on our premises or at our locations or against our staff, or any threats to commit a crime. The applicable laws and regulations also don’t prohibit sharing information to report suspected child abuse or neglect. Also, the restrictions on use and disclosure to not apply to communications of SUD Records between or among individuals having a need for them in connection with their duties arising out of the provision of diagnosis, treatment, or referral for treatment of patients with a SUD if the communications are within the Program (or with an entity that has direct administrative control) and to communications of SUD Records to a qualified service organization if needed by the qualified service organization to provide services to us or on our behalf. If applicable state laws are stricter than these federal rules and regulations, we follow the stricter state laws.

Uses and Disclosures that Require Your Written Authorization/Consent

We will not share your PHI or SUD Records in the situations listed below without first obtaining written authorization or consent. If you provide us with an authorization/consent, you may revoke it at any time by submitting a request in writing. Revocation does not apply to PHI or SUD Records that have already been shared with your permission. You can obtain an authorization/consent form from us upon request.

  • Disclosure of Psychotherapy or Counseling Notes: Unless we obtain your written authorization, in most circumstances we will not share your psychotherapy or counseling notes. We may share your psychotherapy notes in some situations, including: for your continued treatment; training of medical students and staff; to defend ourselves during litigation; if the law requires; health oversight activities regarding your psychotherapist; to avert a serious or imminent threat to yourself or others; and to the coroner or medical examiner upon your death.
  • Marketing: Disclosures for marketing purposes which result in our receiving financial payment from a third party whose product or services is being marketed will require your written authorization. This does not include compensation that merely covers our cost of reminding you to take and refill your medication or otherwise communicate about a drug or biologic that is currently prescribed to you. However, we may share your PHI without your authorization to send you information about alternative medical treatments, our own programs or about health-related products and services that may be of interest to you, if we do not receive financial remuneration for making such communications.
  • Sale of PHI: Any activity constituting a sale of your PHI will require your prior written authorization.

Notice of Further Disclosure:

PHI that is disclosed pursuant to this Notice may be subject to redisclosure by the recipient and no longer protected by HIPAA. Law applicable to the recipient may limit their ability to use and disclose the PHI received, such as if the recipient is another covered entity subject to HIPAA or a Program that is federally funded and holds itself out as and/ or has the primary purpose of providing SUD treatment, diagnosis, or referral for treatment.

Your Rights About Your PHI

You have rights when it comes to your PHI and your SUD Records. These rights help you control who sees your information and how it is used. The following are statements of your rights, subject to certain limitations, with respect to your PHI and apply equally with respect to SUD Records:

See and Get a Copy of Your PHI

You can ask to view or get a copy of your PHI contained in a Designated Record set (as defined in HIPAA). You can do this through MyChart or you can make a written request. We can give you a paper or electronic copy. However, there are exceptions and some records you can’t see, like:

  • Psychotherapy notes or SUD counseling notes
  • Information for legal cases
  • Research you are part of
  • Information promised to be kept confidential
  • Our business information that is not actually in the Designated Record Set of your medical record
  • Anything that could cause harm if shared

We might charge a reasonable fee for copies or mailing. If we deny your request, you can ask for a review by another provider not involved in the decision.

Ask for a Summary or Explanation

You can ask for a summary of your records (instead of the full file), or an explanation of what is in your records.

Get an Electronic Copy 

If your medical record/PHI in the Designated Record Set is kept electronically, you can ask for an electronic copy for yourself or to send to someone else. We will try to send it in the format you want. You can also use our patient portal to access your medical record/PHI.

Ask Us to Fix Wrong Information

If you think something in your record is wrong or missing, you can ask us to amend it. The request must be in writing and explain exactly what should be changed and why. We may deny your request if:

  • You didn’t tell us specifically what to change or give a reason
  • We didn’t create the information
  • We determine that the information is already correct

If we deny your request, you can send us a written disagreement, which will be added to your record.

Ask for a List of Who We Shared Your Information With

You can ask for a list (called an “accounting”) of certain times we have shared your PHI, going back up to 6 years prior to the date of your request. This does not include disclosures made for certain purposes, such as information we shared for treatment, payment, or healthcare operations purposes, or notification and communication with family or friends, or disclosures required by law. Your request must be in writing. If you are requesting an accounting of disclosures of SUD Records made pursuant to your written consent, going back up to 3 years prior to the date of your request, we will provide such accounting consistent with the HIPAA requirements and other applicable law and regulations relating to the disclosures made through our electronic health record. We will provide the first requested accounting in any 12-month period without charge. However, we may charge you for the cost of providing the accounting for any subsequent accounting requested in a 12-month period. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred.

Ask Us to Limit How We Share Your Information

You can ask us to limit how we share your PHI, like not telling certain family members, friends, and individuals involved in your care, or not sharing PHI with your health plan if you paid in full at your visit. We don’t have to agree to your request for restriction except for a restriction requested to not disclose PHI for purposes of payment or health care operations to your health plan for care and services in which you have paid us in full out-of-pocket. If we do agree to any request, we still may provide PHI, as necessary, to give you emergency treatment.

Ask Us to Contact You in a Specific Way

You can ask us to contact you in a certain way. We will make reasonable efforts to accommodate your request. For example:

  • Only call your work phone
  • Mail letters to a different address

Choose Someone to Act for You

If you are incapacitated and have given someone legal power (Power of Attorney) to make health decisions for you, they can see your health information and make choices about how it is shared. We will confirm their authority before giving access.

Send Your Health Information Using an App

You can ask us to send your electronic PHI or SUD Records in the Designated Record Set to you or another person, organization, or service through an application programming interface (called an API). Once your information is sent this way, it is no longer protected by our system or subject to the protections and rights outlined in this Notice, and may no longer be subject to the same laws, regulations, policies, or procedures regarding its confidentiality, security, privacy, use or disclosure. You take full responsibility for how that information is used or shared by others. We suggest checking the privacy practices and policies of whoever you are sending it to before making this request.

Get a Paper Copy of This Notice

You can ask for a paper copy of this notice at any time, even if you got it electronically. You can also access it in your MyChart account or print it from our websites:

froedtert.com and thedacare.org and mcw.edu

Conscience Rights in Healthcare 

We respect individuals’ rights to decline participation in healthcare services based on religious or moral beliefs. This includes refusal of treatments and screenings.

Contact Information

Compliance Department 

Froedtert ThedaCare
Online: compliancereporting.ethicspoint.com
Email: [email protected] 
Phone: 1-833-942-0798
Mail: Attn Privacy Officer
N74 W12501 Leatherwood Ct. 
Menomonee Falls, WI 53051

MCW
Phone: 1-844-703-8171
Online: mcw.ethicspoint.com
Mail: Research Park Center Suite R1400 
10000 Innovation Dr.
Wauwatosa, WI 53226

Health Information/Medical Records Department
Froedtert ThedaCare - South Region & MCW 
Phone: 262-836-2510
Email: [email protected]
(note- the security of email transfers is not guaranteed)
Fax: 262-836-8490
Mail: Hartford Health Center
Attn: Health Information Management-ROI 
110 Lone Oak Ln.
Hartford, WI 53027

Froedtert ThedaCare – North Region
Online: https://thedacare.org/about-us/contact-us/ or
https://www.swellbox.com/thedacare-wizard.html

Patient Financial Services

Froedtert ThedaCare – South Region
Phone: 1-800-466-9670
Email: [email protected] 
Fax: 414-777-1503
Mail: Attn Financial Assistance Team 
400 Woodland Prime Suite 103
N74 W12501 Leatherwood Ct. 
Menomonee Falls, WI 53051-4490

Froedtert ThedaCare - North Region
Phone: 800-236-4102
Doctor or Clinical Billing 
Phone: 920-996-3200
Mail: PO Box 8003 
Appleton, WI 54912-8003 
Hospital Billing
Phone: 920-830-5900
Mail: PO Box 2759 
Appleton, WI 54912-2759

MCW
Phone: 1-844-239-1939

Websites:

Froedtert ThedaCare – South Region
froedtert.com

Froedtert ThedaCare – North Region
thedacare.org

MCW
mcw.edu

How to File a Complaint

If you ever believe your privacy rights have been violated (including your rights relating to SUD Records), you have the right to file a complaint, either with us or with the federal government. We will not punish you or treat you any differently if you choose to file a complaint.

To file a complaint with us, please use the contact information listed in the Contact Information section above.

You can file a complaint with the U.S. Department of Health and Human Services if you believe your privacy rights under HIPAA were violated. You may report suspected violations relating to SUD Records to the Secretary of the United States Department of Health and Human Services in the same manner as HIPAA violations are reported.

Website: www.hhs.gov/ocr/hipaa/
Phone: 202-619-0257 or toll-free at 877-696-6775
Mail: Centralized Case Management Operations
U.S. Department of Health and Human Services
200 Independence Ave., S.W.
Room 509F HHH Bldg.
Washington, D.C. 20201

When filing a complaint, you will need to:

  1. Name the person or organization you believe violated your privacy rights and describe what happened.
  2. File the complaint within 180 days of when you found out about the issue.

By law, we must:

  • Give you this Notice so you know how we protect your health information
  • Follow the privacy practices explained in this Notice
  • Keep your PHI protected through proper safeguards

If you have any questions about this Notice or your rights, please contact our Privacy Officer using the contact information listed in the Contact Information section above.

The Froedtert ThedaCare & the Medical College of Wisconsin health network complies with applicable federal civil rights laws and does not discriminate, exclude or treat people differently on the basis of race, color, national origin, age, disability, sex (consistent with the scope of sex discrimination described at 45 CFR § 92.101(a)(2)), or any other group protected by law.

Attention: If you speak another language, assistance services, free of charge, are available to you. Call: 414-805-3000 (TTY: 1-800-947-3529)

Español (Spanish): ATENCIÓN: Si habla español, tiene a su disposición servicios gratuitos de asistencia lingüística. Llame al: 414-805-3000 (TTY: 1-800-947-3529)

Hmoob (Hmong): LUS CEEV: Yog tias koj hais lus Hmoob, cov kev pab txog lus, muaj kev pab dawb rau koj. Hu rau: 414-805-3000 (TTY: 1-800-947-3529)

Effective Date: April 14, 2003
Last Revision Date: January 19, 2026
Item #: 37974 (supersedes 3/20, 10/19, 10/16, 06/16, 05/15, 07/13, 03/12, 09/10, 04/10, 07/09)