Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU THAT IS PROTECTED UNDER THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996, AS AMENDED (“HIPAA”) MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
PLEASE REVIEW IT CAREFULLY.
Color Health, Inc. (f/k/a Color Genomics, Inc., hereinafter referred to as “Color”) is required by law to maintain the privacy of your protected health information and to provide you with a notice of our legal duties and privacy practices with respect to protected health information. This Notice of Privacy Practices, or the Notice, describes how we may use and disclose your protected health information to carry out treatment, payment or health care operations and for other specified purposes that are permitted or required by law. The Notice also describes your rights with respect to your protected health information. “Protected health information” is information about you, including basic demographic information, that may identify you and that relates to your past, present or future physical or mental health or condition and related health care services.
You have the following rights with respect to your protected health information:
- Obtain a paper copy of the Notice of Privacy Practices upon request. You may request a copy of the Notice at any time. To obtain a copy of the Notice, contact email@example.com.
- Request a restriction on certain uses and disclosures of your information. You have the right to request a restriction on the protected health information (“PHI”) that we use or disclose about you for treatment, payment, or health care operations. You also have the right to request a restriction on the PHI we disclose about you to someone who is involved in your care or payment for your care, such as a family member or friend. Except as described in this section, we are not required to agree to your request. We must agree to your request if the disclosure has been made to a health plan for the purpose of payment or health care operations and the disclosure relates to an expense for which you have paid out of pocket. To request restrictions, you must fill out the form on color.com/hipaa-revoke.
- Inspect and obtain a copy of your information. You have the right to access and copy PHI about you contained in your medical and billing records for as long as Color maintains the information. To read or copy your PHI, you must send a written request to firstname.lastname@example.org. Additional state law requirements may apply in order to access and copy such PHI. If you request a copy of the information, we may charge you a reasonable fee for the costs of the copying, mailing, or other supplies that are necessary for the electronic transfer of your information. If we maintain an electronic health record containing your health information, you have the right to request that we send a copy of your health information in electronic format to you or a third party that you identify. We may deny your request to read and copy in certain limited circumstances. If you are denied access to your PHI, you may request that the denial be reviewed by filing a request for review with the Color’s Privacy Officer.
- Amend your information. If you feel that PHI we have about you is incomplete or incorrect, you may request that we amend the information. You may request an amendment for as long as we maintain your health information. To request an amendment, you must send a written request to email@example.com. In addition, you must include a reason that supports your request. In certain cases, we may deny your request for amendment. If we deny your request for amendment, you have the right to file a statement of disagreement with the decision with the Privacy Officer and we may prepare a rebuttal to your statement, which we will provide to you.
- Receive an accounting of disclosures of your information. You have the right to receive an accounting of certain disclosures we have made of your PHI after the effective date of this Notice. The accounting will exclude disclosures we have made directly to you, disclosures to friends or family members involved in your care, disclosures made pursuant to a valid authorization, and disclosures for notification purposes. The right to receive an accounting is subject to certain other exceptions, restrictions, and limitations. To request an accounting, you must submit your request in writing to firstname.lastname@example.org. Your request must specify the time period for which you are seeking an accounting, but it may not be longer than 6 years or the time period permitted by law. The first accounting you request within a 12 month period will be provided free of charge, but you may be charged for the cost of providing additional accountings. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time.
- Request communications of your information by alternative means or at alternative locations. For instance, you may request that we contact you about medical matters only in writing or at a different residence or post office box. To request confidential communication of your PHI, you must submit your request in writing to email@example.com. Your request must state how or when you would like to be contacted. We will accommodate all reasonable requests. We reserve the right to verify your identity in order to confirm the alternative contact and address information.
The following categories describe different ways that we use and disclose your protected health information. For each category of uses or disclosures, we try to explain what we mean and provide some examples.
- We will use your protected health information for treatment.
For example: Information obtained by a member of your health care team will be recorded in your record and used to determine and to document the chosen course of treatment. Color will record the actions it took and its observations.
- We will use your protected health information for payment.
For example: A bill may be sent to you or a third-party payor. The information on or accompanying the bill may include information that identifies you, as well as your diagnosis, procedures, and supplies used.
- We will use your protected health information for health care operations.
For example: Members of our staff may use information in your health record to assess the care and outcomes in your case and others like it. This information will then be used in an effort to continually improve the quality and effectiveness of the health care and service we provide.
- We are likely to use or disclose your PHI for the following purposes:
Business Associates: There are some services provided at Color through contracts with business associates. For example, we may have a contract with a billing service. When we contract for these services, we may disclose your PHI to our business associate(s) so that they can perform the job we have asked them to do and bill Color, you, or your third-party payor for services rendered. To protect your information, however, we require all business associates to appropriately safeguard your information. Business associates are also directly responsible for compliance with federal security standards and certain provisions of the federal privacy law, to further ensure the protection of your PHI.
Communication with Individuals Involved in your Care or Payment for your Care: Health professionals, such as a physician or nurse, using their professional judgment, may disclose to a family member, other relative, close personal friend or any other person you identify, PHI relevant to that person’s involvement in your care or payment related to your care.
Personal Communications: Subject to certain limitations imposed by law, we may contact you to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to you. We may receive payment in exchange for making these communications. You may opt out of receiving communications for which we have been paid. To opt out, contact firstname.lastname@example.org.
Food and Drug Administration (FDA) or Other Regulatory Agency: We may disclose to the FDA or other regulatory agencies having jurisdictions, or persons under the jurisdiction of the FDA or such other regulatory agencies, PHI relative to adverse events with respect to food, medicines, supplements, product and product defects, or post marketing surveillance information to enable product recalls, repairs, or replacement.
Worker’s Compensation: We may disclose your PHI to the extent authorized by and to the extent necessary to comply with laws relating to worker’s compensation or other similar programs established by law.
Public Health: As required by law, we may disclose your PHI to public health or legal authorities charged with preventing or controlling disease, injury, or disability.
Law Enforcement: We may disclose your PHI for law enforcement purposes as required by law or in response to a valid subpoena or court order.
As Required by Law: We will disclose your PHI when required to do so by federal, state, or local law.
Health Oversight Activities: We may disclose your PHI to an oversight agency for activities authorized by law. These oversight activities include audits, investigations, and inspections, as necessary for licensure and for the government to monitor the health care system, government programs, and compliance with civil rights laws.
Judicial and Administrative Proceedings: If you are involved in a lawsuit or a dispute, we may disclose your PHI in response to a court or administrative order. Subject to applicable state law, we may also disclose health information about you in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made, either by us or the requesting party, to tell you about the request or to obtain an order protecting the information requested.
- We are permitted to use or disclose your PHI for the following purposes:
Research: We may disclose your PHI to researchers when their research has been approved by an institutional review board that has reviewed the research proposal and established protocols to ensure the privacy of your information.
Notification: We may use or disclose your PHI to notify or assist in notifying a family member, personal representative, or another person responsible for your care, regarding your location and general condition.
To Avert a Serious Threat to Health or Safety: We may use and disclose your PHI when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person.
Regulatory Compliance: Federal law makes provision for your medical information to be released to an appropriate health oversight agency, public health authority or attorney, provided that a member of our workforce or business associate believes in good faith that we have engaged in unlawful conduct or have otherwise violated professional or clinical standards and are potentially endangering one or more patients, workers or the public.
Victims of Abuse or Neglect: We may disclose PHI about you to a government authority if we reasonably believe you are a victim of abuse or neglect. We will only disclose this type of information to the extent required by law, if you agree to the disclosure, or if the disclosure is allowed by law and we believe it is necessary to prevent serious harm to you or someone else or the law enforcement or public official that is to receive the report represents that it is necessary and will not be used against you. In such cases, we will promptly inform you that a report has been or will be made unless there is reason to believe that providing this information will place you in serious harm.
Data Breach Notification: We may use your PHI to provide legally-required notices of unauthorized access, acquisition, or disclosure of your PHI.
We will obtain your written authorization before using or disclosing your PHI for purposes other than those provided for above (or as otherwise permitted or required by law). Most disclosures of your PHI for which we receive payment will require your authorization. Uses and disclosures of your PHI for marketing require your authorization and your authorization is required for uses and disclosures of psychotherapy notes. You may revoke an authorization in writing at any time. Upon receipt of the written revocation, we will stop using or disclosing your PHI, except to the extent that we have already taken action in reliance on the authorization.
If more than one law applies to this Notice, such as more stringent state law, we will follow the more stringent law.
If you have questions or would like additional information about Color’s privacy practices, you may contact the Privacy Officer at email@example.com. If you believe your privacy rights have been violated, you can file a complaint with the Privacy Officer or with the United States Secretary of Health and Human Services. There will be no retaliation for filing a complaint.
This Notice is effective as of May 25, 2018.