Patient Privacy Notice

Effective Date: Aug 5, 2022

THIS NOTICE DESCRIBES HOW CERTAIN MEDICAL AND HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Certain information about you that Population Health, Inc., sometimes referred to as Healthcare Select (“Population Health”), obtains from Covered Entities under the Health Insurance Portability and Accountability Act (HIPAA), or entities that the regulations implementing that law deem their “Business Associates”, may be Protected Health Information (“PHI”) including information about your medications. PHI includes certain information that may identify you and that relates to your past, present, or future physical or mental health or condition, the provision of health care products and services to you or payment for such services. This Notice describes how we may use and disclose the PHI about you which is shared with us by such Covered Entities or their Business Associates, as well as how you can obtain access to such PHI. This Notice also describes your rights with respect to such PHI. Other Notices posted by us from time to time describe how we might use or disclose information which is not PHI shared with us by a Covered Entity or Business Associate.

We reserve the right to change our practices and this Notice and to make the new Notice effective for all PHI we maintain. If we do so, the updated Notice will be posted on our website with the date that any updates were made. Upon request, we will provide any revised Notice to you.

How We May Use and Disclose Your PHI

The following categories describe different ways that we use and disclose your PHI. We have provided you with examples in certain categories; however, not every permissible use or disclosure will be listed in this Notice. Note that some types of PHI, such as HIV information, genetic information, alcohol and/or substance abuse records, and mental health records may be subject to special confidentiality protections under applicable state or federal law and we will abide by these special protections.

I. Uses and Disclosures of PHI That Do Not Require Your Prior Authorization

Except where prohibited by federal or state laws that require special privacy protections, we may use and disclose your PHI for treatment, payment and health care operations without your prior authorization as follows:

Treatment

We may use and disclose your PHI to provide and coordinate the treatment, medications and services you receive. For example, we may disclose PHI to pharmacists, doctors, nurses, technicians and other personnel involved in your health care. We may also disclose your PHI with other third parties, such as hospitals, other pharmacies and other health care facilities and agencies, including healthcare information exchange networks, to facilitate the provision of health care services, medications, equipment and supplies you may need.

Payment

We may use and disclose your PHI in order to obtain payment for the health care products and services that we provide to you and for other payment activities related to the services that we provide or arrange. For example, we may contact your insurer, pharmacy benefit manager or other health care payer to determine whether it will pay for health care products and services you need and to determine the amount of your co-payment, deductible or co-insurance. We may contact you about a payment or balance due on your account. We may also disclose your PHI to other health care providers or HIPAA covered entities who may need it for their payment activities.

Health Care Operations

We may use and disclose your PHI for our health care operations. Health care operations are activities necessary for us to operate our health care businesses. For example, we may use your PHI to monitor the performance of the staff, including pharmacists or other health care professionals, providing treatment to you. We may use your PHI as part of our efforts to continually improve the quality and effectiveness of the health care products and services we provide. We may also analyze PHI to improve the quality and efficiency of health care, for example, to assess and improve outcomes for health care conditions. We may also disclose your PHI to HIPAA covered entities that have provided services to you so that they can improve the quality and effectiveness of the health care services that they provide. We may use your PHI to create de-identified data, which is stripped of your identifiable data and no longer identifies you.

Business Associates

We may contract with third parties to perform certain services for us, such as billing services or consulting services. These third party service providers, referred to as Business Associates, may need to access your PHI to perform services for us. They are required by contract and law to protect your PHI and only use and disclose it as necessary to perform their services for us.

To Communicate with Individuals Involved in Your Care or Payment for Your Care

We may disclose to a family member, other relative, close personal friend, or any other person you identify, PHI directly relevant to that person’s involvement in your care or payment related to your care. Additionally, we may disclose PHI to your “personal representative.” If a person has the authority by law to make health care decisions for you, we will generally regard that person as your “personal representative” and treat him or her the same way we would treat you with respect to your PHI.

Food and Drug Administration (“FDA”)

We may disclose to persons under the jurisdiction of the FDA, PHI relative to adverse events with respect to drugs, foods supplements, products and product defects, or post-marketing surveillance information to enable product recalls, repairs, or replacement.

Workers’ Compensation

To the extent necessary to comply with law, we may disclose your PHI to workers’ compensation or other similar programs established by law.

Public Health

We may disclose your PHI to public health or legal authorities charged with preventing or controlling disease, injury, or disability, including the FDA. In certain circumstances, we may also report work-related illnesses and injuries to employers for workplace safety purposes.

Law Enforcement

We may disclose your PHI for law enforcement purposes as required or permitted by law for example, in response to a subpoena or court order, in response to a request from law enforcement, and to report limited information in certain circumstances.

Comply With the Law

We will share information about you if state or federal laws require it, including with the Department of Health and Human Services if it wants to see that we’re complying with federal privacy law.

Health Oversight Activities

We may disclose your PHI to an oversight agency for activities authorized by law. These oversight activities include audits investigations, inspections, and credentialing, as necessary for licensure and for the government to monitor the health care system government programs and compliance with civil rights laws.

Judicial and Administrative Proceedings

If you are involved in a lawsuit or a dispute, we may disclose your PHI in response to a court or administrative order. We may also disclose your PHI in response to a subpoena, discovery request or other lawful process instituted by someone else involved in the dispute, but only if efforts have been made, either by the requesting party or us, to first tell you about the request or to obtain an order protecting the information requested.

Research

We may use your PHI to conduct research and we may disclose your PHI to researchers as authorized by law. For example, we may use or disclose your PHI as part of a research study when the research has been approved by an institutional review board or privacy board that has reviewed the research proposal and established protocols to ensure the privacy of your information.

Coroners, Medical Examiners and Funeral Directors

We may release your PHI to these entities so that they can carry out their duties.

Organ or Tissue Procurement Organizations

Consistent with applicable law, we may disclose your PHI to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of organs for the purpose of tissue donation and transplant.

Notification

We may use or disclose your PHI to notify or assist in notifying a family member, personal representative, or another person
responsible for your care, regarding your location and general condition.

Disaster Relief

We may use and disclose your PHI to organizations for purposes of disaster relief efforts.


Correctional Institution

If you are or become an inmate of a correctional institution, we may disclose to the institution, or its agents, PHI necessary for your health and the health and safety of other individuals.

To Avert a Serious Threat to Health or Safety

We may use and disclose your PHI when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person.

Military and Veterans

If you are a member of the armed forces, we may release PHI about you as required by military command authorities or under law. We may also release PHI about foreign military personnel to the appropriate foreign military authority.

National Security, Intelligence Activities, and Protective Services for the President and Others

We may release PHI about you to federal officials for intelligence, counterintelligence, protection of the President, and other national security activities authorized by law.

Victims of Abuse or Neglect

We may disclose PHI about you to a government authority if we reasonably believe you are a victim of abuse or neglect. We will only disclose this type of information to the extent required by law, if you agree to the disclosure, or if the disclosure is allowed by law and we believe it is necessary to prevent serious harm to you or someone else.

II. Uses and Disclosures of PHI that Require Your Prior Authorization

Specific Uses or Disclosures Requiring Authorization

We will obtain your written authorization for the use or disclosure of psychotherapy notes, use or disclosure of the PHI described in this notice for marketing, and for the sale of the PHI described in this notice, except in limited circumstances where applicable law allows such uses or disclosure without your authorization.

Other Uses and Disclosures

We will obtain your written authorization before using or disclosing the PHI described in this notice for purposes other than those set forth in this Notice or otherwise permitted by law. You may revoke an authorization in writing at any time. Upon receipt of the written revocation, we will stop using or disclosing your PHI, except to the extent that we have already taken action in reliance on the authorization.

YOUR HEALTH INFORMATION RIGHTS

We may use your Personal Information, Demographic Information and/or Usage Information that we collect about you subject to this Privacy Policy for the following purposes:

Obtain a Paper Copy of the Notice Upon Request

You may request a copy of our current Notice at any time. Even if you have agreed to receive the Notice electronically, you are still entitled to a paper copy. You may obtain a paper copy by contacting the Privacy Office.

Request a Restriction on Certain Uses and Disclosures of PHI

You have the right to request additional restrictions on our use or disclosure of your PHI by sending a written request to the Privacy Office. We are not required to agree to the restrictions, except in the case where the disclosure is to a health plan for purposes of carrying out payment or health care operations, is not otherwise required by law, and the PHI pertains solely to a health care item or service for which you, or a person on your behalf, has paid in full.

Inspect and Obtain a Copy of PHI

With a few exceptions, you have the right to access and obtain a copy of the PHI described herein that we maintain about you. If we maintain an electronic health record containing your PHI, you have the right to request to obtain the PHI in an electronic format. To inspect or obtain a copy of your PHI, you must send a written request to the Privacy Office. You may ask us to send a copy of your PHI to other individuals or entities that you designate. We may deny your request to inspect and copy in certain limited circumstances. If you are denied access to your PHI, you may request that the denial be reviewed.

Request an Amendment of PHI

If you feel that PHI we maintain about you is incomplete or incorrect, you may request that we amend it. To request an amendment, you must send a written request to the Privacy Office. You must include a reason that supports your request. If we deny your request for an amendment, we will provide you with a written explanation of why we denied it.

Receive an Accounting of Disclosures of PHI

With the exception of certain disclosures, you have a right to receive a list of the disclosures we have made of your PHI described herein, in the six years prior to the date of your request, to entities or individuals other than you. To request an accounting, you must submit a request in writing to the Privacy Office. Your request must specify a time period. We’ll provide one accounting a year for free but will charge a reasonable, cost-based fee if you ask for another one within 12 months.

Request Communications of PHI by Alternative Means or at Alternative Locations

You have the right to request that we communicate with you about health matters in a certain way or at a certain location. For instance, you may request that we contact you at a different residence or post office box, or via e-mail or other electronic means. Please note if you choose to receive communications from us via e-mail or other electronic means, those may not be a secure means of communication and your PHI that may be contained in our e-mails to you will not be encrypted. This means that there is risk that your PHI in the e-mails may be intercepted and read by, or disclosed to, unauthorized third parties. To request confidential communication of your PHI, you must submit a request in writing to the Privacy Office. Your request must tell us how or where you would like to be contacted. We will accommodate all reasonable requests. However, if we are unable to contact you using the ways or locations you have requested, we may contact you using the information we have.

Choose someone to act for you

If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information. We will make sure the person has this authority and can act for you before we take any action.

Notification of a Breach

You have a right to be notified following a breach of your unsecured PHI, and we will notify you in accordance with applicable law.

Where to Obtain Forms for Submitting Written Requests

You may obtain forms for submitting written requests by contacting the Privacy Officer at Population Health Privacy Office, 6800 W 115th Street Overland Park, KS 66211 or toll-free by telephone at 833-247-0468.

For More Information or to Report a Problem

If you have questions or would like additional information about Population Health privacy practices, you may contact our Privacy Officer at Population Health, 6800 W 115th Street Overland Park, KS 66211 or toll-free by telephone at 833-247-0468. If you believe your privacy rights have been violated, you can file a complaint with the Privacy Officer or with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting www.hhs.gov/ocr/privacy/ hipaa/complaints/. We will not retaliate against you for filing a complaint.


Effective Date

This Patient Privacy Notice is effective as of August 5,2022.

Patient Privacy Web Access

This Patient Privacy notice can be accessed online at healthcareselect.com/patient-privacy/