Effective: October 2019
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Your Information, Your Rights, Our Responsibilities
The United States government created rules for the use and protection of medical information by hospitals, clinics, laboratories and other health care entities. The rules are a result of the 1996 Health Insurance Portability and Accountability Act (HIPAA) and subsequent rules and laws that affect HIPAA. These rules are meant to provide all patients in the United States with standard privacy and security safeguards of medical information. One rule requires Prometheus Biosciences (“Prometheus”, “we”, “our”) to provide all patients with a Notice of Privacy Practices. In this Notice, we refer to your medical information as “Protected Health Information” or “PHI”.
Protecting Your Privacy
We take your privacy seriously and we want you to know how we collect, use, share and protect your information. We are required by law to maintain the privacy and security of your Protected Health Information. The federal government defines Protected Health Information as any information, whether oral, electronic or paper, that is unique to an individual, such as name, address, telephone number, test results, etc., that is related to your health records. We adhere to stringent standards designed to safeguard Protected Health Information against accidental or unauthorized access or disclosure. We have taken reasonable steps to ensure the integrity and confidentiality of your Protected Health Information.
When it comes to your Protected Health Information, you have certain rights under HIPAA and federal privacy rules that implement HIPAA. This section explains your rights as a patient and our responsibilities as a “Covered Entity” under HIPAA.
|Get an electronic or paper copy of your medical record||You can ask to see, or get an electronic or paper copy of, your medical record, such as your final laboratory test results and other Protected Health Information we have about you. Please submit a written request to Prometheus’ Privacy and Security Officer if you would like to make this request. We will provide a copy or a summary of your Protected Health Information, usually within 30 days of your request. We will charge you a reasonable, cost-based fee.|
|Ask us to correct your medical record||You can ask us to correct Protected Health Information that you think is incorrect or incomplete. Please submit a written request to Prometheus’ Privacy and Security Officer if you would like to make this request. We may say “no” to your request under certain circumstances, but we’ll tell you why, in writing, within 60 days.|
|Request confidential communications||You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address. Please submit a written request to Prometheus’ Privacy and Security Officer if you would like to make this request. We will say yes to all reasonable requests.|
|Ask us to limit what we use or share||You can ask us not to use or share certain Protected Health Information for treatment, payment, or our health care operations. Please contact the Prometheus’ Privacy and Security Officer if you would like to make this request. We are not required to agree to your request, and we may say “no” if it would affect your care or our ability to collect payment. If we say no, we will explain why in writing. If you or a person other than your health insurer pays for a service or health care item out-of-pocket in full, you can ask us not to share the Protected Health Information with your health insurer. We will say yes unless a law requires us to share that information.|
|Get a list of those with whom we have shared information||You can ask for an “accounting of disclosure list”, which lists each time we’ve shared your Protected Health Information for six years prior to the date you ask, with whom we shared it with, and why. This list will include all of the disclosures within that six year period except for disclosures about treatment, payment, and health care operations, and certain other disclosures that are allowed to be excluded from this list (such as any you asked us to make). We will provide one accounting of disclosure list a year for free, but will charge a reasonable, cost-based fee if you ask for another one within 12 months. Please contact the Prometheus’ Privacy and Security Officer if you would like to make this request.|
|Get a copy of this notice||You can ask for a paper copy of this notice at any time, even if you have agreed to receive the notice electronically. We will provide you with a paper copy upon request. Please contact the Prometheus’ Privacy and Security Officer if you would like to make this request.|
|Choose someone to act for you||If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your Protected Health Information on your behalf. We will make sure the person has this authority and can act for you before we take any action. Please contact the Prometheus’ Privacy and Security Officer if you would like to make this request.|
|File a complaint if you feel your rights are violated||You can complain if you feel we have violated your rights under HIPAA. Please contact the Prometheus’ Privacy and Security Officer if you would like to file a complaint. You can also file a complaint by letter with the U.S. Department of Health and Human Services Office for Civil Rights. We will not retaliate against you for filing a complaint.|
Our Uses and Disclosures of Your Protected Health Information
We typically use or share your Protected Health Information in the following ways.
|To treat you||We can use your Protected Health Information and share it with other professionals who are treating you. Example: We may disclose your Protected Health Information to your health care providers who are involved in your treatment.|
|To improve our organization and our laboratory operations||We can use and share your Protected Health Information to improve our laboratory operations, to improve your care, and to contact you when necessary. Example: We may disclose your Protected Health Information to support business activities and to maintain our quality improvement programs.|
|To bill for your services||We can use and share your Protected Health Information to bill and get payment from health plans or other entities. Example: We may disclose your Protected Health Information to your health plan for determinations of eligibility, coverage, to collect outstanding amounts, and to appeal any reimbursement denial.|
Your Choices About What Protected Health Information We Share
For certain Protected Health Information, you can tell us your choices about what we share.
|In these cases, you have both the right and choice to tell us to||Share Protected Health Information with your family, close friends, or others involved in your care. Share Protected Health Information in a disaster relief situation. If you are not able to tell us your preference for how we share your Protected Health Information (for example, if you are mentally incapacitated), we may share your Protected Health Information if we believe it is in your best interest. We may also share your Protected Health Information when needed to lessen a serious and imminent threat to health or safety.|
|In these cases, we never share your information unless you give us written permission||We will follow applicable state and federal laws that provide additional privacy protections for your Protected Health Information. We do not share your Protected Health Information for: Marketing purposes.Sales activities.Creation and/or maintenance of psychotherapy notes.Sale of Protected Health Information.|
How Else Can We Share Your Protected Health Information?
We are allowed or required to share your Protected Health Information in other ways, – usually in ways that contribute to the public good, such as public health and research. We have to meet many conditions in the law before we can share your Protected Health Information for these purposes.
|Help with public health and safety issues||We can share your Protected Health Information for situations such as: Preventing disease.Reporting adverse reactions to medications.Preventing or reducing a serious threat to anyone’s health or safety.Reporting suspected abuse, neglect, or domestic violence.|
|Do research||Research is vital to the advancement of medical science and public health. Under HIPAA, we may use and disclose your Protected Health Information for research without your authorization in certain circumstances. In particular, we may use and disclose your Protected Health Information for research without an authorization when your name and other direct identifiers specified in HIPAA have been removed (de-identified) and the recipient of the Protected Health Information signs a data use agreement, or when the research study is reviewed and approved by an Institutional Review Board before the research study begins and the Institutional Review Board waives the requirement to obtain your authorization for the research. Under specific situations, a researcher may also use your de-identified Protected Health Information to determine whether enough patients exist to make a study scientifically valid.|
|Business Associates||We can share Protected Health Information to other companies or individuals known as Business Associates that need the information to provide services to us. The business associates are required to maintain the privacy and security safeguards of Protected Health Information.|
|Comply with the law||We will share Protected Health Information if state or federal laws require that we make these disclosures.|
|Address workers’ compensation, law enforcement, and other government requests||We can use or share Protected Health Information about you: For workers’ compensation claims.For law enforcement purposes or with a law enforcement official.With health oversight agencies for activities authorized by law.With special government functions, such as military, national security, and presidential protective services.|
|Respond to lawsuits and legal actions||We can share Protected Health Information about you in response to a court or administrative order, or in response to a subpoena.|
Changes to the Terms of This Notice
We will let you know promptly if a breach occurs that may have compromised the privacy or security of your Protected Health Information.
We must follow the terms and conditions described in the Notice that is currently in effect and provide you with a copy of the Notice. We will not use or share your Protected Health Information other than as described herein unless you tell us we can in writing. If you give us authorization to use or share your Protected Health Information for a purpose that requires your authorization, you may change your mind at any time. Please let us know if you change your mind.
Our Privacy Commitment
We understand that Protected Health Information is personal. As a certified laboratory under the Clinical Laboratory Improvement Amendment of 1988 (CLIA) and as a Covered Entity under HIPAA, in most situations, we have an indirect treatment relationship with you in that our interaction is mainly with your health care provider ordering the test. Since we receive and maintain a record of your Protected Health Information for testing services, please be assured that we are committed to protecting your Protected Health Information.
This Notice of Privacy Practices Applies to the Following Organizations
This Notice also applies to Prometheus facilities and health care and other service providers, who participate in your care or treatment, including:
- Any health care professional authorized to enter information into any health record established and maintained by Prometheus.
- All employees of Prometheus, including laboratory medical staff.
- Any health care or service provider who, although not employed by a Prometheus facility, provides services to you at a Prometheus facility or other facility, including but not limited to laboratory and diagnostic providers.
If you have questions about this Notice of Privacy Practices, or want to submit a specific privacy request, or file a complaint, please use the following methods to contact us.