Notice of Privacy Practices

Last updated: January 16, 2024

THIS NOTICE OF PRIVACY PRACTICES (THIS “NPP”) DESCRIBES HOW YOUR HEALTH INFORMATION MAY BE USED AND DISCLOSED BY ANDHEALTH PROVIDERS, P.C. (“AndHealth Providers,” “We” OR “Us”), AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW THE NPP CAREFULLY.

The Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”), requires Covered Entities (as defined therein) (each a “CE”) like AndHealth Providers to ask patients to acknowledge receipt of a document similar to this NPP, which is published on the AndHealth website and the AndHealth mobile application (the “App”). By clicking on the “I Acknowledge Receipt of the Notice of Privacy Practices” check box to sign this NPP, You acknowledge receipt of the NPP. You can receive a copy of the NPP by asking for one from AndHealth Providers, or by printing one from our website at any time.

CE Responsibilities

Under HIPAA, CEs like AndHealth Providers must take steps to protect the privacy of your Protected Health Information (“PHI”). PHI includes information that we have created or received regarding your health or payment for services related to your health. It includes both your medical records and personal information such as your name, social security number, financial information, address, and phone number.

Under federal law, we are required to:

• Protect the privacy of your PHI. All of our employees and physicians are required to maintain the confidentiality of PHI and receive appropriate privacy training.
• Provide you with this Notice of Privacy Practices explaining our duties and practices regarding your PHI.
• Notify you promptly in the case of a breach of unsecured PHI.
• Follow the practices and procedures set forth in this NPP.
• We will not use or share your PHI other than as described here unless you tell us we can in writing. If you tell us we can, you may change your mind at any time. Let us know in writing if you change your mind. For more information see: https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html.

Uses and Disclosures of Your Protected Health Information That Do Not Require Your Authorization

AndHealth Providers uses and discloses PHI in a number of ways connected to your treatment, payment for your care, and our healthcare operations. Some examples of how we may use or disclose your PHI without your authorization are listed below.

TREATMENT

• To our physicians, nurses, physician assistants, coaches, and others involved in your healthcare or preventive healthcare.
• To our different departments to coordinate treatment-related activities, such as prescriptions and lab work.
• To other healthcare providers treating you who are not on our staff such as emergency room staff, coaches, specialists and other providers. For example (and without limitation), if you are being treated for migraine headache, we may share your PHI among your primary physician, a neurologist, and your physical therapist, so they can provide proper care.

PAYMENT

• To administer your health benefits policy or contract. For example (and without limitation), we may share your PHI with your health insurance plan so it will pay for your services.
• To bill you for healthcare we provide.
• To pay others who provided care to you.
• To other organizations and providers for payment activities unless disclosure is prohibited by law.

HEALTHCARE OPERATIONS

• To administer and support our business activities or those of other healthcare organizations (as allowed by law), including providers and plans. For example (and without limitation), we may use your PHI to conduct quality analysis, data aggregation, review and improve our services and the care you receive and to provide training.
• To other individuals (such as consultants and attorneys) and other companies and organizations that help us with our business activities. (Note: If we share your PHI with other organizations for this purpose, they must agree to protect your privacy.)

OTHER

We are allowed or required to share your information in other ways – usually in ways that contribute to the public good, such as public health and research. We have to meet many conditions in the law before we can share your information for these purposes. For more information see: https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html. We may use or disclose your PHI without your authorization for legal and/or governmental purposes in the following circumstances:

• As required by law – When we are required by state or federal laws, including (without limitation) privacy laws and workers’ compensation laws. For example (and without limitation), we will share PHI with the Department of Health and Human Services if it wants to see that we’re complying with federal privacy law.
• Public health and safety – To an authorized public health authority or individual to:
  • Protect public health and safety.
  • Help with product recalls.
  • Prevent or control disease, injury, or disability.
  • Report vital statistics such as births or deaths.
  • Investigate or track problems with prescription drugs and medical devices, and report adverse reactions to medications.
• Abuse or neglect – To government entities authorized to receive reports regarding suspected abuse, neglect, or domestic violence.
• Minors – In general, parents and legal guardians are legal representatives of minor patients. However, in certain circumstances, as dictated by state law, minors can act on their own behalf and consent to their own treatment. In general, we will share the PHI of a patient who is a minor with the minor’s parents or guardians, unless the minor could have consented to the care themselves (except where parental disclosure may be required per applicable law).
• Oversight agencies – To health oversight agencies for certain activities such as audits, examinations, investigations, inspections, and licensures.
• Legal proceedings – In the course of any legal proceeding or in response to an order of a court or administrative agency and in response to a subpoena, discovery request, or other lawful process.
• Law enforcement – To law enforcement officials in certain circumstances for law enforcement purposes. By way of example and without limitation, disclosures may be made to identify or locate a suspect, witness, or missing person; to report a crime; or to provide information concerning victims of crimes.
• Health Information Exchanges – We may participate in health information exchanges (“HIEs”) and may electronically share your medical information for treatment, payment and healthcare operations purposes with other participants in the HIEs. HIEs allow us, and your other healthcare providers and organizations, to efficiently share and better use information necessary for your treatment and other lawful purposes. In some states, the inclusion of your medical information in an HIE is voluntary and subject to your right to opt-in or opt-out; if you choose to opt- in or not to opt-out, we may provide your medical information in accordance with applicable law to the HIEs in which we participate.
• Financial information – We may ask you about income or other financial information to determine if you may qualify for services where applicable. We may use this information for operations, marketing, and administrative purposes and to improve our service offerings.
• Military activity and national security – To the military and to authorized federal officials for national security and intelligence purposes, to the Department of Veterans Affairs as required by military authorities, or in connection with providing protective services to the President of the United States.
• Research – We can use or share your PHI for health research.
• Coroners, medical examiners funeral directors, and organ donation—To coroners, medical examiners, funeral directors, and organ procurement organizations as authorized by law.
• Threat to health or safety—To avoid a serious threat to the health or safety of yourself and others.

We may also use or disclose your PHI without your authorization in the following miscellaneous circumstances:

• Contacting you directly – We may use your PHI, including your email address or phone number, to contact you. For example, we may also use this information to send you visit follow-ups and other communications relating to your care and treatment, or let you know about treatment alternatives or other health related services or benefits that may be of interest to you, via email, phone call, or text message.
• Your patient account – We may make certain PHI, such as information about care or treatment, appointment histories and medication records, accessible to you through online tools, such as email or your AndHealth patient account.
• Treatment alternatives and plan description—To communicate with you about treatment services, options, or alternatives, as well as health-related benefits or services that may be of interest to you, or to describe our health plan and providers to you.
• De-identified information—If information is removed from your PHI so that you can’t be identified, except as prohibited by law.

For certain health information, you can tell us your choices about what we share. If you have a clear preference for how we share your information in the situations described below, talk to us. Tell us what you want us to do, and we will accommodate reasonable and feasible requests:

• Family and friends – With a member of your family, a relative, a close friend—or any other person you identify who is directly involved in your healthcare— provided that, when you are either not present or are unable to make a healthcare decision for yourself (for example if you are unconscious), and we determine that disclosure is in your best interest. We will also assume that we may disclose PHI to any person you permit to be physically present with you as we discuss your PHI with you. For example, we may disclose PHI to a friend who brings you into an emergency room, we may allow someone other than you to pick up your prescription, and we will assume that we may discuss your healthcare with a person you bring with you to your in-office or virtual appointments.
• Disaster relief—To an authorized public or private entity for disaster relief purposes. For example, we might disclose your PHI to help notify family members of your location or general condition.

Uses and Disclosures of Your Protected Health Information That Require Us to Obtain Your Authorization

Except in the situations listed in the sections above, we will use and disclose your PHI only with your written authorization. This means we will not use your PHI in the following cases, unless you give us written permission:

• Marketing purposes, except as allowed by HIPAA or applicable law (by way of example, marketing communications allowed by HIPAA without authorization include communications pertaining to care or treatment and/or our products or services).
• Sale of your information.
• Most sharing of psychotherapy notes.

In the case of fundraising, we may contact you for fundraising efforts, but you can tell us not to contact you again for such a purpose.

In some situations, federal and state laws provide special protections for specific kinds of PHI and require authorization from you before we can disclose that specially protected PHI. For example, additional protections may apply in some states to genetic, mental health, drug and alcohol abuse, rape and sexual assault, sexually transmitted disease and/or HIV/AIDS-related information, and/or to the use of your PHI in certain review and disciplinary proceedings of healthcare professionals by state authorities. In these situations, we will comply with the more stringent state laws pertaining to such use or disclosure. If you have questions about these laws, please contact the Privacy Officer at 614-321-9743 or [email protected].

Your Rights Regarding Your Protected Health Information

You have the right to:

• Request restrictions by asking that we limit the way we use or disclose your PHI for treatment, payment, or healthcare operations. You may also ask that we limit the information we give to someone who is involved in your care, such as a family or friend. Please note that we are not required to agree to your request and we may say “no” if it would affect your care. If you pay for a service or health care item out-of-pocket in full, you can ask us not to share that information for the purpose of payment or our operations with your health insurer. We will say “yes” unless a law requires us to share that information
• Ask that we communicate with you by another means. For example, if you want us to communicate with you at a different address, we can usually accommodate that request. We may ask that you make your request to us in writing. We will agree to reasonable requests.
• Request an electronic or paper copy of your PHI. We may ask you to make this request in writing and we may charge a reasonable fee for the cost of producing and mailing the copies, which you will receive usually within 30 days. In certain situations, we may deny your request and will tell you why we are denying it. In some cases, you may have the right to ask for a review of our denial.
• Ask to amend PHI we created that you feel is incorrect or incomplete. Your request for an amendment must be in writing and provide the reason for your request. In certain cases, we may deny your request, in writing within 60 days. You may respond by filing a written statement of disagreement with us and ask that the statement be included with your PHI.
• Choose someone to act for you. If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information. We will confirm the person has the authority and can act for you before we take any action.
• Seek an accounting of certain disclosures by asking us for a list of the times we have disclosed your PHI, including who we’ve shared it with and why. Your request must be in writing and give us the specific information we need in order to respond to your request. You may request disclosures made up to six years before your request. You may receive one list per year at no charge. If you request another list during the same year, we may charge you a reasonable, cost-based fee. These lists will not include disclosures made for treatment, payment, or healthcare operations and certain other disclosures as permitted by law (such as any you asked us to make).
• Request a paper copy of this NPP. You can ask for a paper copy of this NPP at any time, even if you have agreed to receive this NPP electronically. We will provide you with a paper copy promptly.
• Receive written notification of any breach of your unsecured PHI.
• File a complaint if you believe your privacy rights have been violated. You can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting https://www.hhs.gov/hipaa/filing-a-complaint/complaint-process/index.html. We will not retaliate against you for filing a complaint.

Communication Platforms

We may make certain PHI, such as information about care or treatment, appointment histories and medication records, accessible to you through secured online tools such as your AndHealth patient account and through the App.

We may also use PHI to send you appointment reminders and other communications relating to your care and treatment, or let you know about treatment alternatives or other health related services or benefits that may be of interest to you, via email, phone call, or text message.

If you agree to our Consent to Communications, and communicate with us via emails, texts or chats, you acknowledge that we may exchange PHI with you via email, text or chat, that email, text and certain chat functionality may not be a secure method of communication, and that you agree to the security risks of such communication. If you would prefer not to exchange PHI via email, text or chat, you can choose not to communicate with us via those means, and you can notify us at support@andhealth.com.

Changes to Privacy Practices

AndHealth Providers may modify this NPP from time to time. The revised NPP will apply to all PHI that we maintain. We will make any such changes to this NPP by posting the revised NPP on our website, and the revised NPP will be available upon request. The date of the last update will be clearly indicated at the top of this NPP. Please review this NPP from time to time to ensure you are familiar with our privacy practices.

Questions and Complaints

If you have any questions about this NPP or would like an additional copy, please contact our Privacy Officer at 614-321-9743 or emailing [email protected].

If you think that we may have violated your privacy rights or you disagree with a decision we made about access to your PHI, you may send a written complaint to the Privacy Officer at AndHealth Providers, 2 Miranova Pl, Suite 500, Columbus, OH 43215.

By clicking on the “I Acknowledge Receipt of the Notice of Privacy Practices” check box to sign this NPP, You acknowledge receipt of the NPP.