Notice of HIPAA Privacy Practice

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

We are required by law to protect the privacy of health information that may reveal your identity, and to provide you with a copy of this notice, which describes the health information privacy practices of our medical group, its medical staff and affiliated health care providers who jointly perform health care services with our medical group. A copy of our current notice will always be posted on our website at www.heydayhealth.com. You can obtain a copy of this notice at any time by emailing the Privacy Officer at privacy@heydayhealth.com

If you have any questions about this notice or would like further information, please contact the Privacy Officer at privacy@heydayhealth.com or (234) 200-0854.

WHAT HEALTH INFORMATION IS PROTECTED

We are committed to protecting the privacy of information we gather about you while providing health-related services. Some examples of protected health information include information indicating that you are a patient of our medical group or receiving health-related services from our providers, information about your health condition, genetic information, or information about your health care benefits under an insurance plan, each when combined with identifying information, such as your name, address, social security number or phone number.

YOUR RIGHTS TO ACCESS AND CONTROL YOUR HEALTH INFORMATION

You have the following rights to access and control your health information:

Right to Inspect and Copy Records: You have the right to inspect and obtain a copy of any of your health information that may be used to make decisions about you and your treatment for as long as we maintain this information in our records, including medical and billing records. To inspect or obtain a copy of your health information, please submit your request in writing to the Privacy Officer. If you request a copy of the information, we may charge a fee for the costs of copying, mailing or other supplies we use to fulfill your request. If you would like an electronic copy of your health information, we will provide you a copy in electronic form and format as requested as long as we can readily produce such information in the form requested. Otherwise, we will cooperate with you to provide a readable electronic form and format as agreed. In some limited circumstances, we may deny the request.

Right to Amend Records: If you believe that the health information we have about you is incorrect or incomplete, you may ask us to amend the information for as long as the information is kept in our records by writing to us. Your request should include the reasons why you think we should make the amendment. If we deny any part of or your entire request, we will provide a written notice that explains our reasons for doing so. You will have the right to have certain information related to your requested amendment included in your records.

Right to an Accounting of Disclosures: You have a right to request an “accounting of disclosures,” which is a list with information about how we have shared your health information with others. To obtain a request form for an accounting of disclosures, please write to the Privacy Officer. You have a right to receive one list every 12-month period for free. However, we may charge you for the cost of providing any additional lists in that same 12-month period.

Right to Receive Notification of a Breach: You have the right to be notified within sixty (60) days of the discovery of a breach of your unsecured protected health information if there is more than a low probability the information has been compromised. The notice will include a description of what happened, including the date, the type of information involved in the breach, steps you should take to protect yourself from potential harm, a brief description of the investigation into the breach, mitigation of harm to you and protection against further breaches and contact procedures to answer your questions.

Right to Request Restrictions: You have the right to request that we further restrict the way we use and disclose your health information to treat your condition, collect payment for that treatment, run our normal business operations or disclose information about you to family or friends involved in your care. To request restrictions, please write to the Privacy Officer. We are not required to agree to your request for a restriction, unless that restriction is regarding disclosure of health information to your health insurance company and: (1) the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and (2) the health information pertains solely to a health care item or service for which you or another person (other than your health insurance company) paid for in full. However, if we do agree, we will be bound by our agreement unless the information is needed to provide you with emergency treatment or comply with the law. Once we have agreed to a restriction, you have the right to revoke the restriction at any time. Under some circumstances, we will also have the right to revoke the restriction as long as we notify you before doing so.

Right to Request Confidential Communications: You have the right to request that we contact you about your medical matters in a more confidential way, such as calling you at work instead of at home, by notifying the Health Ally who is assisting you. We will not ask you the reason for your request, and we will try to accommodate all reasonable requests.

Right to Obtain a Copy of Notices: If you are receiving this Notice electronically, you have the right to a paper copy of this Notice. We may change our privacy practices from time to time. If we do, we will revise this Notice and post any revised Notice on our website.

Right to File a Complaint: If you believe your privacy rights have been violated, you may file a complaint with us by calling the Privacy Officer at (234) 200-0854 or with the Secretary of the Department of Health and Human Services. We will not withhold treatment or take action against you for filing a complaint.

REQUIREMENT FOR WRITTEN AUTHORIZATION

Generally, we will obtain your written authorization before using your health information or sharing it with others outside of our medical group, except as provided below. There are certain situations where we must obtain your written authorization before using your health information or sharing it, including:

Marketing: We may not disclose any of your health information for marketing purposes except as otherwise permitted by law.

Sale of Protected Health Information: We will not sell your protected health information to third parties. The sale of protected health information, however, does not include a disclosure for public health purposes, for research purposes where our medical group will only receive payment for our costs to prepare and transmit the health information, for treatment and payment purposes, for the sale, transfer, merger or consolidation of all or part of our medical group, for a business associate or its subcontractor to perform health care functions on our medical group’s behalf, or for other purposes as required and permitted by law.

Psychotherapy Notes: We usually do not maintain psychotherapy notes about you. If we do, we will not use and disclose your psychotherapy notes without your written authorization except as otherwise permitted by law.

WRITTEN AUTHORIZATION

If you provide us with written authorization, you may revoke that written authorization at any time, except to the extent that we have already relied upon it. To revoke a written authorization, please write to the Privacy Officer at our medical group.

HOW WE MAY USE AND DISCLOSE YOUR HEALTH INFORMATION WITHOUT YOUR WRITTEN AUTHORIZATION

There are some situations when we do not need your written authorization before using your health information or sharing it with others, including:

Treatment, Payment and Health Care Operations.

Treatment: We may share your health information with providers at the medical group who are involved in taking care of you, and they may in turn use that information to diagnose or treat you. A provider in our medical group may share your health information with another provider to determine how to diagnose or treat you. Your provider may also share your health information with another provider to whom you have been referred for further health care.

Payment: We may use your health information or share it with others so that we may obtain payment for your health care services. For example, we may share information about you with your health insurance company in order to obtain reimbursement after we have treated you. In some cases, we may share information about you with your health insurance company to determine whether it will cover your treatment.

Health Care Operations: We may use your health information or share it with others in order to conduct our business operations. For example, we may use your health information to evaluate the performance of our staff in caring for you, or to educate our staff on how to improve the care they provide for you.

Health Information Exchanges (HIEs): We also share your information with health information exchanges so it can be accessed by your treating providers and other authorized third parties. You have the right to request that we not share your health information with health information exchanges. Please contact our Privacy Officer if you would like more information on the health information exchanges we participate in or to opt out of having your information shared with these health information exchanges.

Business Associates. We may disclose your health information to contractors, agents and other “business associates” who need the information in order to assist us with obtaining payment or carrying out our business operations. Business associates are required by law to abide by the HIPAA regulations. If we do disclose your health information to a business associate, we will have a written contract to ensure that our business associate also protects the privacy of your health information. If our business associate discloses your health information to a subcontractor or vendor, the business associate will have a written contract to ensure that the subcontractor or vendor also protects the privacy of the information.

Friends and Family Designated to be Involved in Your Care. If you verbally agree or in certain other circumstances, we may share your health information with a family member, relative, or close personal friend who is involved in your care or payment for your care.

Other Types of Uses and Disclosures.

As Required by Law: We may use or disclose your health information if we are required by law to do so.
Public Health Activities: We may disclose your health information to authorized public health officials so they may carry out their public health activities under law, such as controlling disease or public health hazards.
Victims of Abuse, Neglect or Domestic Violence: We may release your health information to a public health authority authorized to receive reports of abuse, neglect or domestic violence. We only make these disclosures if you agree or when we are required or authorized by law to make the disclosure.
Health Oversight Activities: We may release your health information to government agencies authorized to conduct audits, investigations, and inspections of our facilities.
Lawsuits and Disputes: We may disclose your health information if we are ordered to do so by a court or administrative tribunal that is handling a lawsuit or other dispute. We may also disclose your information in response to a subpoena, discovery request, or other lawful request by someone else involved in the dispute, but only in accordance with procedures under applicable law.
Law Enforcement: We may disclose your health information to law enforcement officials for certain reasons, such as complying with court orders, assisting in the identification of fugitives or the location of missing persons, if we suspect that your death resulted from a crime, or if necessary, to report a crime that occurred on our property or off-site in a medical emergency.
To Avert a Serious and Imminent Threat to Health or Safety: We may use your health information or share it with others when necessary to prevent a serious and imminent threat to your health or safety, or the health or safety of another person or the public.

Workers’ Compensation: We may disclose your health information for workers’ compensation or similar programs that provide benefits for work-related injuries.

Coroners, Medical Examiners and Funeral Directors: In the event of your death, we may disclose your health information to a coroner or medical examiner. We may also release this information to funeral directors as necessary to carry out their duties.‍

Research: Under certain circumstances, we may disclose your health information to researchers who are conducting a specific research project. For certain research activities, an Institutional Review Board (IRB) or Privacy Board may approve uses and disclosures of your health information without your authorization.

Specialized Government Functions: In certain circumstances, HIPAA authorizes us to use or disclose your health information to authorized federal officials for the conduct of national security activities and other specialized government functions.

De-identified Data or Limited Data Set: We may use and disclose your health information if we have removed any information that has the potential to identify you so that the health information is “de-identified.” We may also use and disclose health information about you in the form of a “limited data set” if the person who will receive the information signs an agreement to protect the privacy of the information as required by federal and state law. A limited data set will not contain any information that would directly identify you (such as your name, street address, social security number, phone number, fax number, electronic mail address, website address, or license number).

Incidental Disclosures: While we will take reasonable steps to safeguard the privacy of your health information, certain disclosures of your health information may occur during or as an unavoidable result of our otherwise permissible uses or disclosures of your health information. ‍

Use and Disclosures Where Special Protections May Apply: Some kinds of information, such as HIV-related information, substance use disorder treatment information, mental health information, and genetic information, are provided special protections under state or federal laws. If there are more restrictive requirements under these laws, we may not disclose your health information without your written permission as required by such laws, even for some of the general purposes listed above. If you have questions or concerns about the ways these types of information may be used or disclosed, please speak with your health care provider.

Changes to This Notice: This notice is effective beginning April 14, 2021 and most recently revised on October 2, 2024. We reserve the right to change this notice at any time and to make the revised or changed notice effective in the future. If the terms of this notice are changed, a revised version will be available upon request and will be posted on our website at www.heydayhealth.com. We will abide by the terms of the notice currently in effect.