Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Genalyte’s Protection of Protected Health Information (PHI)
Under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and related amendments to both HIPAA and HITECH, Genalyte, Inc. (“Genalyte”) is required by law to maintain the privacy of your individually identifiable health information, called protected health information (“PHI”), and to provide you with notice of our legal duties and privacy practices with respect to your PHI. This protection applies to any PHI whether in oral, written or electronic format. Genalyte is committed to the protection of your PHI in compliance with all local, state and federal laws and regulations and will make reasonable efforts to ensure the confidentiality of your PHI. We take this commitment seriously and we strongly urge you to read this notice carefully.
Genalyte’s Use and Disclosure of PHI
Genalyte collects your PHI to the extent necessary to provide services and obtain payment for these services. If a breach occurs that compromises the privacy or security of your information, we will let you know promptly. When it comes to your health information, you have certain rights. While we cannot list every possible use or disclosure, all of the ways we use or disclose your PHI will fall into one of the following categories.
- FOR TREATMENT – Genalyte will use your PHI to provide your medical care, and we disclose PHI to physicians, nurses, pharmacies, and other health care professionals who provide you with health care services and/or are involved in the coordination of your care, such as providing your physician with your laboratory test results. We may also disclose your PHI to another laboratory if we are unable to perform the testing ourselves.
- FOR PAYMENT – Genalyte will use or disclose PHI to obtain payment for laboratory services we provide. For example, we may provide PHI to a third-party billing company or your health plan to receive payment for the health care services provided to you.
- FOR HEALTH CARE OPERATIONS – Genalyte will use or disclose your PHI for health care operations purposes. Genalyte may also disclose PHI to other health care providers or health plans that are involved in your care for their health care operations. For example, we use health information about you to manage your treatment and services.
- FOR PERSONS INVOLVED IN YOUR CARE – Genalyte may disclose PHI to individuals, such as family members or others who are involved with your care or assist you in paying for your care. We also may disclose such information to an entity assisting in a disaster relief effort. To the extent allowed by federal and state law, we may disclose the PHI of minors to their parents or legal guardians.
- FOR BUSINESS ASSOCIATES – We may also disclose PHI to our business associates, such as our billing service, that perform administrative services for us. We have written agreements with each of our business associates that outline the protection of your confidentiality.
Other Uses and Disclosures: We are permitted and/or required by law to disclose your PHI without your consent, subject to conditions specified by law.
- To comply with the law. We will share information about you if state and federal laws require it, including with the U.S. Department of Health and Human Services if they want to see that we are complying with federal privacy law.
- In response to a court or administrative order, subpoena, discovery request, or other lawful process, including but not limited to the following:
- For law enforcement purposes, including reporting of certain types of wounds or physical injuries or in response to a court order, warrant, subpoena or summons, or similar process authorized by law;
- For identification or location of a suspect, fugitive, material witness or missing person;
- If we believe you to be a victim of a crime we may release your PHI to certain governmental agencies;
- To medical examiners or coroners for the purpose of identifying a deceased person, determining the cause of death, or another purpose authorized by law and to funeral directors as necessary to carry out their duties with respect to the deceased consistent with applicable law;
- In relation to criminal conduct on Genalyte premises;
- To law enforcement officials to identify or locate suspects, fugitives, witnesses, victims of crimes, or any other allowable law enforcement purpose;
- As required by law to a government oversight agency conducting audits, investigations, inspections, oversight functions, and to prevent a serious and imminent threat to an individual or the public;
- For public health activities such as required public health investigations as well as reporting of disease, injury, and death;
- To the U.S. Food and Drug Administration for the purpose of reporting adverse events, product defects, and participation in product recall;
- In relation to your worker’s compensation benefits;
- To a personal representative who administers or executes your estate as established under applicable law;
- To researchers conducting research with respect to which your written consent is not required as approved by an Institutional Review Board in compliance with governing law so long as researchers do not remove or copy any of the PHI;
- If you are a member of the military, to include military personnel, veterans, and the U.S. Armed Forces for activities set forth by certain military command authorities required by armed forces services. This also includes authorization for, if necessary, national security, intelligence, or protective services activities compliant with U.S. Law;
- De-identified Information and Limited Data Sets may be used or disclosed. Health information that has been de-identified does not contain any information that can directly identify you. Both de-identified information and limited data sets do not contain any information that could directly identify you. For example, a limited data set may include your city, but not your street address or name.
Authorization for Other Uses and Disclosures of PHI
Any other manner of PHI disclosure not set forth above requires Genalyte to obtain your written authorization. If you would like to authorize us to release your PHI in a manner not set forth above, you will need to provide written authorization to our HIPAA Privacy Officer. You can find this contact information below. You may also revoke your written authorization at any time. You can do this by contacting the HIPAA Privacy Officer in writing to notify them of your revocation.
Information Breach Notification
If it is determined that a breach has occurred we must undertake the following steps:
- We will perform a Risk Assessment (“RA”) considering the following factors: (i) the nature and extent of PHI involved (including the types of identifiers and the likelihood of re-identification), (ii) the unauthorized person who used the PHI or to whom the disclosure was made, (iii) whether the PHI was actually acquired or viewed and (iv) the extent to which the risk to PHI is mitigated.
- If we can demonstrate through the RA that there is a low probability that your PHI has been compromised then the Breach Notification is not required.
- If the RA determines that the PHI has been compromised we will send you written notice without unreasonable delay and no later than sixty (60) days from the discovery of the breach.
- Such notification will include: (i) a description of what happened (including the dates the breach occurred and was discovered if known), (ii) a description of the types of unsecured PHI that were involved in the breach (e.g., whether the breach involved the full name, date of birth, home address, account number, diagnosis, or other types of information), (iii) steps individuals involved in the breach should take to protect themselves from potential harm resulting from such breach, (iv) a description of the steps Genalyte is taking to investigate the breach, mitigate harm to individuals and protect against further breaches, and (v) contact procedures for individuals to ask questions or obtain additional information (including Genalyte’s phone number, email address, website and mailing address).
- Regarding diagnoses, such notification may also include whether and what kinds of treatment information were involved in the breach.
- Such notification may also indicate whether employee sanctions were imposed depending on the nature of such breach.
Your Rights Regarding PHI
Subject to certain exceptions under applicable law, your rights with respect to your PHI are as follows:
- You have a right to request a paper and/or electronic copy of this notice at any time by contacting us at email@example.com, calling us at (858) 956-1200 and asking for the HIPAA Privacy Officer, or by sending a written request to Attention: HIPAA Privacy Officer, 10520 Wateridge Circle, San Diego, CA 92121.
- You have the right to request restrictions on how we use and disclose your PHI for treatment, payment, and health care operations activities; or our disclosure of PHI to individuals involved in your care or payment for your care. We retain the right to terminate an agreed-to-restriction if we believe such termination is appropriate. If we have terminated this restriction, we will notify you in writing of this termination.
- You have the right to receive communications of PHI in confidence.
- You have the right to inspect and obtain a copy of your PHI consisting of your laboratory test results or reports ordered by your physician.
- You have a right to receive an accounting of disclosures of your PHI made by us to individuals or entities other than you in the past six (6) years. This list will not include disclosures for:
  - When a written authorization form has been received by the patient.
  - Treatment, payment, and health care operations.
  - Occurred prior to the date of compliance with privacy standards.
  - Requests made by correctional institutions, law enforcement officials as provided by law, and national security and intelligence purposes.
- If you believe that your PHI contains a mistake, you may request, in writing, that we correct the information. If your request is denied, we will provide an explanation of the reasoning for our denial.
- To request a copy of your PHI:
  - Contact our HIPAA Privacy Officer by email at firstname.lastname@example.org or by submitting a request in writing to Genalyte, Attention: HIPAA Privacy Officer, 10520 Wateridge Circle, San Diego, CA 92121.
How to Exercise Your Rights or Ask Questions
To exercise your rights or for any questions regarding this Notice, please contact our HIPAA Privacy Officer at 10520 Wateridge Circle, San Diego, CA 92121.
To File a Complaint
If you believe that your privacy rights have been violated, you have a right to file a complaint with the HIPAA Privacy Officer at Genalyte or with the Secretary of the U.S. Department of Health and Human Services. The complaint must be in writing and describe the acts or omissions that you believe violate your privacy rights. There will be no retaliatory action against you if you make such a complaint.
U.S. Department of Health and Human Services
Office of the Secretary
200 Independence Avenue, S.W.
Washington, D.C. 20201
Tel: (202) 619-0257
Toll Free: 1-877-696-6775
Amendments to Genalyte’s Notice of Privacy Practices
This Notice is effective November 25, 2020