Notice of Privacy Practices
Effective Date: September 12, 2013
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This Notice of Privacy Practices (this “Notice”) will tell you about the ways in which Progenity, Inc. (“we” or “us”) protects, uses and discloses your protected health information (“PHI”). This Notice also describes your rights and certain obligations we have regarding the use and disclosure of PHI. If you have any questions about this Notice, or need additional information related to this Notice, please contact our Privacy Ofﬁcer Howard Slutsky at 5230 S. State Road, Ann Arbor, Michigan 48108, (248) 536-3259.
“PHI” means any information, transmitted or maintained in any form or medium, which we create or receive that relates to your physical or mental health, the delivery of health care services to you, or payment for health care services, and that identifies you or could be used to identify you. We maintain your PHI in records we create related to the services and items you receive from us. This Notice applies to all of those records created, received or maintained by us.
We are required by law to: make sure that PHI is kept private; give you this Notice of our legal duties and privacy practices with respect to your PHI; and comply with the currently effective terms of this Notice. You may request from us a copy of your completed laboratory test report. See the section below titled "Your Rights with Respect to Your PHI and How to Exercise Them." The following paragraphs describe examples of the ways we may use and disclose PHI:
Use for Treatment, Payment or Health Care Operations
For Treatment: We may use PHI about you to provide, coordinate and manage your health care treatment and related services. For example, we may disclose PHI about you to our personnel, as well as to doctors, nurses, hospitals, clinics, and other health care providers who are involved in your care. For example, your PHI may be provided to a health care provider to whom you have been referred so as to ensure that the health care provider has appropriate information regarding your previous treatments and diagnoses.
For Payment: We may use and disclose PHI about you so that the services and items you receive from us may be billed to and payment may be collected from you, an insurance company or a third party payor. For example, we may need to give your insurance company information about the services or items that you received from us so that your insurance company will pay us or reimburse you for the services or items.
We will not share treatment information with your insurance company or another third party payor when you pay out of pocket for the treatment.
For Health Care Operations: We may use or disclose your PHI to carry out health care operations. These are activities that are needed to operate our facilities and for administrative and quality assurance purposes. They include, for example: conducting quality assessment and improvement activities; reviewing the qualifications and performance of health care providers; training and performing accreditation, certification, or licensing activities; and managing our business and performing general administrative activities.
Other Uses and Disclosures of PHI
Listed below are a number of other ways that PHI can be used or disclosed. This list is not exhaustive. Therefore, not every use or disclosure in a category is listed.
Business Associates: We obtain some services provided through contracts with business associates in which PHI is disclosed. For example, we may use a third party for billing and collections, document destruction, software support and quality assurance. At times, we may disclose your PHI to our business associates so that the business associates can provide services to, or on behalf of, us. We will require that any business associate who receives your PHI appropriately safeguards your PHI through a written business associate agreement. If our business associate discloses the PHI to its own subcontractor, it must enter into a similar agreement with the subcontractor regarding your PHI as we have with it.
Individuals Involved in Your Care or Payment for Your Care: We may release PHI about you to a friend or family member who is involved in your medical care or who helps to pay for your care. In addition, we may disclose PHI about you to an entity assisting in a disaster relief effort so that your family can be notiﬁed about your condition, status and location. You have the right to object to such disclosure, unless you are unable to function or there is an emergency.
As Required by Law: We may use and disclose PHI about you when required to do so by federal, state or local law.
Law Enforcement/Legal Proceedings: We may disclose PHI about you for law enforcement purposes as required by law or in response to a court or administrative order. We may disclose PHI about you in response to a subpoena, discovery request or other lawful process by someone else involved in a dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested.
Public Health Risks: We may disclose PHI about you for public health activities, including to prevent or control disease, or, when required by law, to notify public authorities concerning cases of abuse or neglect. We may disclose necessary information about you to law enforcement, to family members, or to others if we believe that you may present a serious danger to yourself or others. We may warn others in order to prevent or lessen serious threat to you or to others.
Coroners and Medical Examiners: We may release PHI about you to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death.
Research: Under certain circumstances, we may use or disclose PHI about you for research purposes. For example, we might disclose PHI for use in a research project involving the effectiveness of certain medical procedures. In some cases, we might disclose PHI for research purposes without your knowledge or approval. However, such disclosures will be made only if approved through a special process. This process evaluates a proposed research project and its use of PHI, and balances the research needs with your need for privacy of your PHI.
To Avert a Serious Threat to Health or Safety: We may use and disclose PHI about you when necessary to prevent a serious threat to your health or safety or the health or safety of the public or another person.
Military: If you are a member of the armed forces, we may release PHI about you as required by military command authorities.
About a Decedent: In the event of your death, disclosures about you (the decedent) can be made to family members or others involved in your care or payment for your care prior to your death unless inconsistent with your prior expressed preferences that are known to us. Disclosures may also be made to your personal representative.
Health-Related Benefits and Services: We may use and disclose PHI about you to tell you about health-related benefits or services that may be of interest to you.
Additional State and Federal Requirements: Some state and federal laws provide additional privacy protection of your health information. These include:
Sensitive Information. Some types of health information are particularly sensitive, and the law, with limited exceptions, may require that we obtain your written permission or in some instances, a court order, to use or disclose that information. Sensitive health information includes information dealing with genetics, HIV/AIDS, mental health, sexual assault and alcohol and substance abuse.
Information Used in Certain Disciplinary Proceedings. State law may require your written permission if certain health information is to be used in various review and disciplinary proceedings by state health oversight boards.
Information Used in Certain Litigation Proceedings. State law may require your written permission for us to disclose information in certain legal proceedings.
Disclosures to Certain Registries. Some laws require your written permission if we disclose your health information to certain state-sponsored registries.
Uses and Disclosures of PHI that Require Your Written Permission (Authorization): Uses and disclosures of your PHI for purposes other than those referred to in this Notice will be made only with your written authorization. You also have the right to revoke such authorization in writing for any future uses and disclosures. However, it will not stop any uses or disclosures that we have already made before you revoked your authorization.
The disclosure of your records is subject to your authorization if we receive financial remuneration from a third party whose product or service is the subject of the communication of PHI. Financial remuneration consists of direct or indirect payment to us from, or on behalf of, the third party whose product is the subject of the communication. We may obtain conditional or unconditional authorizations for research activities provided the authorization differentiates between those that are conditional and those that are unconditional.
If we receive direct or indirect remuneration in exchange for the disclosure of PHI (a so-called “sale” of PHI), an authorization must be obtained from you. A sale of PHI is a disclosure of PHI by us where we or a business associate directly or indirectly receive remuneration from or on behalf of the recipient of the PHI in exchange for the PHI.
We may combine conditional and unconditional authorization for research if we differentiate between the two activities and allow for unconditional research activities. Future research studies may be part of a properly executed authorization which includes all of the required core elements of an authorization.
We must obtain an authorization for any use or disclosure of PHI for marketing, except if the communication is in the form of:
(A) Face-to-face communication made by us to you.
(B) A promotional gift of nominal value provided by us.
If the marketing involves financial remuneration to us from a third party, the authorization must state that such remuneration is involved.
Right to Opt Out of Fundraising Communications. We may engage in fundraising activities, and may contact you in connection with those activities. If we do, you have the right to opt out of receiving such communications by notifying our Privacy Officer in writing.
Your Rights with Respect to Your PHI and How to Exercise Them
You have the following rights with respect to your PHI:
Completed Test Reports: You (or your authorized representative) may request from us a copy of your completed laboratory test reports under the HHS and CMS final rule of February 6, 2014 providing patient access to test reports.
Inspect and Copy: You have the right to inspect and copy your PHI maintained by us. Generally, this information includes health care and billing records. You have the right to obtain electronic copies of your PHI. You do not have a right of access to (1) information prepared in anticipation of or for use in, a civil, criminal, or administrative action; and (2) PHI maintained by us that is (a) subject to the Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C. 263a (“CLIA”), if access to the individual would be prohibited by law, or (b) exempt from CLIA pursuant to 42 U.S.C. 493.3(a)(2). Under certain circumstances, you also do not have a right of access to information created or obtained in the course of research involving treatment or received from someone other than a health care provider under a promise of confidentiality.
To inspect and/or obtain copies of your PHI maintained by us you must submit your request in writing to our Privacy Officer, at the address listed on the first page of this Notice. We may charge a fee for the costs of copying, mailing or other expenses associated with complying with your request consistent with federal and state law. We may deny your request to inspect and copy your PHI for the reasons set forth above or under certain other limited circumstances. If you are denied access to PHI other than for a reason stated above, you will receive a written denial. You may request that the denial be reviewed. Thereafter, a licensed health care provider chosen by us will review your request and the denial. The person conducting the review will not be the person who originally denied your request. We will comply with the outcome of the review.
You may request that we transmit a copy of your PHI to another person. To do so you must request this in writing, you must sign the request, and it must clearly identify the designated person and where to send the copy of the PHI.
Right to Amend PHI: You may ask us to amend the PHI we have about you. You have the right to request an amendment for so long as the information is kept by or for us. To request an amendment to your PHI, your request must be made in writing and submitted to our Privacy Officer. In addition, you must provide a reason that supports your request. We will generally make a decision regarding your request for amendment no later than sixty (60) days after receipt of your request. However, if we are unable to act on the request within this time, we may extend the time for thirty (30) more days but we will provide you with a written notice of the reason for the delay and the approximate time for completion. If we deny your requested amendment, we will provide you with a written denial.
We have the right to deny your request for an amendment if it is not in writing or does not include a reason to support the request. We are not required to agree to your request if you ask us to amend PHI that: was not created by us, unless the person or entity that created the information is no longer available to make the amendment; is not part of the PHI kept by or for us; is not part of the PHI which you would be permitted to inspect and copy; or is already accurate and complete.
Right to an Accounting of Disclosures: You have the right to request an accounting of our disclosures of PHI about you. We do not have to list certain disclosures, such as those made pursuant to a prior authorization by you or for certain law enforcement purposes.
To request this list or accounting of such disclosures, your request must be submitted in writing to our Privacy Officer. Your request must also state a time period, which may not be longer than six (6) years. Your request should also specify the format of the list you prefer (i.e., on paper or electronically). The first list you request within a twelve (12) month period will be free. For additional lists, we may charge you for the costs of providing the list. We will notify you of the costs involved and you may choose to withdraw or modify your request at that time before any costs are incurred.
Right to Request Restrictions on Use or Disclosure: You have the right to request that we restrict uses and/or disclosures of PHI about you to carry out treatment, payment or health care operations, and also to request that we restrict disclosures to a family member, other relative or a close personal friend of yours or any person identified with you PHI directly relevant to that person’s involvement with your health care or payment related to your health care. You may request that we restrict information from use or disclosure involving PHI to notify or assist in notification of a family member, a personal representative of yours, or another person responsible for your care of your location, general condition or death.
However, we are not obligated to agree to the request to restrict the disclosure to a health plan if the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law, and if the PHI pertains solely to a health care item or service for which you or a person other than a health plan on your behalf has paid us in full.
We may terminate a restriction if you agree to or request a termination in writing, if you orally agree to the termination and the oral agreement is documented, or if we inform you that we are terminating the agreement to a restriction, except that such termination is not effective for PHI restricted as provided in the above paragraph, and is only effective with respect to PHI created or received after we have so informed you.
We cannot restrict disclosures required by law or requested by the federal government to determine if we are meeting our privacy protection obligations. We are not required to agree to your request; however, if we do agree, we will comply with your request unless the information is needed to provide you emergency health care treatment. To request restrictions, you must make your request in writing to our Privacy Officer. Your request must specify (1) what PHI you want to limit; (2) whether you want to limit our use, disclosure or both; and (3) to whom you want the limits to apply (e.g., disclosures to your spouse). We may terminate our agreement to the restriction if you orally agree to the termination and it is documented, you request the termination in writing or we inform you that we are terminating our agreement with respect to any information created or received after receipt of our notice.
We will document the restriction and maintain it in written or electronic form for a period of at least six (6) years from the date of its creation of the day when it was last in effect, whichever is later.
Right to Request Conﬁdential Communications: You have the right to request that we communicate with you about health care matters in a certain way or at a certain location. For example, you can ask that we use an alternative address for billing purposes. To request confidential communications, you must make your request in writing to our Privacy Officer. We will not ask you the reason for your request. We will accommodate all reasonable requests. Your request must specify how or where you wish to be contacted.
Right to a Paper Copy of this Notice: You have the right to a paper copy of this Notice. You may ask us to give you a copy of this Notice at any time. Even if you have agreed to receive this Notice electronically, you are still entitled to a paper copy of this Notice. To obtain a paper copy of this Notice, please write to or call our Privacy Officer.
Breach of Your Unsecured PHI
We will notify you in the event we become aware of a breach of your unsecured PHI. An acquisition, access, use or disclosure of PHI in a manner not permitted is presumed to be a breach unless we are able to demonstrate that there is low probability that the PHI has been compromised based on a risk assessment of at least the following factors:
(1) The nature and extent of the PHI involved, including the types of identifiers and the likelihood of identification.
(2) The unauthorized person who used the PHI or to whom the disclosure was made.
(3) Whether the PHI was actually acquired or viewed.
(4) The extent to which the risk to the PHI has been mitigated.
Changes to this Notice
We reserve the right to change our privacy practices that are described in this Notice. We reserve the right to make the revised or changed privacy practices applicable to PHI we already have about you as well as any information we receive in the future. Prior to a material change to the uses or disclosures, your rights, our legal duties or other privacy practices stated in this Notice, we will promptly revise the Notice. The Notice will contain the effective date on the first page.
If you believe your privacy rights have been violated, you may ﬁle a complaint with us or with the Secretary of the Department of Health and Human Services. To file a complaint with us, write to our Privacy Officer. All complaints must be in writing. Complaints to the Secretary may be filed either in paper or electronically. You will not be penalized or retaliated against for ﬁling a complaint.