HIPAA Notice and Consent
Last Updated: October 22, 2019
THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
1. Who Must Follow This Notice
Developed by our team of doctors, Limber Health, Inc. (referred to as “Limber”, “we,” “our,” or “us”) provides you with tailored suggestions and programs based on the information you provide regarding your specific health status and goals. This is a joint notice of our information privacy practices. All departments and units of our organization, including employees and contractors, will follow this notice. We may share health information with each other for purposes described in this Notice. In addition, we also use and share your information for other reasons as allowed and required by law. If you have any questions about this Notice, please see our contact information located at the bottom of this Notice.
2. What Information Does This Notice Cover?
Regulations under the Health Information Portability and Accountability Act of 1996 (“HIPAA”) law tell us how we can use and disclose, and how we must safekeep and secure, identifiable health information we collect from and about you. Once you enroll in the Limber Program, we collect that information directly from you via questionnaires, your exercising progress, and health information you disclose. Once we receive this information, it is treated as “protected health information” or “PHI” under HIPAA, and this Notice applies to all such information.
PHI includes identifiable health information (such as your name and email address), and information that relates to (a) your past, present, or future health or condition, or (b) the provision of health care to you. We need PHI to provide you with high quality, tailored programs and to comply with certain legal requirements.
3. Our Commitment to Your Privacy
We understand that health information about you is private and personal. We are dedicated to maintaining the privacy and integrity of the protected health information that we receive from you as part of your application for or participation in the Services.
We are required by law to maintain the privacy of your PHI and to provide you with notice of our legal duties and privacy practices with respect to your PHI. When we use or disclose your PHI, we are required to abide by the terms of this Notice (or other Notice in effect at the time of the use or disclosure). This Notice applies to the records of services you receive at or from Limber.
4. How We May Use and Disclose Protected Health Information About You
This section of our Notice shares how we may use PHI about you. We will protect PHI as much as we can under the law. Sometimes state law gives more protection to PHI than federal law. Sometimes federal law gives more protection than state law. In each case, we will apply the laws that protect PHI the most.
We are required to maintain the confidentiality of your PHI, and we have policies and procedures and other safeguards to help protect your PHI from improper use and disclosure. The following categories describe different ways that we use your PHI within Limber and disclose your PHI to persons and entities outside of Limber. We have not listed every use or disclosure within the categories below, but all of the ways that we are permitted to use and disclose PHI will fall within one of the following categories. In addition, there are some uses and disclosures that will require your specific authorization, which are described below as well.
How much PHI may legally be used or disclosed without your written permission will vary depending, for example, on the intended purpose of the use or disclosure.
Sometimes we may only need to use or disclose a limited amount of PHI, such as to send you a reminder or to confirm your health insurance coverage. At other times, we may need to use or disclose more PHI such as when a doctor is providing medical treatment.
Below are examples of ways that we may disclose PHI about you without a written authorization from you.
- Disclosure at Your Request. If you ask us to send PHI about you to a third party such as a friend, family member, or healthcare provider, we will do so if we believe that your request is authentic. We may ask you to prove your identity before we honor this request. We may need up to 60 days to honor a request like this, depending on the data you want us to disclose, but in most cases we can honor this request in 30 or fewer days.
- Physician/Provider Care. This is an important use and disclosure of your PHI. We may use and disclose your PHI to a physician or other health care provider to provide treatment and other services to you. For example, we may disclose your pain level reduction results to your physician so that he/she can monitor your results in our program.
- Health Care Operations of Covered Entities. We are also permitted to share PHI about you with other covered entities for their health care operations (including, for example, your employer, health plan and certain service providers serving as the business associates of such entities). For example, we might share PHI about you with your health insurer when they are evaluating whether they have made the right types of chronic condition programs available to you. Or, we might share PHI about you with your physician’s office so that he/she can demonstrate to the federal government that he/she has referred you to a chronic condition management program and how it is working for you. Any other covered entity in this example must have or have had a relationship with you. And, like our health care operations, any other covered entity may only seek from us PHI about you that is the minimum necessary for its purposes. Other examples of another’s health care operations include, but are not limited to, using information about you to improve quality of care, quality assessment activities, disease management programs, patient satisfaction surveys, compiling health information, training, de-identifying PHI and benchmarking.
- Business Associates. Some services in our organization are provided through our contracts with business associates. Examples of business associates include accreditation agencies, management consultants, quality assurance reviewers, and billing and collection services, and secure cloud hosting of data, including PHI, that we are legally responsible for. We may disclose your PHI to our business associates so that they can perform the job we have asked them to do. To protect your PHI, we require our business associates to sign a contract or written agreement stating that they will appropriately safeguard your PHI and will use it only as we permit them to under that contract.
- Health-Related Products and Services. We may use and disclose your PHI to tell you about our health-related products or services that may be of interest to you.
- Threat to Health or Safety. We may use and disclose your PHI when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat as determined by us in good faith.
5. Special Situations That Do Not Require Your Authorization
The following categories describe some additional circumstances in which Limber may use or disclose your PHI without your authorization.
- Lawsuits and Other Legal Disputes. We may use and disclose PHI in responding to a court or administrative order, a subpoena, or a discovery request. We may also use and disclose your PHI to the extent permitted by law without your authorization, for example, to defend a lawsuit or arbitration.
- Law Enforcement Officials. We may disclose your PHI to the police or other law enforcement officials as required or permitted by law: (1) in response to a court order, subpoena, warrant, summons or similar process; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) about the victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement; (4) about a death we believe may be the result of criminal conduct; (5) about criminal conduct at Limber; and (6) in emergency circumstances to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime.
- Victims of Abuse, Neglect or Domestic Violence. If we reasonably believe you are a victim of abuse, neglect, or domestic violence, we may disclose your PHI to a governmental authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence.
- Health Oversight Activities. We may disclose your PHI to a health oversight agency for activities authorized by law. An example of a health oversight agency is a state health insurance regulator or Medicaid program. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.
- Research that Does Not Involve Your Treatment. When a research study does not involve any treatment, we may disclose your PHI to researchers. To do this, we will either ask your permission to use your PHI or we will use a special process that protects the privacy of your PHI. For example, we are allowed to supply to a third party researcher a data set with identifiers about you removed except for complete dates and five digit zip codes. The researcher, before receiving this data set, must contract with us to limit her use of it, to safekeep the data, and to destroy or return it when the research concludes.
- Specialized Government Functions. We may use and disclose your PHI to units of the government with special functions, such as the U.S. military or the U.S. Department of State, under certain circumstances. We may use and disclose your PHI to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law. We may use and disclose your PHI to authorized federal officials so they may provide protection to the President, other authorized persons or foreign heads of state, or conduct special investigations.
- Workers’ Compensation. We may disclose your PHI as authorized by and to the extent necessary to comply with state laws relating to workers’ compensation or other similar programs.
- As Required By Law. We may use and disclose your PHI when required to do so by any other law not already referred to in the preceding categories. For example, the Secretary of the Department of Health and Human Services may review our compliance efforts, which may include seeing your PHI.
6. Situations Requiring Your Written Authorization
We will first obtain your written permission if there are situations that we need to use your PHI that require written authorization by law. This permission is described as a written “authorization.” If you authorize us to use or disclose PHI about you, you may revoke that authorization in writing at any time. If you revoke your authorization, we will no longer use or disclose PHI about you for the reasons stated in that written authorization, except to the extent we have already acted in reliance on your authorization. You understand that we are unable to take back any disclosures we have already made with your permission, and we are required to retain our records. Also, a revocation applies only to what was authorized, and does not apply to the example situations above where we are permitted to use or disclose PHI about you without an authorization. Some typical disclosures that require your authorization are:
- Research Involving Your Treatment. When a research study involves your treatment, we may disclose your PHI to researchers only after you have signed a specific written authorization. In addition, an Institutional Review Board (IRB) will already have reviewed the research proposal, established appropriate procedures to ensure the privacy of your PHI and approved the research. You do not have to sign the authorization, but if you refuse, you cannot be part of the research study and may be denied research-related treatment.
- Marketing. We must also obtain your written authorization prior to using your PHI to send you any information that HIPAA defines as marketing information. HIPAA defines marketing as a communication about a product or service that encourages you to purchase or use the product or service when that product is not one of Limber’s programs or services, or when we are paid to communicate about the product or service to you.
There are some types of communications we may send you that are not part of the Services, for which we do not need your prior authorization. We might send these communications to you directly, or one of our business associates may send them for us.
7. Your Rights Regarding Your PHI
You have the following rights regarding PHI we maintain about you. You may contact us to obtain additional information and instructions for exercising the following rights.
- Right to request additional restrictions. You may request restrictions on our use and disclosure of your PHI. While we will consider all requests for additional restrictions carefully, we are not required to agree to a requested restriction, unless the request is regarding a disclosure to a health plan for a payment or health care operation purpose and the PHI relates solely to a health care item or service for which we have been paid out-of-pocket in full. This request must be in writing. We will send you a written response. If we agree with the request, we will comply with your request except to the extent that disclosure has already occurred or if you are in need of emergency treatment and the information is needed to provide the emergency treatment.
- Right to Receive Confidential Communications. You may request to receive your PHI by alternative means of communication or at alternative locations. For example, you can request that we only contact you at work or by mail. To request confidential communications, you must make your request in writing. We will not ask you for the reason for your request. We will accommodate all reasonable requests. Your request must specify how or where you wish to be contacted. We note, however, that as our program operates best through an online digital platform, a request for alternative communications may negatively impact how you experience the program.
- Inspection and Copies. You have an absolute right to obtain copies of the PHI we have about you that we collect and use in the normal course of providing the Services to you. You do not have a right to get copies of PHI we have about you in research databases or in data sets we use to study and improve the quality of our business, to train our employees, or manage the legal and financial aspects of our business, although typically, we do not use PHI for most such purposes. To obtain a copy, we require that you request that copy in a way that we can reliably conclude is authentic. You may request a copy of PHI about you in writing on paper, via an email where we have the means to confirm your identity, or through contacting firstname.lastname@example.org when our support team can confirm your identity. If you want your legal representative or attorney to request this copy for you, they will have to request the copy in writing as we have not issued any digital identity credentials to them. We reserve the right to reject an online request as inauthentic.
- Once we have your authentic request, we will see if the information you want is easily available to you on your account with us, and coach you through how to access it. If more work is required by us, we have up to 30 days to complete that work, which we may extend by another 30 days if necessary to prepare the data.
- Once we have your authentic request, we will also discuss with you in what form and format you want the information, among those we offer. For example, do you want the information printed, or in a secure spreadsheet? We will also discuss with you how to deliver it where you want it to go. We are always obliged to send PHI securely, and we do not allow the copying of PHI onto mobile storage devices like thumb-drives to protect the security of our systems.
- We will provide (or transmit at your request) one copy of your PHI per calendar year at no cost to you. If you request more than one copy per year, we are allowed to charge you for copying (for example, the cost of paper and ink) and mailing/transmission, and will supply you with an estimate before proceeding, so that you can change your mind if you want to.
- Right to Amend Your Records. You have the right to request that we amend PHI we have about you. If you desire to amend your records, your request must be in writing. We will accept an email or secure message that we believe is authentically from you. We will comply with your request unless we believe that the information that would be amended is accurate and complete or other special circumstances apply. If we deny your request, you will be permitted to submit a statement of disagreement for inclusion in your records.
- Right to Addendum. You have the right to add an addendum to your PHI maintained in your medical record.
- Right to Receive an Accounting of Disclosures. You can request that we give you an “accounting of disclosures”. This is a summary of the people and organizations to whom we have disclosed PHI about you that are outside of Limber or who are not covered entities that have a relationship with you and who have received PHI as described in this notice. Your request must be written (not by phone) so we know exactly what you want. We will accept as a writing a request on paper, via the messaging feature of your Limber account, via an email where we have the means to confirm your identity, or through contacting email@example.com when our support team can confirm your identity. We reserve the right to reject an online request as inauthentic. Through your request, you may obtain an accounting of certain disclosures of your PHI made by us during any period of time six years prior to the date of your request. Your written request should indicate in what form you want the list (for example, on paper or electronically). If you request an accounting more than once during a twelve (12) month period, we will charge you for the costs involved in fulfilling your additional request. We will inform you of such costs in advance, so that you may modify or withdraw your request to save costs.
- Copy of this Notice. You are entitled to a copy of this notice. You can print out a paper copy of this notice from our website any time you like. You are also entitled to ask us to print it and mail it to you. You may obtain a copy of this Notice at our website: . To obtain a paper copy of this Notice, contact us using the contact information at the end of this Notice.
8. Minimum Necessary
To the extent required by law, when using or disclosing your PHI or when requesting your protected health information from another covered entity, we will make reasonable efforts not to use, disclose, or request more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use, disclosure, or request, taking into consideration practical and technological limitations.
9. Changes to this Notice
We may prospectively change the terms of this Notice from time to time. Changes will apply to current PHI, as well as new PHI after the change occurs. We will post the new Notice on our website at . Upon your request, you may obtain any revised Notice by calling or emailing us and requesting that a revised copy be sent to you in the mail.
10. Concerns or Complaints
If you desire further information about your privacy rights, are concerned that we have violated your privacy rights, or disagree with a decision that we made about access to your PHI, you may contact us (listed below). Finally, you may send a written complaint to the U.S. Department of Health and Human Services, Office of Civil Rights. Our Privacy Officer can provide you the address. We will not take any action against you for filing a complaint.
11. Consent to Share and Release Information
APPLICABLE TO U.S. RESIDENTS
Limber Health, Inc. (“Limber”), as part of administering the Limber program (“Services”), may have access to and use my personal health information (“PHI”), which I provide to Limber as part of my participation in the Services. I understand and acknowledge that Limber may store, share, and use my PHI to review and improve the quality of the Services. Furthermore, Limber may provide health information to my health plan; if my health plan requests any of my PHI, Limber may provide such PHI as is minimally necessary, as defined by HIPAA, to accomplish the request.
12. How to Contact Us
If you would like more information about your privacy rights, please contact Limber and ask to speak with the Privacy Officer or email firstname.lastname@example.org. To the extent you are required to send a written request to Limber to exercise any right described in this Notice, you must submit your request to Limber at:
Limber Health, Inc.
Cooley LLP c/o Brian Burke
11951 Freedom Drive
Reston, Virginia 20190-5656