Last Updated: October 2022
This Notice of Privacy Practices (the Notice) describes the privacy practices of Gifthealth Inc. (“GH”). In this Notice, we may also refer to GH as we, us or our. It also applies to the members of its Affiliated Covered Entity (“GH ACE”). This is a group of covered entities and health care providers we own or control. They designate themselves as a single entity to comply with the Health Insurance Portability and Accountability Act ("HIPAA"). The members of the GH ACE can share Protected Health Information (PHI) with each other. We do this for the treatment, payment and health care operations of the GH ACE and as allowed by HIPAA and this Notice. For a complete list of the members of the GH ACE, contact the GH Privacy Office.
By law, we must protect your PHI. We must provide you with this Notice explaining our legal duties and privacy practices for your PHI. This Notice describes how we may use and disclose your PHI. We provide you with some examples, but we don’t spell out every allowable use or disclosure in this Notice. This Notice also describes your rights and what we must do to use and disclose your PHI. We, and our employees and workforce members, must follow the terms of this Notice and any changes we make to it. We must follow state privacy laws that are stricter (or more protective of your PHI) than federal laws. Some types of sensitive PHI may require even more privacy protections under state or federal law. These may include HIV information, genetic details, alcohol and/or substance abuse records and mental health records. If you would like more information on protections in your state, contact the GH Privacy Office. You can also contact the same office to learn more about use or disclosure restrictions for sensitive PHI.
PHI is information about you that we need in order to provide our services to you, and that may be used to identify you. It may include your name, contact information as well as information about your health, medical conditions, and prescriptions. It may also relate to your:
● Past, present or future physical or mental health or condition
● Provision of health care products and services to you
● Payment for such products or services
We may use and share your PHI for various reasons. For instance:
Treatment: We may use and disclose your PHI to provide and help you get the treatment, medication, and services you require. For example, we may:
● Share your PHI with other parties (such as pharmacies, doctors, hospitals or other health care providers) to help them provide care to you or coordinate your care. In some cases, uses and disclosures of your PHI may be made through a Health Information Exchange or other shared system.
● Contact you to offer services related to your treatment. These may include:
Payment: We may use and share your PHI to obtain payment for the services we provide to you and for other payment activities related to the services provided. For example, we may:
● Share your PHI with your insurer, pharmacy benefit manager, or other health care payor to determine whether it will pay for your health care products and services. This also may tell us how much you may owe.
● Contact you about a payment or balance due for prescriptions you get from us.
● Share your PHI to other health care providers, health plans or other HIPAA Covered Entities who may need it for their payment purposes.
Healthcare operations: We may use and share your PHI for our health care operations, which we need to carry out in our health care business. For example, we may:
● Use and share your PHI to monitor the quality of our health care services, provide customer services to you, resolve complaints and coordinate your care.
● Transfer or receive your PHI if we buy or sell pharmacy locations.
● Use and share your PHI to contact you about health-related products and programs. Or to tell you about things we think may interest you, such as programs for GH patients.
● Share your PHI with other HIPAA Covered Entities that have provided services to you. We do this so they can improve the quality and value of the health care services they provide.
● Use your PHI to create de-identified data. This is data that no longer identifies you. We may use it or share it for analytics, business planning or other reasons.
● Share your PHI to the Food and Drug Administration (FDA) relative to adverse events regarding drugs, foods, supplements, and other health products or to post marketing surveillance to enable product recalls, repairs, or replacement.
We are also allowed or required to use or share your PHI without your approval in situations such as:
Business associates: We may allow access to those who provide services to us and assure us they will protect the information. For example, third parties who perform billing or consulting services. They are required by law and their agreements with us to protect your PHI in the same way we do.
People involved in your care or for payment of it: We may share your PHI with certain people who are involved in your care or the payment of it. This may include a friend, personal representative, family member or any other person you identify as a caregiver. For example, we may provide prescriptions and related information to your caregiver on your behalf. We may also make these disclosures after your death unless you’ve expressly told us not to do so. Upon your death, we may disclose your PHI to a person allowed by law to act for your estate. If you are a minor, we may release your PHI to your parents or legal guardians when permitted or required by law.
Workers' compensation: We may share your PHI to comply with workers’ compensation laws or similar programs.
Law enforcement: We may share your PHI with law enforcement officials as permitted or required by law. For example, we may share your PHI to report certain injuries or to report criminal conduct that happens on our premises. Also, we may share it in response to a court order, subpoena, warrant or similar written request from law enforcement.
Required by law: We will share your PHI to comply with federal, state or local law.
Judicial and administrative proceedings: We may share your PHI in response to a court or administrative order, subpoena, discovery request or other lawful process.
Public health and safety purposes: We may share your PHI in certain situations to help with public health and safety issues. For example, to:
● Prevent disease
● Report adverse reactions to medicine
● Report suspected abuse, neglect or domestic violence
● Prevent or reduce a threat to a person’s health or safety
Health oversight activities: We may share your PHI to an oversight agency for certain activities, including:
● Audits, investigations, inspections, licensure or disciplinary actions
● Civil, administrative and criminal proceedings
● As necessary for oversight of the healthcare system, government programs or compliance with civil rights laws
Research: Under certain circumstances, we may use or disclose your PHI for research purposes. For example, we may use or disclose your PHI as part of a research study when the research has been approved by an institutional review board and there is an established protocol to ensure the privacy of your information.
Coroners, medical examiners and funeral directors: We may share your PHI to these entities so they may carry out their duties.
Organ or tissue donation: We may share your PHI to organ procurement organizations.
Notification: We may use or share your PHI to notify or to help to notify a family member or any other person responsible for your care about your location, general condition or death. We may also disclose your PHI to disaster relief groups so that your family or others responsible for your care can learn of your location, general condition or death.
Correctional institution: We may share your PHI with a correctional institution or its agents if you are or become an inmate. This is to help them provide your health care, and protect your health and safety, and that of others.
Specialized government functions and Military: We may share your PHI to authorized federal officials for the conduct of military, national security activities, and other specialized government functions. If you are a member of the U.S. armed forces or the foreign military, we may disclose your PHI for activities deemed necessary by appropriate command authorities or under the law.
In some situations, we may only use and share your PHI when you confirm in writing that it is okay to use or disclose your PHI. Those instances include:
● Using or disclosing your PHI for marketing purposes.
● Selling your PHI to third parties. (But we may do so without your permission if we transfer a business to another health care provider that must comply with HIPAA.)
● Sharing psychotherapy notes (if we have any).
We will need your written approval before using or disclosing your PHI for purposes other than those described in this Notice or permitted by law. You may revoke your approval anytime. Just send a written notice to the GH Privacy Office. Your revocation will be effective upon receipt. But it will not undo any use or sharing of your PHI that has already happened based on your previous permission.
Written requests and other information: You may ask for more information about our privacy practices, or obtain forms for submitting written requests. Just contact the GH Privacy Officer
● By writing: 266 North Fourth Street, Suite 200. Columbus, Ohio 43215
● By phone: (833) 614-4438
● By email: firstname.lastname@example.org
Obtain a copy of the Notice: You have the right to a paper copy of our current Notice anytime. You may do so by going to the site where you obtain health care services from us. You can also contact the GH Privacy Office.
Inspect and obtain a copy of your PHI: With a few exceptions, you have the right to see and get a copy of the PHI we have about you.
To inspect or get a copy of your PHI, send a written request to the GH Privacy Office. You may also ask us to provide a copy of your PHI to someone else. We may charge a reasonable fee, allowed by HIPPA.
We may deny your request to inspect and copy your record in certain cases. If we do, we will notify you in writing. We will let you know if you may request a review of the denial.
Request a change: If you feel the PHI we have about you is wrong or incomplete, you may ask us to fix it. For example, if your date of birth is incorrect, you may ask us to correct it.
Send a written request to the GH Privacy Office. You must include a reason for your request. If we deny your request, we will explain in writing the reasoning.
Receive a report of disclosures: You have the right to ask for a list of certain disclosures we make of your PHI for purposes other than treatment, payment or health care operations. This is called an"accounting." (Note certain other disclosures are not required in the report we give to you.)
To get a list of the disclosures, send a written request to the GH Privacy Office. We will provide one report every 12 months free of charge. But we may charge you for the cost of any other reports. We will notify you in advance of the cost. You may withdraw or modify your request at that time.
Request a restriction on certain uses and disclosures: You have the right to ask for limits on the way we use or share your PHI. Just send a written request to the GH Privacy Office.
We aren’t required to agree to your request except where the disclosure:
● Is to a health plan or insurer for purposes of carrying out payment or health care operations
● Is not otherwise required by law
● Is PHI related to a health care item or service for which you, or a person on your behalf, has paid in full out of pocket
If you don’t want a claim sent to your health plan, talk to your pharmacist or health care provider when you check in for care or before your prescription is sent to the pharmacy.
Request confidential communications: You have the right to request that we communicate with you in a certain way or at a certain location. For example, you may ask that we contact you only in writing at a specific address.
To request confidential communication of your PHI, send a written request to the GH Privacy Office. Your request must state how, where or when you would like us to contact you. We will accommodate all reasonable requests.
Notification of breach: You have a right to know if there is a breach of your unsecured PHI, as defined by HIPAA.
Complaints: If you believe your privacy rights were violated, you can file a complaint with the:
● GH Privacy Officer, in one of the three ways:
● Secretary of the U.S. Department ofHealth and Human Services
Submit all complaints in writing. We won’t penalize you or retaliate against you in any way if you file a complaint.
We may change the terms of this Notice and our privacy policies at any time. If we do, the new terms and policies will be effective for all the information we now have about you and they will apply to any information that we may get or hold in the future.
If we make material or important changes to our privacy practices, we will promptly revise our Notice.
You may ask for a copy of the revised Notice, by sending a request to the GH Privacy Office.
We will also post the revised Notice in our retail stores and on our website. Go to www.gifthealth.com. There will also be copies at our sites and locations where you receive health care products and services from us.
Effective Date. This Notice is effective as of 09/01/2022.