Notice of Privacy Practices
Last Updated: March 1, 2019
THIS NOTICE DESCRIBES HOW MEDICAL AND PHARMACEUTICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED, AND HOW YOU CAN OBTAIN ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This Notice of Privacy Practices addresses the legal duties and privacy practices of Schraft’s 2.0, LLC (“Schraft’s,” “we,” “us,” or “our”) regarding the protected health information (“PHI”) of individuals that use our services as an online pharmacy focused on fertility drugs (“patients,” “you,” or “your”), and their rights under the Health Insurance Portability and Accountability Act, as amended (“HIPAA”).
I. Uses and Disclosures of PHI.
PHI is information about a patient, including demographic information, that may identify the patient and is related to the patient’s past, present or future physical or mental health or condition and related health care services. There are circumstances where we are not required to receive a patient’s written authorization to use or disclose patient PHI, outlined in Section (A) below, and Section (B) provides circumstances when patient written authorization is required to use or disclose the patient’s PHI.
A. Patients’ Prior Written Authorization Not Required.
1) Business Associates
There are some services provided by us through contracts with HIPAA business associates. When these services are contracted for, we may disclose our patients’ PHI to our business associates so that they can perform the job we have asked them to do and bill the applicable patient or your third-party payor for services rendered. To protect our patients’ PHI, we require the business associate to appropriately safeguard the PHI and sign a business associate agreement with us.
We are permitted to use and disclose our patients’ PHI in connection with their medical treatment in situations such as allowing a family member, other relative, close personal friend or other person involved in the patient’s health care to pick up the patient’s prescriptions and to receive PHI that is directly related to the patient’s care. In doing so, we are to use our professional judgment and experience with common practice in determining what is in the patient’s best interest. Other examples include sending information about a patient’s prescriptions to the patient’s family doctor or to a specialist who is treating the patient or to a hospital where the patient is receiving care, particularly if the patient has suffered a health emergency.
If a patient is covered by a pharmacy benefit plan, we are entitled to send PHI to the plan or to another business entity involved in our billing system describing the medication or health care equipment we have dispensed so that we can receive payment.
4) Health Care Operations
In addition, we can provide PHI for health care operations such as evaluations of the quality of our patients’ health care in order to improve the success of treatment programs. Other examples include reviews of health care professionals, insurance premium rating, legal and auditing functions, and business planning and management.
Additional Disclosures of Our Patients’ PHI Without Written Authorization are Permitted under the Following Circumstances:
a) When required by law to do so, such as reporting patients’ health information to state, federal, or local law enforcement officials, court officials, or government agencies, such as the FDA.
b) When ordered by authorized public health officials for the purpose of carrying out public health activities, such as to report product problems, or exposure to a communicable disease.
c) When the use/disclosure relates to victims of abuse, neglect or domestic violence.
d) When the use/disclosure is for health oversight activities, such as by written request of a state/federal government agency performing management audits, financial audits, and program monitoring.
e) When the use/disclosure is for judicial and administrative proceedings, such as in response to an order of a court.
f) When the use/disclosure is to provide notification and reporting of an unsecured breach as required by law.
g) When the use/disclosure is for law enforcement purposes, such as reporting certain types of wounds or injuries, or if there is a good faith belief the disclosure is necessary to prevent or lessen a serious, imminent threat to the safety of a person or the public.
h) When the use/disclosure is related to death, such as disclosing a patient’s health information to coroners, medical examiners and funeral directors so they can carry out their duties related to such patient’s death.
i) When the use/disclosure is related to cadaveric organ, eye, or tissue donation purposes.
j) We may disclose information about our patients for military activities, national security and intelligence activities, and for protective services to the President of the United States.
k) We may disclose information about our patients to a correctional institution having lawful custody of such patients.
l) We may disclose your health information as authorized by and to the extent necessary to comply with the laws related to workers’ compensation or other similar programs established by law.
m) When the use/disclosure relates to certain research purposes. For example, in limited circumstances, we may disclose your information to researchers preparing a research protocol or if an institutional review board determines authorization is not necessary.
B. Patients’ Prior Written Authorization Required
For purposes other than those mentioned above, we are required to ask for our patients’ written authorizations before using or disclosing any of their PHI. If we request an authorization, any of our patients may decline to agree, and if a patient gives us an authorization, the patient has the right to revoke the authorization at any time and by doing so, stop any future uses and disclosures of the patient’s health information that the authorization covered. An example of a situation where the patient’s prior authorization would be required would be if we wish to conduct a marketing program that would involve the use of PHI, or disclosures that constitute sale of PHI, explained in further detail below.
Marketing. We must obtain our patients’ written authorization prior to using patients’ PHI for purposes that are marketing under the HIPAA privacy rules. For example, we will not accept any payments from other organizations or individuals in exchange for making communications to our patients about treatments, therapies, health care providers, settings of care, case management, care coordination, products, or services unless the patient has given us his or her authorization to do so or the communication is permitted by law. We may communicate with patients about a product that is currently prescribed so long as any payment we receive in relation to making the communication is reasonably related to the cost of making the communication. In addition, we may market to patients in a face-to-face encounter and give patients promotional gifts of nominal value without obtaining patients’ written authorization.
Sale of Protected Health Information. We will not make any disclosure of PHI that is a sale of Protected Health Information without our patients’ written authorization.
II. Patients’ Rights
HIPAA (and associated regulations) provide our patients with rights concerning their PHI. With limited exceptions (which are subject to review) each patient has the right to the following:
1) Patient’s Record
Each patient has the right to access and copy the patient’s PHI contained in a designated record set upon written request. The designated record set usually will include prescription and billing records. We may charge patients a fee as authorized by law to fulfill such requests. Upon receiving a patient’s request to access his or her PHI, we are required to respond to the patient no later than thirty (30) days after the receipt of the request. We may deny the request to inspect and copy in certain limited circumstances. If a patient is denied access to his or her PHI, the patient may request that the denial be reviewed. Patients may request access to their health information in a certain electronic form and format, if readily producible, or, if not readily producible, in a mutually agreeable electronic form and format. Further, patients may request in writing that we transmit such a copy to any person or entity they designate. The written, signed patient request must clearly identify such designated person or entity and where we should send the copy. To inspect or copy PHI, patients should email us at firstname.lastname@example.org.
2) Accounting for Disclosures
Each patient can, upon written request, obtain a list of the disclosures of the patient’s PHI by us that have occurred within the 6 years preceding the request, except for disclosures made for the purposes of treatment, payment or health care operations and certain others. We will provide patients with an accounting no later than sixty (60) days after receipt of such request, with an option to extend for an additional thirty (30) days if we are unable to provide the accounting within the time required. There will be no charge for the first request in any twelve (12) month period, but we are entitled to charge a reasonable cost-based fee for additional requests made in the same period of time. Patients should submit requests for an accounting of disclosures to email@example.com.
Each patient may ask to change the record of his or her own PHI upon written request explaining why the change should be made. We will review the request, but may decline to make the change if in our professional judgment we conclude that the record should not be changed. If we deny your request for amendment, you have the right to file a statement of disagreement with the decision and we give a rebuttal to your statement. We will respond to patient requests no later than sixty (60) days after receipt of such request, with an option to extend for an additional thirty (30) days if we are unable to provide the accounting within the time required. Patients should submit requests for an amendment to firstname.lastname@example.org.
4) Confidential Communications
Upon written request, each patient can ask us to communicate with him or her about their own PHI in a confidential manner such as by sending mail to an address other than the home address or using a particular telephone number. Patient requests must state how or where the patient would like to be contacted. We will attempt to accommodate all reasonable requests, and will not request an explanation for the basis for the request. Patients should submit requests for confidential communication to email@example.com.
5) Special Restrictions
Upon written request, each patient can ask us to adopt special restrictions that further limit our use and disclosure of the patient’s PHI (except where use and disclosure are required of us by law or in emergency circumstances). You may also request that any part of your PHI not be disclosed to family members or friends who may be involved in your care or for your notification purposes. We will consider the request, but in accordance with HIPAA we are not required to agree to the request. Patients also have the right to request restriction with regard to disclosure of health information to a patient’s health insurance company if: (1) the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and (2) the health information pertains solely to a health care item or service for which we have been paid in full (other than by your health insurance company). We will accommodate such a request, except where we are required by law to make a disclosure. If we agree to your requested restriction, we will comply with your request unless the information is needed to provide you emergency treatment. Patients should submit requests for restriction to firstname.lastname@example.org.
6) Revoking Authorization
If a patient has signed an authorization to disclose information, the patient can later revoke that authorization, in writing, to stop future uses and disclosures. Revocation will not apply to disclosures or uses already made or taken in reliance on the authorization. Patients should submit revocations to email@example.com.
If a patient believes that we have violated the patient’s rights as to the patient’s PHI under HIPAA or if a patient disagrees with a decision we made about access to the patient’s PHI, the patient has the right to file a written complaint with our Contact Person listed below. Our Contact Person is required to investigate, and if possible, to resolve each such complaint, and to advise the patient accordingly. The patient also has the right to send a written complaint to the U.S. Department of Health and Human Services at the address listed below. Under no circumstances will we permit any retaliation against any patient for filing a complaint.
U.S. Department of Health and Human Services Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
We are required by law to protect the privacy of our patients’ PHI, to provide this notice about our privacy practices, and follow the privacy practices that are described in this notice. We reserve the right to make changes in our privacy practices that will apply to all PHI that we maintain. If or when we change our notice, we will post the new notice on our website.
Corporate Compliance Officer
3 Wing Drive, Suite 102
Cedar Knolls NJ 07927
Copyright 2019 Schraft’s 2.0, LLC. All rights reserved.