Notice of Privacy Practices: This notice describes how medical information about you may be used and disclosed, and how you can get access to this information. Please review it carefully.
This Notice of Privacy Practices applies to the Health Care Components of Cofactor Genomics, including our clinical diagnostic laboratory services. We will refer to the Health Care Components of Cofactor Genomics as the Cofactor Genomics Covered Entity or CFG-CE.
CFG-CE is required by law to maintain the privacy of your health information. In fact, we are committed to protecting the privacy and confidentiality of your healthcare information in accordance with the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). We maintain policies and procedures to protect your health information, and our employees receive training on how to protect your health information.
CFG-CE is required to provide you with notice of our legal duties and privacy practices with respect to your health information. This Notice of Privacy Practices describes our legal duties and how CFG-CE may use or disclose your protected health information (PHI) in order to provide clinical services to you, to facilitate payment of the clinical services provided to you, and to support the healthcare operations of our clinical diagnostic laboratories. We also describe your rights and certain obligations we have regarding the use and disclosure of your PHI. We must follow the terms of this Notice currently in effect. We must also notify you following a breach of unsecured PHI as described in more detail below.
Protected Health Information (PHI)
Protected Health Information or “PHI” includes your demographic information such as name, address, telephone number, social security number, birth date and gender. PHI also includes information regarding your health, illnesses and injuries, and information about the medical services provided to you. CFG-CE obtains your PHI from you and your physician, health plan, and other sources when you order clinical diagnostic tests or receive other healthcare services from CFG-CE.
CFG-CE is committed to protecting the confidentiality of every individual’s laboratory test results and other patient PHI. To ensure protection of PHI, CFG-CE has implemented policies and procedures to:
- comply with federal, state and local laws and regulations regarding the use and disclosure of such PHI
- protect confidentiality and integrity of PHI we collect, create or exchange as part of our diagnostic testing services
- prevent inappropriate access to or disclosure of such information
Uses and disclosure of PHI
CFG-CE may use or disclose PHI for treatment, payment or healthcare operation purposes and for other purposes permitted or required by law. While we cannot list every possible use or disclosure, most of the ways we use or disclose PHI will fall into one of the categories listed below. If we want to use or disclose PHI for purposes that do not fall into these categories, we must first obtain your written authorization. CFG-CE may use or disclose your PHI for the following types of activities according to law:
As a healthcare provider that provides laboratory testing for patients as requested by physicians, CFG-CE uses PHI as part of our testing processes, and CFG-CE discloses PHI to physicians and other authorized health care professionals who need access to the laboratory results to treat you and implement your care plan. In addition to the treating physician, we may provide a consulting specialist physician with information about a patient’s results to further validate the results before release to the ordering physician. We may also disclose a patient’s PHI to another testing laboratory if we are unable to perform the testing ourselves, and need to refer the specimen to that laboratory to perform the requested testing. Note that psychotherapy notes will not be disclosed for treatment purposes absent your authorization.
Our billing department will use and disclose PHI to certain insurance companies, hospitals, physicians and health plans for payment purposes, or to our third-party billing partners to assist us in creating bills and claim forms, and getting paid for our services. For example, we may send a patient’s name, date of service, test performed, diagnosis code and other information to a health plan so that the plan will pay us for the services we provided. In some cases, we may have to contact the patient to obtain billing information or for other billing purposes. When required, we may use an outside collection agency to obtain payment.
We may use or disclose PHI in the course of activities required to support our healthcare operations, such as performing quality checks on our testing, or for developing normal reference ranges for tests that we perform. This information will be used in an effort to continually improve the quality and effectiveness of the healthcare services we provide. We may also disclose health information to other healthcare providers or payers for their healthcare operations, but only if they already have a relationship with you and the purpose is for quality-assurance, peer-review or fraud-detection activities, or for other limited purposes.
Disclosures to business associates
CFG-CE may disclose your PHI to other companies or individuals who need your PHI to perform specific services for, and on behalf of, CFG-CE related to your healthcare. These other entities are known as “business associates.” Our business associates must comply with the terms of a contract that requires them to comply with the same HIPAA privacy and security requirements that we do. For example, PHI may be disclosed to couriers we use to transport specimens to us, or to private accrediting organizations that inspect and certify the quality of our laboratories.
Other ways your PHI may be used or disclosed without your authorization
In some circumstances, CFG-CE may use or disclose your PHI without your authorization when state and federal privacy laws permit or require such use or disclosure as set forth below.
Release of information to family/friends
We may disclose your PHI to a family member, close friend or other person you identify, to the extent the information is relevant to that person’s involvement in your care or payment related to your care. We will provide you with an opportunity to object to such a disclosure when it is reasonably practicable for us to do so.
Required by law
We may use or disclose PHI to the extent required by law and in a manner limited to the specific requirement of the law: for example, to comply with federal or state laws, the orders of a court, or the orders of a governmental agency; to report information related to victims of abuse, neglect or domestic violence; to assist law enforcement officials in performing their duties; or to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
Your PHI may be used or disclosed for public health activities such as assisting public health authorities or other legal authorities to prevent or control disease, injury or disability; tracking of prescription drug or medical device problems; or for other health oversight activities.
Health oversight activities
Your PHI may be disclosed to a health oversight agency for healthcare system oversight activities authorized by law (for example as part of our regular inspection of our laboratory by state regulators ensuring compliance with state laws).
Judicial and administrative proceedings
Your PHI may be disclosed in the course of a legal proceeding, in response to an order of a court or an administrative tribunal and, in certain cases, in response to a subpoena, discovery request or other lawful process.
We may use your PHI for research purposes or disclose your PHI to researchers when the research has been approved by an institutional review board that has reviewed the research proposal and established protocols to ensure the privacy of your health information.
In most circumstances, we are required by law to receive your written authorization before we use or disclose your health information for marketing purposes. However, we may provide you with general information about our health-related services and with promotional gifts of nominal value.
Threats to health or safety
We may use or disclose your PHI to prevent a serious threat to personal health or safety (for example, in the course of an investigation of a physician’s license).
Specialized government functions
We may use or disclose your PHI in connection with military command authorities, Veterans Administration, and national security and intelligence officials for activities deemed necessary to carry out their respective missions, or to law enforcement officials having custody of an inmate.
Your PHI may be disclosed to the extent authorized by and to comply with laws relating to workers compensation or similar programs established by law.
We may use your PHI to create de-identified information or we may disclose your information to a business associate so that the business associate can create de-identified information on our behalf. When we de-identify health information, we remove information that identifies you as the source of the information. Health information is considered de-identified only if there is no reasonable basis to believe that the health information could be used to identify you.
We may disclose your PHI to a coroner, medical examiner or funeral director as necessary to carry out their duties.
Note regarding state law
For all of the above purposes, when state law is more restrictive than federal law, we are required to follow the more restrictive state law.
Uses and disclosures of PHI that require written authorization
Uses and disclosures of PHI other than those listed above will be made only with your written authorization, unless otherwise permitted or required by law. For example, we must receive your authorization for any use or disclosure of your PHI that constitutes a sale of PHI. You may revoke your written authorization, at any time in writing, except to the extent we have already taken action in reliance on the authorization.
You have the following rights with respect to your PHI:
Right to access and receive copies of your PHI
Subject to certain exceptions, you have the right to request and receive a copy of your healthcare records we maintain. You have the right to receive a copy of your PHI in electronic format, if we maintain your PHI in an electronic format and we can readily produce a readable electronic copy. We may ask you to make your request for a copy of your records in writing and to provide us with the specific information we need to fulfill your request. We reserve the right to charge a reasonable fee for the cost of producing and mailing the copies of such information.
Right to amend your PHI
If you believe that your medical information is incorrect or incomplete, you have the right to ask us to amend your PHI. All requests for amendment must be in writing. In certain cases, we may deny your request. For example, we may deny a request if we did not create the information, or if we believe the current information is correct. All denials will be made in writing.
Right to request confidential communications
You have the right to request, and we must accommodate reasonable requests by you, to receive communications of your PHI confidentially. This means that you can request that we send your PHI to you by alternative means or at alternative locations. All requests for confidential communications must be in writing.
Right to an accounting of disclosures of PHI
You have the right to request an accounting of certain instances in which we have disclosed your PHI. We will require you to provide us with the specific information we need to fulfill your request. If you request this accounting more than once in a 12-month period, we may charge you a reasonable fee.
Right to request restrictions on uses and disclosures of your PHI
You have the right to request a restriction on the way we use or disclose your PHI for treatment, payment or healthcare operations. In most cases, we are not required to agree to a requested restriction. If we do agree to a restriction, we may not use or disclose your PHI in violation of the restriction, unless otherwise required by law or an emergency when the information is necessary to treat you. If you request that we not provide PHI to your health insurer for purposes of carrying out payment or healthcare operations, we are required to agree to that restriction if you have paid in full for the service provided. All requests for reasonable restrictions must be in writing.
Right to receive Notice of Privacy Practices
You have a right to receive a paper copy of this Notice of Privacy Practices upon request at any time by contacting our Privacy Officer.
Right to breach notification
You have the right to receive notice of any breach of your unsecured PHI. Generally, a breach occurs if an unauthorized acquisition, access, use or disclosure of PHI compromises the security or privacy of the PHI.
Changes to this Notice
We reserve the right to revise and change this Notice effective for PHI we already have about you as well as any information we receive in the future. We will post a copy of the current Notice on our website and will update the effective date accordingly.
If you believe your privacy rights have been violated, you may file a complaint with CFG-CE and with the Secretary of the Department of Health and Human Services. You will not be retaliated against for filing a complaint.
A complaint to CFG-CE may be sent to: HIPAA Privacy Officer, Cofactor Genomics, 4044 Clayton Ave, St. Louis, MO 63110. You may also call us regarding compliance and privacy at (888) 602-0448.
A complaint to the Secretary may be sent to: Medical Privacy, Complaint Division, Office for Civil Rights (OCR) U.S. Department of Health and Human Services, 200 Independence Avenue SW, Room 509F, HHH Building Washington DC, 20201.
You may also contact OCR’s Voice Hotline Number at (800) 368-1019 or send the information to their Internet address www.hhs.gov/ocr.
How to obtain information about this Notice or complain about our privacy practices
To request a copy of this Notice of Privacy Practices at any time, or obtain additional information about this notice, you may contact:
HIPAA Privacy Officer
4044 Clayton Ave
St. Louis, MO 63110