HIPAA BUSINESS ASSOCIATE PRIVACY STATEMENT
HealthRight LLC takes privacy very seriously. HealthRight is a Business Associate, which provides services, such as maintenance of medical records, customer-intake, billing and technical services to the physicians, known as Covered Entities, who provide telehealth services to our customers (“Physicians”). As a Business Associate, we share a commitment with the Physicians to protect the privacy and confidentiality of health information that we obtain about you subject to the terms of our Business Associate Agreements with Physicians and in compliance with the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, and the HIPAA Privacy and Security Rules (collectively “HIPAA”).
This Privacy Statement is provided to help you better understand how we at HealthRight use, disclose, and protect your health information in accordance with the terms of Business Associate Agreements between HealthRight and Covered Entities such as Physicians and as required by HIPAA.
Business Associate Agreement. The Business Associate Agreement is a formal written contract between HealthRight and a Covered Entity that requires HealthRight to comply with specific requirements related to the use and disclosure of your health information.
Covered Entity. A Covered Entity is a health plan, health care provider (e.g., physician, physician group practice, hospital), or healthcare clearinghouse that must comply with HIPAA.
Use and Disclosure of Your Health Information
The following is a description of how HealthRight may use and disclose your health information:
- We may disclose your health information when you have signed a written authorization permitting the physician to disclose it.
- We may use your health information for our management, administration, data aggregation and legal obligations to the extent such use of your health information is permitted or required by the Business Associate Agreements and not prohibited by law.
- We may use or disclose your health information on behalf of, or to provide services to, Physicians for purposes of fulfilling our service obligations to the Physicians, if that use or disclosure is permitted or required by HIPAA or the Business Associate Agreement. For example:
  - We may use and disclose your health information to facilitate the provision of telehealth and related services provided by Physicians.
  - We may use and disclose your health information for billing and payment purposes.
  - We may use and disclose your health information for the Physicians’ healthcare operations, which are business tasks that we assist with on behalf of the Physicians that are necessary for the Physicians to continue to provide telehealth services and for them to maintain quality telehealth for HealthRight customers. Whenever practical, we remove information that identifies you.
- In the event that your health information must be disclosed to a subcontractor or agent, we will ensure that, under a Subcontractor Business Associate Agreement, the subcontractor or agent agrees to abide by the same restrictions and conditions that apply to us under our Business Associate Agreements with the Physicians with respect to your health information.
- We may use your health information to report violations of law to appropriate federal and state authorities or as otherwise required by law.
- We may not use or disclose your psychotherapy notes without your written authorization.
- We may not use or disclose your health information for marketing purposes unless you have authorized the Physicians to do so.
Use and Disclosure of De-Identified Health Information
For various reasons, HealthRight may use de-identified health information, and the de-identified health information of other HealthRight users. In this situation, all identifiers are removed from your health information in accordance with HIPAA requirements, so there is no reasonable basis to believe that the information can be used to identify you.
We use appropriate safeguards to prevent the use or disclosure of your health information. We have implemented administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of your electronic health information that we create, receive, maintain, or transmit on behalf of Physicians. By way of example, such safeguards include:
- Maintaining appropriate clearance procedures and providing supervision to assure that our workforce follows appropriate security procedures;
- Providing appropriate training for our staff to assure that our staff complies with our security policies;
- Securing all transmissions of your health information within existing technology, such as sending password-protected, encrypted electronic prescriptions;
- Properly securing all communication modalities;
- Using appropriate storage, backup, disposal and reuse procedures to protect your health information;
- Using appropriate authentication and access controls to safeguard your health information, including your medical record;
- Using best efforts to secure your health information to make it unusable, unreadable or indecipherable to individuals who do not have authorization to review your health information;
- Using appropriate security incident/breach procedures and providing training to our staff sufficient to detect and analyze security incidents and breaches; and
- Maintaining a current contingency plan and emergency access plan to assure that your health information that we hold on behalf of a Physician is available when needed.
Mitigation of Harm
In the event of a use or disclosure of your health information that is in violation of the requirements of the Business Associate Agreements, we will mitigate, to the extent practicable, any harmful effect resulting from the violation. Such mitigation will include:
- Reporting to the Physician any use or disclosure of your health information not provided for by the Business Associate Agreements and any security incident of which we become aware;
- Cooperating with the Physicians; and
- Documenting disclosures of your health information and information related to such disclosures as would be required for the Physicians to respond to a request for an accounting of disclosures of your health information in accordance with HIPAA requirements.
Access to Your Health Information
We will make your health information available to Physicians or, as directed by them, to you, in accordance with your right of access under HIPAA. HealthRight will comply with the health information amendment and accounting obligations set forth in HIPAA. If you wish to access your health information, please send a written or email request to:
Chief Administrative Officer
181 Washington Street
Conshohocken PA 19428
Or via email to: Privacy@HealthRight.com
Upon request, we will make available our internal practices, books, and records relating to the use and disclosure of your health information received from, or created or received by HealthRight on behalf of a Physician to the Secretary of the U.S. Department of Health and Human Services for the purpose of determining compliance with HIPAA.