HIPAA Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This Notice of Privacy Practices applies to Invitrox Inc and all its business units.
Invitrox Inc’s Protection of Protected Health Information (PHI)
Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Invitrox is required by law to maintain the privacy of health information that identifies you, called protected health information (PHI), and to provide you with notice of our legal duties and privacy practices regarding PHI. Invitrox is committed to the protection of your PHI and will make reasonable efforts to ensure the confidentiality of your PHI, as required by statute and regulation. We take this commitment seriously and will work with you to comply with your right to receive certain information under HIPAA.
Invitrox Inc’s Use and Disclosure of PHI
As permitted under HIPAA, the following categories explain the types of uses and disclosures of PHI that Invitrox may make. Some of the uses and disclosures described may be limited or restricted by state laws or other legal requirements, for example, the Clinical Laboratory Improvement Amendments of 1988 (CLIA). Please contact our Privacy Officer, using the contact information provided at the end of this notice, for specific information regarding your state.
- For treatment – Invitrox may use or disclose PHI for treatment purposes, including disclosure to physicians, pharmacies, and other health care professionals who provide you with health care services and/or are involved in the coordination of your care, such as providing your physician with your laboratory test results.
- For payment – Invitrox may use or disclose PHI to bill and collect payment for laboratory services we provide. For example, Invitrox may provide PHI to your health plan to receive payment for the health care services provided to you.
- For health care operations – Invitrox may use or disclose PHI for health care operations purposes. These uses and disclosures are necessary, for example, to evaluate the quality of our laboratory testing, accuracy of results, accreditation functions and for lab operation and management purposes.
- Individuals involved in your care or payment for your care – Invitrox may disclose, as allowed by federal and state law, the PHI of minors to their parents or legal guardians.
- As required by law – Invitrox must disclose your PHI if required to do so by federal, state, or local law.
- Research – Invitrox may use and disclose PHI for research purposes. Limited data or records may be viewed by researchers to identify patients who may qualify for their research project or for other similar purposes, so long as the researchers do not remove or copy any of the PHI. Before we use or disclose PHI for any other research activity, one of the following will happen: 1) a special committee will determine that the research activity poses minimal risk to privacy and that there is an adequate plan to safeguard PHI; 2) if the PHI relates to deceased individuals, the researchers give us assurances that the PHI is necessary for the research and will be used only as part of the research; or 3) the researcher will be provided only with information that does not identify you directly.
- Workers’ compensation – As authorized by applicable laws, Invitrox may use or disclose PHI to comply with workers’ compensation or other similar programs established to provide work-related injury or illness benefits.
- De-identified Information and Limited Data Sets: Invitrox may use and disclose health information that has been “de-identified” by removing certain identifiers making it unlikely that you could be identified. Invitrox also may disclose limited health information, contained in a “limited data set”. The limited data set does not contain any information that can directly identify you. For example, a limited data set may include your city, county, and zip code, but not your name or street address.
Other Uses and Disclosures of PHI
For purposes not described above, including uses and disclosures of PHI for marketing purposes and disclosures that would constitute a sale of PHI, Invitrox will ask for patient authorization before using or disclosing PHI. If you signed an authorization form, you may revoke it, in writing, at any time, except to the extent that action has been taken in reliance on the authorization.
Information Breach Notification
Invitrox is required to provide patient notification if it discovers a breach of unsecured PHI unless there is a demonstration, based on a risk assessment, that there is a low probability that the PHI has been compromised. You will be notified without unreasonable delay and no later than 60 days after discovery of the breach. Such notification will include information about what happened and what can be done to mitigate any harm.
Patient Rights Regarding PHI
Subject to certain exceptions, HIPAA establishes the following patient rights with respect to PHI:
- Right to Receive a Copy of the Invitrox Notice of Privacy Practices – You have a right to receive a copy of the Invitrox Notice of Privacy Practices at any time by contacting us at firstname.lastname@example.org, calling us at 919-381-5625 and asking for the Invitrox HIPAA Privacy Officer, or by sending a written request to: HIPAA Privacy Officer, Invitrox Inc, 76 TW Alexander Drive, Research Triangle, NC 27709. This Notice will also be posted on the Invitrox internet site at www.invitrox.com.
- Right to Request Limits on Uses and Disclosures of your PHI – You have the right to request that we limit: 1) how we use and disclose your PHI for treatment, payment, and health care operations activities; or 2) our disclosure of PHI to individuals involved in your care or payment for your care. Invitrox will consider your request but is not required to agree to it unless the requested restriction involves a disclosure that is not required by law to a health plan for payment or health care operations purposes and not for treatment, and you have paid for the service in full out of pocket. If we agree to a restriction on other types of disclosures, we will state the agreed restrictions in writing and will abide by them, except in emergency situations when the disclosure is for purposes of treatment.
- Right to Request Confidential Communications – You have the right to request that Invitrox communicate with you about your PHI at an alternative address or by an alternative means. Invitrox will accommodate reasonable requests.
- Right to See and Receive Copies of Your PHI – You and your personal representative have the right to access PHI consisting of your laboratory test results or reports ordered by your physician. Within 30 days after our receipt of your request, you will receive a copy of the completed laboratory report from Invitrox unless an exception applies. Exceptions include a determination by a licensed health care professional that the access requested is reasonably likely to endanger the life or safety of you or another person, and our inability to provide access to the PHI within 30 days, in which case we may extend the response time for an additional 30 days if we provide you with a written statement of the reasons for the delay and the date by which access will be provided. You have the right to access and receive your PHI in an electronic format if it is readily producible in such a format. You also have the right to direct Invitrox to transmit a copy to another person you designate, provided such request is in writing, signed by you, and clearly identifies the designated person and where to send the copy of your PHI. To request a copy of your PHI:
- Complete the Invitrox HIPAA Patient Request Form.
- Contact the Privacy Officer at 919-381-5625 or by email at email@example.com.
- Right to Receive an Accounting of Disclosures – You have a right to receive a list of certain instances in which Invitrox disclosed your PHI. This list will not include certain disclosures of PHI, such as (but not limited to) those made based on your written authorization or those made prior to the date on which Invitrox was required to comply. If you request an accounting of disclosures of PHI that were made for purposes other than treatment, payment, or health care operations, the list will include disclosures made in the past six years, unless you request a shorter period of disclosures. If you request an accounting of disclosures of PHI that were made for purposes of treatment, payment, or health care operations, the list will include only those disclosures made in the past three years for which an accounting is required by law, unless you request a shorter period of disclosures.
- Right to Correct or Update your PHI – If you believe that your PHI contains a mistake, you may request, in writing, that Invitrox correct the information. If your request is denied, we will provide an explanation of the reasoning for our denial.
How to Exercise Your Rights
To exercise any of your rights described in this notice, you must send a written request to: HIPAA Privacy Officer, Invitrox Inc, 76 TW Alexander Drive, Research Triangle, NC 27709.
How to Contact Us or File a Complaint
If you have questions or comments regarding the Invitrox Notice of Privacy Practices or have a complaint about our use or disclosure of your PHI or our privacy practices, please contact: firstname.lastname@example.org, call us at 919-381-5625 and ask for the Invitrox HIPAA Privacy Officer, or send a written request to: HIPAA Privacy Officer, Invitrox 76 TW Alexander Drive, Research Triangle, NC 27709. You also may file a complaint with the Secretary of the U.S. Department of Health and Human Services. Invitrox will not take retaliatory action against you for filing a complaint about our privacy practices.
Changes to the Invitrox Notice of Privacy Practices
Invitrox reserves the right to make changes to this notice and to our privacy policies from time to time. Changes adopted will apply to any PHI we maintain about you. Invitrox is required to abide by the terms of our notice currently in effect. When changes are made, we will promptly update this notice and post the information on the Invitrox website at www.invitrox.com. Please review this site periodically to ensure that you are aware of any such updates.