iGenomeDx Labs is committed to protecting the privacy of the users of this Web site. We will use and disclose the information you provide us as stated in our Web Site Privacy Statement.
In addition, if you provide health information that identifies who you are (as when health information also includes your name or Social Security number) we will only use and disclose such information as stated in the Notice of Privacy Practices.
Web Site Privacy Statement
Use and disclosure of health information includes using the information to provide treatment to the individual, to collect payments for such treatment, and to conduct ongoing quality improvement activities. Our use and disclosure of an individual’s personal information (including health information) is limited as required by state and federal law. We do not sell or rent personal information about visitors to this site or customers who use the site.
This Web site has security measures in place to help protect against the loss, misuse, or alteration of information under our control. These measures include encryption of data using the Secure Socket Layer (SSL) system, and using a secured messaging service when we send you personal information electronically. Despite these measures, the confidentiality of any communication or material transmitted to or from us via this site by Internet or e-mail cannot be guaranteed. At your discretion, you may contact us at the mailing address or telephone number listed in the “Questions, complaints, and contacts” section at the end of this Privacy Statement.
Revisions to the Privacy Statement
We may revise this Privacy Statement from time to time as we add new features or as laws change that may affect our services. If we make material changes to our Privacy Statement, we will post notice of this on our Web site. Any revised Privacy Statement will apply both to information we already have about you at the time of the change, and any personal information created or received after the change takes effect. We include a version number on this Privacy Statement consisting of the date (year, month, and day) it was last revised. We encourage you to periodically reread this Privacy Statement, to see if there have been any changes to our policies that may affect you.
Web Site Visitor Data
iGenomeDx routinely gathers data on Web site activity, such as how many people visit the site, the pages they visit, where they come from, how long they stay on the site, etc. The data is collected on an aggregate, anonymous basis, which means that no personally identifiable information is associated with the data. This data helps us improve site content and overall usage. The information is not shared with other organizations for their independent use.
Collecting and Using Personal Information
Except as disclosed in this Privacy Statement, we do not collect any identifiable information about visitors to this site or our customers who use this site. The policies, sources, and uses of information are outlined in Sections 1 through 13 that follow:
1. WEB LOGS
We maintain standard Web logs that record data about all visitors and customers who use this site and we store this information for a while. These logs may contain the Internet domain from which you access the site (such as aol.com, abc.org, etc.); the IP address which is automatically assigned to your computer when you get on the Internet (a static IP address may be identifiable as being connected to you, while a dynamic address is usually not identifiable); the type of browser and operating system you use; the date and time you visited the site; the pages you viewed on the site; the address of the Web site you linked from, if any. If you sign on to this Web site to use its secured features, our Web logs will also contain an individual identifier and show the services you have accessed.
All Web logs are stored securely, and may only be accessed by iGenomeDx employees or designees on a need-to-know basis for a specific purpose. iGenomeDx uses Web log information to help us design our site, to identify popular features, to resolve user, hardware, and software problems, and to make the site more useful to visitors.
2. INTERNET COOKIES
We may place Internet “cookies” on the computer hard drives of visitors to this iGenomeDx Web site. Information we obtain from cookies helps us to tailor our site to be more helpful and efficient for our visitors. The cookie consists of a unique identifier that does not contain information about you or your health history. We use two types of cookies, “session” cookies and “persistent” cookies.
A session cookie is temporary, and expires after you end a session and close your Web browser. We use session cookies to help customize your experience on our site, maintain your signed-on status as you navigate through our features, and to track your “click path” through our Web pages.
Persistent cookies remain on your hard drive after you’ve exited from our site, and we use them for several reasons. For instance, when you give us permission to “remember” a feature about you when asked by the Web site, such as your iGenomeDx region, we place a persistent cookie on your hard drive so that the next time you visit us, we won’t have to ask you that information again. If you’ve given us permission to e-mail you with information about your iGenomeDx benefits, or for other reasons, we may place a persistent cookie on your hard drive that will let us know when you come back to visit our site. We sometimes may use this type of persistent cookie with a “Web beacon” (see below). Persistent cookies will not contain any personal information about you such as a iGenomeDx Health/Medical Record number.
You may have software on your computer that will allow you to decline or deactivate Internet cookies, but if you do so, some features of this site may not work properly for you. For instructions on how to remove cookies from your hard drive, go to your browser’s Web site for detailed instructions. In addition, further information regarding cookies may be available on other Web sites or from your Internet service provider. Netscape and Internet Explorer are two common browsers.
3. WEB BEACONS
We may also occasionally use “Web beacons” (also known as “clear gifs,” “Web bugs,” “1-pixel gifs,” etc.) that allow us to collect non-personal information about your response to our e-mail communications, and for other purposes. Web beacons are tiny images, placed on a Web page or e-mail, that can tell us if you’ve gone to a particular area on our Web site. For example, if you’ve given us permission to send you e-mails, we may send you an e-mail urging you to use a certain feature on our Web site. If you do respond to that e-mail and use that feature, the Web beacon will tell us that our e-mail communication with you has been successful. We do not collect any personal health information with a Web beacon, and do not link Web beacons with any other personal health information you’ve given us.
Since Web beacons are used in conjunction with persistent cookies (described above), if you set your browser to decline or deactivate cookies, Web beacons cannot function.
iGenomeDx uses a third-party vendor to help us manage some of our e-mail communications with you. While we do supply this vendor with e-mail addresses of those we wish them to contact, your e-mail address is never used for any purpose other than to communicate with you on our behalf. When you click on a link in an e-mail, you may temporarily be redirected through one of the vendor’s servers (although this process will be invisible to you) which will register that you’ve clicked on that link, and have visited our Web site. iGenomeDx never shares any information, other than your e-mail address, with our third-party e-mail vendor, which does not share these e-mail addresses with anyone else.
Even if you have given us permission to send e-mails to you, you may revoke that permission at any time by following the “unsubscribe” information at the bottom of the e-mail.
5. EVALUATION AND RESEARCH
We will periodically ask users to complete surveys asking about their experiences with features of the Web site. Our surveys ask visitors for demographic information such as age, gender, and education, but will not request that users provide specific information about any medical condition. We use survey information for research and quality improvement purposes, including helping iGenomeDx to improve information and services offered through the Web site. In addition, users giving feedback may be individually contacted for follow-up due to concerns raised during the course of such evaluation. Demographic information and Web log data may be stored for future research and evaluation.
6. REGISTRATION WITH IGENOMEDX LABS
If you register with iGenomeDx through this Web site, you will be asked during the application process to disclose certain personal information so that we can evaluate your eligibility. Specifically, you will be asked to provide demographic information (name, address, other contact information), answer questions regarding your practice and anticipated testing protocols.
7. MESSAGES AND TRANSACTIONS
Comments or questions sent to us using e-mail or secure messaging forms will be shared with iGenomeDx staff who are most able to address your concerns. We will archive your messages once we have made our best effort to provide you with a complete and satisfactory response.
Some of our services interact directly with other iGenomeDx data systems. Data about your transaction may be stored in these systems, and available to people who test and support these systems.
When you use a service on a secure section of this Web site to interact directly with iGenomeDx, some information you provide may be retained in our records.
8. FINANCIAL TRANSACTIONS
If you provide us with information for the handling of billing and collections activity, such as credit card numbers or insurance information, we will treat that information in a secure manner.
9. DATA INTEGRITY AND CORRECTION
Requests to view and correct personal information from this Web site may be submitted using the contact information in the “Questions, complaints, and contacts” section below.
We do not knowingly allow people under the age of 18 to create accounts that allow access to the secured features of this site.
We may disclose personal information to any person performing audit, legal, operational, or other services for us. We will use information which does not identify the individual for these activities whenever feasible. Information disclosed to vendors or contractors for operational purposes may not be re-disclosed to others by such a vendor or contractor.
We may disclose personal information when required to do so by a subpoena, court order, or search warrant. We may disclose personal information as we deem it appropriate to protect the safety of an individual or for an investigation related to public safety or to report an activity that appears to be in violation of law. We may disclose personal information to protect the security and reliability of this site and to take precautions against liability.
12. OPT OUT
If a user makes a request to receive information in an ongoing manner through this Web site by providing their e-mail address (for example, requesting a subscription to one of our online publications), a user may make a request to discontinue future mailings. Similarly, if you receive information about iGenomeDx through e-mail, you may make a request to discontinue receiving similar messages in the future. All such materials sent to you by e-mail will contain information about how to opt out.
Also, if you register to use protected features on our Web site, you may be given an opportunity to receive e-mails about different types of iGenomeDx products, services, announcements, and updates. You may change your preferences by selecting the appropriate option.
13. OTHER REQUESTS TO LIMIT USE AND DISCLOSURE OF YOUR PERSONAL INFORMATION
State and federal laws may allow you to request that we limit our uses and disclosures of your personal information for treatment, payment, and health care operations purposes. However, by law, we do not have to agree to your request. It is our policy not to agree to requests for restrictions beyond what is described in the “Opt out” section above.
Questions, Complaints, and Contacts
If you have any questions about this Privacy Statement, our policies and practices concerning this site, your rights under this statement, and your dealings with the iGenomeDx Web site, you can contact iGenomeDx by telephone at (210) 257-6973, by sending a message to the iGenomeDx via this Web site.
NOTICE OF PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT PATIENTS MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
PLEASE REVIEW IT CAREFULLY.
In this notice we use the terms “we,” “us,” and “our” to describe iGenomeDx. For more details, please refer to section IV. of this notice.
I. WHAT IS “PROTECTED HEALTH INFORMATION”?
Protected health information (PHI) is health information that contains identifiers, such as a name, Social Security number, or other information that reveals an identity. For example, a patient’s medical record is PHI because it includes a name and other identifiers.
II. ABOUT OUR RESPONSIBILITY TO PROTECT YOUR PHI
By law, we must protect the privacy of PHI, inform persons providing us with PHI of their rights and our legal duties with respect to PHI, and tell persons providing us with PHI about our privacy practices and follow our notice currently in effect.
We take these responsibilities seriously and we will continue to take appropriate steps to safeguard the privacy of PHI.
In the course of providing health care services, we collect various types of PHI. The medical information may be used, for example, to provide health care services and customer services, evaluate benefits and claims, measure performance (utilization review), detect fraud and abuse, and fulfill legal and regulatory requirements. The types of PHI that we collect and maintain about patients include, for example, hospital, medical, mental health and substance abuse patient records, laboratory results, pharmacy records and appointment records, medical services received, claims history, and information from benefits plans or employer about group health coverage.
III. RIGHTS REGARDING PHI
This section tells you about rights regarding patient PHI—for example, patient medical and billing records. It also describes how patients can exercise these rights.
Patient Right to See and Receive Copies of Patient PHI
In general, patients have a right to see and receive copies of patient PHI in designated record sets such as patient medical record or billing records. If patients would like to see or receive a copy of such a record, they can contact us at (619) 282-2293 or by e-mail. After we receive a patient written request, we will let the patient know when and how the patient can see or obtain a copy of the patient record. If the patient agrees, we will give the patient a summary or explanation of PHI instead of providing copies. We may charge patients a fee for the copies, summary, or explanation. If we don’t have the record asked for but we know who does, we will tell patients who to contact to request it.
In limited situations, we may deny some or all of a patient request to see or receive copies of patient records, but if we do, we will tell patients why in writing and explain patient rights, if any, to have our denial reviewed.
Patient Right to Choose How We Send PHI to Patients
Patients may ask us to send patient PHI to them at a different address (for example, patient work address) or by different means (for example, fax instead of regular mail). If the cost of meeting the patient request involves more than a reasonable additional amount, we are permitted to charge patients our costs that exceed that amount.
Patient Right to Correct or Update Patient PHI
If patients believe there is a mistake in their PHI or that important information is missing, patients may request that we correct or add to the record. They may call or e-mail us and tell us what they are asking for and why we should make the correction or addition. We will respond in writing after receiving the request. If we approve the request, we will make the correction or addition to the PHI. If we deny the request, we will tell patients why and explain patient rights to file a written statement of disagreement. The patient statement must be limited to 250 words for each item in the patient record that is believed to be incorrect or incomplete. Patients must clearly tell us in writing if they want us to include their statement in future disclosures we make of that part of the patient record. We may include a summary instead of a patient statement.
Patient Right to an Accounting of Disclosures of PHI
Patients may ask us for a list of our disclosures of patient PHI. The list we give patients will include disclosures made in the last six years, unless patients request a shorter time. Patients are entitled to one disclosure accounting in any 12-month period at no charge. If patients request any additional accountings less than 12 months later, we may charge a fee.
An accounting does not include certain disclosures, for example, disclosures to carry out treatment, payment and health care operations; disclosures for which iGenomeDx had a signed authorization; disclosures of PHI to patients; or disclosures to persons involved in patient care and persons acting on patient behalf.
Patient Right to Request Limits on Uses and Disclosures of Patient PHI
Patients may request by phone or e-mail that we limit our uses and disclosures of patient PHI for treatment, payment, and health care operations purposes. We will review and consider patient requests.
Patient Right to Receive a Paper Copy of this Notice
Patients also have a right to receive a paper copy of this notice upon request.
IV. IGENOMEDX LABS USE
To provide patients with our services, to be reimbursed for patient services, and to conduct our operations, such as quality assurance, accreditation, licensing and compliance, iGenomeDx personnel may have access to patient PHI either as employees, physicians, or professional staff members.
V. HOW WE MAY USE AND DISCLOSE PATIENT PHI
Patient confidentiality is important to us. Our employees are required to maintain the confidentiality of the PHI of our patients, and we have policies and procedures and other safeguards to help protect patient PHI from improper use and disclosure. Sometimes we are allowed by law to use and disclose certain PHI without patient written permission. We briefly describe these uses and disclosures below and give some examples.
How much PHI is used or disclosed without patient written permission will vary depending, for example, on the intended purpose of the use or disclosure. Sometimes we may only need to use or disclose a limited amount of PHI, such as to send patients correspondence.
Payment: patient PHI may be needed to permit us to bill and collect payment for services that patients receive.
Health care operations: We may use and disclose patient PHI for certain health care operations—for example, quality assessment and improvement, training and evaluation, accreditation, and determining costs of providing service.
Business associates: We may contract with business associates to perform certain functions or activities on our behalf, such as payment and operations. These business associates must agree to safeguard patient PHI.
Specific types of PHI: There are stricter requirements for use and disclosure of some types of PHI—for example, mental health and drug and alcohol abuse patient information, HIV tests, and genetic testing information. However, there are still circumstances in which these types of information may be used or disclosed without patient authorization.
Communications with family and others when patients are not present: There may be times when it is necessary to disclose patient PHI to a family member or other person involved in patient care because there is an emergency, patients are not present, or patients lack the decision making capacity to agree or object. In those instances, we will use our professional judgment to determine if it is in the patient’s best interest to disclose PHI. If so, we will limit the disclosure to the PHI that is directly relevant to the person’s involvement with patient health care.
Disclosures to parents as personal representatives of minors: In most cases, we may disclose patient minor child’s PHI to patients. In some situations, however, we are permitted or even required by law to deny parent access to a minor child’s PHI. An example of when we must deny such access based on type of health care is when a minor who is 12 or older seeks care for a communicable disease or condition. Another situation when we must deny access to parents is when minors have adult rights to make their own health care decisions. These minors include, for example, minors who were or are married or who have a declaration of emancipation from a court.
Research: iGenomeDx engages in extensive and important research. Some of our research may involve medical procedures and some is limited to collection and analysis of health data. Research of all kinds may involve the use or disclosure of patient PHI.
Public health activities: Public health activities cover many functions performed or authorized by government agencies to promote and protect the public’s health and may require us to disclose patient PHI.
For example, we may disclose patient PHI as part of our obligation to report to public health authorities certain diseases or conditions. Sometimes we may disclose patient PHI to someone patients may have exposed to a communicable disease or who may otherwise be at risk of getting or spreading the disease.
We may use and disclose patient PHI as necessary to comply with federal and state laws that govern workplace safety.
Health oversight: As health care providers, we are subject to oversight conducted by federal and state agencies. These agencies may conduct audits of our operations and activities and in that process, they may review patient PHI.
Disclosures to patient employer or patient employee organization: If patients are enrolled in an insurance plan or with another third party payor through an employer or employee organization, we may share certain PHI with them without patient authorization, but only when allowed by law. For example, we may disclose patient PHI for a workers’ compensation claim or to determine whether patients are enrolled in a plan or whether premiums have been paid on the patient’s behalf. For other purposes, such as for inquiries by patient employer or employee organization on the patient’s behalf, we will obtain patient authorization when necessary under applicable law.
Workers’ compensation: In order to comply with workers’ compensation laws, we may use and disclose patient PHI. For example, we may communicate patient medical information regarding a work-related injury or illness to claims administrators, insurance carriers, and others responsible for evaluating patient claim for workers’ compensation benefits.
Military activity and national security: We may sometimes use or disclose the PHI of armed forces personnel to the applicable military authorities when they believe it is necessary to properly carry out military missions. We may also disclose patient PHI to authorized federal officials as necessary for national security and intelligence activities or for protection of the president and other government officials and dignitaries.
Required by law: In some circumstances federal or state law requires that we disclose patient PHI to others. For example, the secretary of the Department of Health and Human Services may review our compliance efforts, which may include seeing patient PHI.
Lawsuits and other legal disputes: We may use and disclose PHI in responding to a court or administrative order, a subpoena, or a discovery request. We may also use and disclose PHI to the extent permitted by law without patient authorization, for example, to defend a lawsuit or arbitration.
Law enforcement: We may disclose PHI to authorized officials for law enforcement purposes, for example, to respond to a search warrant, report a crime on our premises, or help identify or locate someone.
Serious threat to health or safety: We may use and disclose patient PHI if we believe it is necessary to avoid a serious threat to patient health or safety or to someone else’s.
Abuse or neglect: By law, we may disclose PHI to the appropriate authority to report suspected child abuse or neglect or to identify suspected victims of abuse, neglect, or domestic violence.
Coroners and funeral directors: We may disclose PHI to a coroner or medical examiner to determine cause of death, or for other official duties. We may also disclose PHI to funeral directors.
Inmates: Under the federal law that requires us to give patients this notice, inmates do not have the same rights to control their PHI as other individuals. If patients are an inmate of a correctional institution or in the custody of a law enforcement official, we may disclose patient PHI to the correctional institution or the law enforcement official for certain purposes, for example, to protect patient health or safety or someone else’s.
VI. ALL OTHER USES AND DISCLOSURES OF PHI REQUIRE PRIOR WRITTEN AUTHORIZATION
Except for those uses and disclosures described above, we will not use or disclose patient PHI without patient written authorization. When patient authorization is required and patients authorize us to use or disclose patient PHI for some purpose, patients may revoke that authorization by notifying us in writing at any time. Please note that the revocation will not apply to any authorized use or disclosure of patient PHI that took place before we received patient revocation. Also, if patients gave patient authorization to secure a policy of insurance, patients may not be permitted to revoke it until the insurer can no longer contest the policy issued to patients or a claim under the policy.
VII. HOW TO CONTACT US ABOUT THIS NOTICE OR TO COMPLAIN ABOUT OUR PRIVACY PRACTICES
If patients have any questions about this notice, or want to lodge a complaint about our privacy practices, please let us know by e-mail or telephone. Patients also may notify the secretary of the Department of Health and Human Services.
We will not take retaliatory action against patients if patients file a complaint about our privacy practices.
VIII. CHANGES TO THIS NOTICE
We may change this notice and our privacy practices at any time, as long as the change is consistent with state and federal law. Any revised notice will apply both to the PHI we already have about patients at the time of the change, and any PHI created or received after the change takes effect. If we make an important change to our privacy practices, we will promptly change this notice and provide a new notice on our Web site. Except for changes required by law, we will not implement an important change to our privacy practices before we revise this notice.
IX. EFFECTIVE DATE OF THIS NOTICE
This notice is effective on January 1, 2010.
X. SUPPLEMENTAL NOTICE FOR MEDI-CAL BENEFICIARIES
UNDER STATE LAW APPLICABLE TO MEDI-CAL BENEFICIARIES, IGENOMEDX LABS NEEDS PATIENT PERMISSION TO USE OR DISCLOSE PATIENT MEDICAL INFORMATION IN THE FOLLOWING SITUATIONS:
To comply with workplace safety laws or workers’ compensation laws, except disclosures for treatment or to state or local officials;
To allow other companies to market their products or services to patients; and
To respond to subpoenas or court orders, or orders from government agencies, unless they relate to administration of the Medi-Cal program or are otherwise authorized by law.
Except in these cases, iGenomeDx may use and disclose patient protected health information.