Notice of HIPAA Privacy Practices
Last Updated: June 14, 2021
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED BY CARBON HEALTH, AND IF APPLICABLE, OUR INDEPENDENT MEDICAL PRACTITIONER PARTNERS (DEFINED BELOW) AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Carbon Health Technologies and Carbon Health Medical (collectively “Carbon Health”) are both accountable for their compliance with HIPAA and both are required by law to maintain the privacy of your Protected Health Information.
Carbon Health Technologies, Inc. (“Carbon Health Technologies,” “we,” “our,” or “us”) is not a medical group, but is a Business Associate that has partnered with specific medical groups (“Independent Medical Practitioners”) to bring healthcare services nationwide, as well as online with our telehealth solution. Carbon Health Medical Group of Florida, P.A., Carbon Health Medical Group, Inc., Direct Urgent Care, Inc., Carbon Health Medical Group of New Jersey, P.A., Carbon Health Medical Group of Kansas, P.A. and Djavaherian Medical Practice, PLLC (collectively, “Carbon Health Medical”), are each an independent medical group with a network of United States based health care providers (each, a “Provider”).
Each of the Carbon Health entities, their related sites, locations, and care providers follow the terms of this Notice. Additionally, the entities, sites, locations and care providers may share medical information with each other for treatment, payment, or healthcare operations related to the Business Associate Agreement (“BAA”) they share.
Carbon Health medical visits at any of our clinics and Carbon Health telemedicine consults obtained through our Website or Applications are provided by independent medical practitioners including, but not limited to, Carbon Health Medical. Independent providers, and your own medical provider if you do not use a Carbon Health Medical Provider, are responsible for providing you with a Notice of Privacy Practices describing their collection and use of your health information.
This Notice of HIPAA Privacy Practices is published on the Carbon Health website, in the Carbon Health Applications, and is available at all Carbon Health clinics.
In compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) we are required to ask each of our patients to acknowledge receipt of our Notice of HIPAA Privacy Practices.
You acknowledge receipt of the Notice of HIPAA Privacy Practices when you select the “Sign Form” button after being presented these forms during the account creation/sign-up process in the Carbon Health patient mobile applications or Carbon Health Patient website, or by indicating or signing your acknowledgement in another written or digital format provided to you. You can receive a copy of the Notice of HIPAA Privacy Practices by asking for one at any Carbon Health clinic, or by visiting our website and printing the form from there.
Your acknowledging the Notice of HIPAA Privacy Practices is required by HIPAA and Carbon Health, and if you do not wish to be bound by this Notice you are not authorized to access or use our Website, Applications, or make use of our healthcare services, and you must promptly exit our Websites or Applications.
Carbon Health’s Commitment and Responsibilities
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) defines strict rules and regulations identifying the controls companies must implement to protect patient privacy, and our responsibility to guard “Protected Health Information” (“PHI”). The information collected when you authenticate to accounts in Carbon Health Applications and Websites, or when you communicate with our staff about healthcare matters, whether electronically, orally, or by alternative offline methods, is all considered PHI. PHI includes any and all medical information you share with Carbon Health, including your medical history and any medical records from other providers or services you share with us, and also includes more general personal information that may identify you, such as your name, social security number, billing information, addresses, phone numbers, date of birth, and email address.
Your Protected Health Information is kept safe through our commitment to your privacy, and the processes, procedures, controls, and staff training we have in place to ensure our compliance with federal and state laws and regulations.
In keeping with these commitments, we are proud to take responsibility for ensuring that:
- Our Privacy Practices are made available in plain language: ensuring we are transparent when informing you and all recipients of Carbon Health products and services of our responsibilities for protecting your PHI.
- We document all of our best practices, company policies, and staff procedures, and ensure all staff receive annual training on each, such that all business and healthcare activities are performed with a clear understanding of what is required to keep your data private.
- We follow the practices and procedures defined in this Notice of Privacy Practices.
- We are transparent about how we will use your Protected Health Information in providing our products and services.
- We are transparent about your rights to authorize disclosure of Protected Health Information and your rights to revoke those authorizations at any time.
- We remain transparent in our communications with you, disclosing in a timely manner if any problems arise that affect you: informing you directly if a breach occurs (if your PHI is ever mistakenly exposed).
Additionally, Carbon Health will always try to apply the strictest protections available on your behalf: we are committed to adhering not just to federal and individual state regulations, but also to maximizing the protections applied to your data, which we do by applying the more stringent of protections defined by any individual state to all states (unless that causes a direct conflict with your own state’s laws).
Uses and Disclosures of Protected Healthcare Information That Do Not Require Your Authorization
We think the title of this section seems much scarier than it is. Our own policies as well as Federal and State regulations have been designed to keep your Protected Health Information private to you. These policies and regulations, including HIPAA, have provisions to support healthcare data sharing that is performed as part of delivering healthcare services: including for treatment, for billing and payment processing, and in healthcare operations. Some sharing is often necessary in order to deliver care: sharing between doctors and a laboratory running tests, between a clinic doctor and your family doctor, between our clinic and a pharmacy, with your health insurance company, etc. HIPAA and the other regulations define exactly when and how data can be shared, and also how that sharing must be securely managed. Examples of use cases where we may use and disclose your PHI without first receiving your authorization include:
Your Protected Health Information may be disclosed to:
- Doctors, registered nurses, x-ray technicians and other medical staff working for Carbon Health Medical or as Independent Medical Practitioners, who are involved in providing you with healthcare services when they need access to PHI to perform critical parts of their work.
- Medical partners responsible for aspects of your medical care, including lab partners that may be performing tests on samples collected from you, a pharmacy to which a prescription is sent on your behalf, or a Support RN that will follow up with you after a visit to ensure you are feeling better, if and when each may need access to PHI in order to accurately provide you with care.
- Specialists and other healthcare providers responsible for treatments and services not available at the location or time of your visit, and to whom you may be referred, may need access to PHI in order to fulfill their role in your healthcare journey.
Your Protected Health Information may be disclosed:
- To validate your insurance eligibility and inform you of your expected out-of-pocket expenses.
- To accept payment or bill you directly for healthcare services we provide.
- To carry out our obligations and enforce our rights arising from contracts, including for billing and collection.
Carbon Health strives for the continuous improvement of all aspects of how we deliver healthcare, and Protected Health Information is used in our healthcare operations to help us improve our services and products. PHI may be disclosed:
- For the administration and support of our healthcare services.
- For quality control and quality assurance measures that help us identify areas in which we can improve our applications and websites for both staff and patients.
- To support patient inquiries and requests for assistance associated with how we deliver care.
- To protect against abuses including fraud and waste.
- For review by individuals such as contractors, and our business associates, including service, that serve a role in how we deliver our products and services to you. All contractors, business associates, and other third-party companies involved in our healthcare operations are also required to provide protections for your PHI and must also abide by HIPAA.
In addition to the reasons above, there exist a few other reasons why, in the best interests of patients, the community, or for adherence to the law, among other reasons, we may find it necessary to use or disclose PHI without your authorization:
- To protect the safety of an individual or the public when we think someone may be a victim of abuse, neglect, or domestic violence, and to protect that person or persons we believe disclosure to a public health authority or other appropriate government authority is necessary.
- For public health activities, or health oversight activities, that may be defined by federal, state, or county authorities. Examples include efforts to prevent or control the spread of a disease (as when reporting Hepatitis A or Covid-19 infections, administered Covid-19 vaccinations), injury, or disability, but also includes vital events such as births, or deaths where disclosures of your PHI apply for family arrangements (your decedents), or “gift of life” purposes (organ, eye, or tissue donations).
- To avert a threat to individual or public health or safety: as when we, in good faith, and in compliance with applicable laws and regulations, believe disclosure to an appropriate authority will prevent or lessen a serious or imminent threat to the health of a person or the public; or when we believe disclosure is necessary to identify or apprehend an individual that has admitted to a violent crime that may have caused serious harm or is known to have escaped from lawful custody.
- For instances where disclosure is required by law, judicial and administrative proceedings, or for law enforcement purposes such as when compelled by a court order or in response to a subpoena, or a government or regulatory request.
- As required for specialized government functions, including a response to a public health investigation or public health surveillance activity; when helping to ensure the quality, safety, or effectiveness of an FDA-regulated product or activity, including prescription drugs, medical devices, and supplements; in compliance with regulatory and oversight agencies for activities including initial licensure, audits, reviews, examinations, inspections, investigations.
- To parents and legal guardians overseeing the care of minors in accordance with applicable laws and regulations. This may include sharing where parental and legal guardian consent is required for the services rendered and will exclude sharing where parental and legal guardian consent is not required, unless explicit consent in accordance with applicable laws and regulations is received from the minor. We will share a minor’s data with a parent or guardian when required to do so by applicable law.
- As applies to work-related injuries or illness as with workers’ compensation or similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.
- To more efficiently communicate with your other care providers, through our participation in Health Information Exchanges (HIE) that enable us to share your healthcare information with other organizations lawfully participating in treatment, payment, or healthcare operations involving you. For your protection we provide opt-in and opt-out rights to you for all HIE in which we participate, and we do so in accordance with the strictest interpretation of all applicable federal and state laws.
More About Carbon Health’s Healthcare Operations
There are a number of reasons Carbon Health may use your PHI as part of providing our services to you. The most critical of these for us is ensuring that we are continually conducting quality assessment and improvements of our websites, applications, and staff processes in order to continually improve how we deliver our products and services to you. As part of these efforts we use PHI:
- To present our Websites and Applications, and their contents to you.
- To provide our healthcare related products and services to you.
- To answer your requests for information, products, or services from Carbon Health, or when we believe it is in your best interest that we inform you of additions and changes to our applications, websites, products, and services.
- To process, fulfill, support, and administer transactions and orders for products and services you have requested.
- To provide you with notices about your Carbon Health Technologies account.
- To administer surveys and solicit feedback.
- To fulfill any purpose for which you have provided PHI on which we are being asked to act.
- For specific uses described at the time you provide the information.
- For any other purpose for which you have provided your authorization as described in “A Note About Your Authorization to Disclose Protected Health Information.”
A Note About Research
While federal and state regulations, including HIPAA, make accommodations for sharing Protected Health Information for research purposes, and this sharing is only allowed with authorized Institutional Review Boards (IRB), and under specific circumstances, Carbon Health does not participate in this kind of legal sharing of your PHI without explicitly first requesting then receiving your authorization. We do think this kind of research is important, and that you should know that each IRB is required to protect your PHI, poses minimal risk to your privacy, and can offer great benefits to healthcare research. Choosing to share your data for research purposes, and as a contribution to improving healthcare, is completely voluntary, and you will never be required to share your PHI in order to receive care, and non-participation in research sharing will have no effect on the quality of care you receive.
Uses and Disclosures of Protected Healthcare Information That Require Your Authorization
Carbon Health is committed to your privacy, and this means that your data is protected as yours, and that without your written or electronically signed authorization, your PHI will not be shared outside of the purposes and audiences listed in the preceding sections of this Policy. Other than for the purposes described in this document, we commit that:
- Carbon Health will not sell your Protected Health Information.
- Carbon Health will not share your Protected Health Information with your employer, unless you grant authorization for such a disclosure.
- Carbon Health will not share your Protected Health Information with your school or educational institution, unless you provide an authorization for such a disclosure.
- Carbon Health will not use your Protected Health Information for Marketing (We will, as described above, contact you about our own Websites, Applications, products, and services to improve our offerings to you, but we will not let a third party market to you, and we will additionally always allow you to opt-out of even these HIPAA permitted communications that we believe are beneficial to you.)
Additionally, Carbon Health abides by all applicable Federal and State laws regarding special protections. As stated above, we apply the most stringent of any one state’s laws to the protections of all state’s patients (save where they conflict with your individual state’s laws and regulations), and this includes the rules governing authorization requirements that must be met prior to sharing Protected Health Information related to:
- Mental health treatment - Carbon Health will not share a mental health provider’s process notes save for when covered by the very specific use cases defined by HIPAA.
- Sexual assault
- Sexually transmitted diseases
- Drug and alcohol abuse
- Specific communicable diseases, including HIV/AIDS
A Note About Your Authorization to Disclose Protected Health Information
Outside of the permitted disclosures described elsewhere in this document, Federal and state laws and regulations, including HIPAA, have very clear rules defining the processes by which any authorization to disclose your Protected Health Information must be requested and received from you. In all cases where your authorization is required, if you have not granted your authorization in accordance with these rules, your information will not be disclosed. Additionally, if you have granted an authorization for a disclosure, it is important that you know you may revoke that authorization at any time. What this means for you is that unless you see an authorization form meeting the requirements detailed in this section, and unless you choose to sign that form (electronically or by other means), your data will not be shared for any reason outside those identified as permissible elsewhere in this policy. Any request made of you for your authorization to disclose your PHI must clearly, and in plain language, provide:
- A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
- A name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
- A name or other specific identification of the person(s), or class of persons, who will be the recipient of the requested use or disclosure.
- A description of each purpose for which the requested use or disclosure is being made. (If you are asking for the disclosure of your own data, you do not need to explain your reasons other than to make a statement such as: “At the request of the individual.”)
- An expiration date, or expiration event that relates to the defined individual purpose for which the use or disclosure is being made. Additionally, if you choose to contribute to the advancement of healthcare by participating in a research study, acceptable expiration statements include: “At the end of the research study”, “none”, or similar language.
- A process for receiving your physical or electronic signature with a recorded signing date. If the authorization is signed by a personal representative, as with a Power of Attorney, Parent, or legal Guardian, a description of the representative’s authority to act for the individual is also required.
Additionally, the request for authorization to disclose PHI will specifically state:
- Your right to revoke the authorization, including a description of how you may revoke the authorization, as well as any exceptions to the right to revoke. (Other companies may include this in their Notice of Privacy Practices, but Carbon Health Technologies and Carbon Health Medical will include this information directly in each authorization form presented for your signature.)
- Our commitment that your authorization to disclose your Protected Health Information will never be required for you to receive healthcare services you acquire directly from us: This protection applies to healthcare services specific to you as an individual. This protection may not apply to services organized by a third party and including you, for example: participation in research studies may require your authorization as a prerequisite for study participation, and similarly, healthcare processes initiated specifically for disclosure to a third party, as with employer funded medical tests for “return to work” purposes, may not be available from Carbon Health and the third parties involved, without your authorizing the disclosure for which those activities have been organized.
- The potential for information you authorize to be disclosed to a third party to end up subject to redisclosure by that third party, and if that third party is not required to comply with HIPAA, mention that it is possible the information will no longer receive the original protections applied when it was first provided to your healthcare provider.
- Your right to receive a copy of any authorization you sign.
Your Rights Regarding Your Protected Health Information
Carbon Health will always uphold your rights over the Protected Health Information belonging to you that we may obtain. We will ensure we protect your rights:
- To access your data: We will protect your data, and we will also ensure that it is available to you.
- To request that we restrict any use and disclosure of your data. We will not always be able to honor these requests, and we are not obligated by law or regulation to apply disclosure restrictions related to our treatment, payment, or health care operations, save in specific use cases of payment disclosures to a health plan for services you have paid in full and where the disclosure is payment related. This said, where we have documented our ability to comply with your request, we will honor that commitment in all cases, save for exceptions defined under HIPAA, including when we determine that a disclosure is required for emergency treatment (in that use case we will request that the party to whom the data is disclosed does not disclose the information any further), and when required by the Secretary of Health and Human Services.
- To receive confidential communications of your Protected Health Information. We will make this information available to you in your accounts accessible on our websites and applications, and you may also request alternative means of secure communication. We may ask that you submit such requests in writing, but we will generally agree to secure alternative communication methods that are deemed reasonable.
- To inspect and copy your Protected Health Information.
- To request corrections to your data.
- To receive an accounting of disclosures.
- To receive notice of any breach.
- To receive an electronic or paper copy of your PHI with some restrictions. This may potentially include charging a reasonable fee associated with the cost of printing and mailing physical copies.
You can review, copy, and change your Personal Data by logging into our Websites or Applications and visiting either the Settings or Account sections. Additionally, we have provided detailed Contact Information (below) through which you may notify us of any changes or errors in the Personal Data we have about you. We will reply to all such contact to help you ensure that your PHI records are complete, accurate, and as current as possible. If desired, you may also contact us to have us disable or delete your account. For any deletion request, we will make every effort to delete your account and all personal information you have shared with us. Please note that while we will do everything we can to comply with any deletion request, we are not permitted to delete PHI if we believe it would violate any law or legal requirement, or cause the information to be incorrect.
Our commitment to the privacy of your Protected Health Information, and to transparency in our adherence to this Notice of Privacy Practices, includes our making this notice available to you on paper when requested through the contact information below. In protecting your right to receive an accounting of any disclosures of your Protected Health Information, we have committed that we will make such an accounting available covering, at a minimum, the 6 years prior to the date on which the accounting is requested, and covering all disclosures not otherwise excepted by HIPAA.
A Note About De-identification
Health information that does not identify an individual, and data for which there is no reasonable basis to believe it could be used to identify an individual, including you, represents essentially no usefulness to identity thieves and others involved in criminal practices. While of no value for those with illegitimate motivations, this data represents great value for Healthcare, where providers and researchers employ de-identified data in accordance with the HIPAA safe harbor provision, to both protect the privacy of individuals, and also to protect the health of the many, by identifying critical trends or anomalies in group data as well as studies that follow other research pathways. Carbon Health does contribute to healthcare research by making data that has been de-identified in accordance with the safe harbor provision available to trusted research organizations. Safe harbor data is Protected Health Information that as specified by HIPAA has the following 18 individual identifiers removed so that it cannot identify any individual, including you:
- Social Security Numbers
- Telephone numbers
- Fax numbers
- Geographic subdivisions (including address information) smaller than a state
- All elements of dates (with the exception of year): birth and death dates, admission dates, discharge dates, ages for anyone over 89.
- E-Mail addresses
- Medical record numbers
- Health Plan Beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identification numbers or serial numbers, license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URL)
- Internet Protocol (IP) addresses
- Biometric data (Fingerprints, Face ID, Voice Prints, etc.)
- Full face photographic images and comparable images
- Any other number, characteristic, or code that would uniquely identify you
In addition to the protections defined throughout this document, Carbon Health has committed that we will never share your Protected Health Information if we have any actual knowledge that the information could be used alone or in combination with other information to identify you or any individual who is the subject of the information, unless we have your direct authorization, documented and signed as described in “A Note About Your Authorization to Disclose Protected Health Information.”
Changes to Our Notification of Privacy Practices
Questions, Concerns, and Complaints
If you have any questions, concerns, complaints or suggestions regarding our Privacy Practices or otherwise need to contact us, you may contact us at the contact information below or through the “Contact Us” page on our Website or in the Application. In addition to being able to report complaints to us at any time, if you believe your privacy rights have been violated or have other concerns, you may also report complaints to the national Secretary of Health and Human Services. Any questions, concerns, or complaints you raise will never be allowed to negatively affect the quality of care you receive from us, and there will never be any retaliation against you for any such filings.
How to Contact Us
Carbon Health Technologies, Inc.
Attn: Privacy
300 California Ave. 7th Floor
San Francisco, CA 94104
Telephone: 1-415-869-8858
Email: firstname.lastname@example.org