Initial Effective Date: 1/1/2022

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN OBTAIN THIS INFORMATION. PLEASE REVIEW THIS INFORMATION CAREFULLY.

Visit Health respects that you have entrusted us with your health data, and we are committed to safeguarding all the information you supply.

This Privacy Policy sets forth Visit Health’s obligations and your rights in accordance with the Health Insurance Portability & Accountability Act and amendments thereto (HIPAA), the Health Information Technology for Economic and Clinical Health Act and amendments thereto (HITECH), and the regulations promulgated under these Acts. In all situations, your protected health information (PHI) is obtained, maintained and shared in a private and secure manner consistent with HIPAA requirements by each of these entities. All capitalized terms not otherwise defined shall have the meanings assigned to them under HIPAA. References to “us”, “we” and “our” refer to Visit Health.

I. OUR COMMITMENT TO PROTECTING HEALTH INFORMATION ABOUT YOU

Visit Health has policies and procedures in place to protect the privacy and security of your personal information including your PHI. To the extent Visit Health is providing services for or on behalf of a HIPAA Covered Entity, Visit Health is required by law to maintain the privacy of PHI and to notify the Covered Entity of any breach of unsecured PHI.

Visit Health keeps your PHI safe through the use of a combination of physical, technical, and administrative safeguards in accordance with applicable Federal and State laws. Data is secured and transmitted via secure encryption technology, regular data backups, and key code authentication. Visit Health also limits access to your PHI to employees, contractors and agents who need the data to do their jobs or provide their services.

Also, where required by law or in accordance with a Business Associate Agreement, third-party partners must protect the privacy of data shared by Visit Health and they are required to keep your information private and secure.

Visit Health reserves the right to make changes to this notice and to make such changes effective for all PHI we may already have about you. If and when this notice is changed, we will post this information on our website and provide you with a copy of the revised notice upon your request or as otherwise required by law. It is your responsibility to check our website periodically for updates or changes to our policy.

II. HOW VISIT HEALTH MAY USE AND DISCLOSE PROTECTED HEALTH INFORMATION ABOUT YOU

A. USES AND DISCLOSURES FOR TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS

Visit Health is permitted to use and disclose PHI for treatment, payment, and health care operations and, when applicable, in accordance with a Business Associate Agreement as required by HIPAA. The following examples are illustrative and do not list every type of use or disclosure that may fall within that category.

Treatment: Visit Health may use and disclose your PHI in connection with your participation in a vaccination or testing program.

Payment: Visit Health is allowed to use and disclose PHI so that we can bill and collect payment for our services, if applicable, or to assist your health plan with their claims payment processes.

Health Care Operations: Visit Health may use and share your data to support the operations of our business or contact you when necessary. For example, we may retain a copy of your health information for auditing purposes or to improve our services.

Health Related Services: Visit Health may contact you to provide you with information about services that may be of interest to you as we view such information as part of the treatment you receive from us, and as directed by you. Our contracted third-party vendors may contact you directly with such information.

To You: In accordance with HIPAA and applicable Business Associate Agreements, Visit Health will provide you with access to your health care information.

B. OTHER USES AND DISCLOSURES YOU AUTHORIZE VISIT HEALTH TO MAKE

Business Associates: In accordance with the above Treatment and/or Health Care Operations permitted uses and disclosures, we may provide your PHI to other companies or individuals to assist us in providing you with services or vendors that perform various activities on our behalf. These other entities are referred to under HIPAA as Business Associates. Visit Health is required by HIPAA to have written Business Associate Agreements with these entities whenever we share your PHI with the Business Associate. Business Associates are required by HIPAA to maintain the privacy and security of your PHI and to only use and disclose your PHI in accordance with HIPAA.

Communication with individuals involved in your care or payment for your care. We may disclose your PHI to a family member, other relative, close friend, or any other person you identify that is directly relevant to that person’s involvement in your care or payment related to your care.

Protected health information of minors. As permitted by federal and state law, we may disclose PHI about minors to their parents or guardians.

Creating “de-identified” information. We may use your PHI to create “de-identified” information, which means that information that can be reasonably used to identify you will be removed. There are specific rules under the law about what type of information needs to be removed before information is considered de-identified. Once the information has been de-identified as required by law, it is no longer considered PHI, not covered by this Notice, and we may use it for any lawful purpose without further notice to you.

C. USES AND DISCLOSURES REQUIRED BY LAW

Visit Health may use and disclose your PHI as allowed or required by law. PHI can be shared for public health oversight activities. It can also be shared for judicial or administrative proceedings, with public health authorities, for law enforcement reasons, and with coroners or medical examiners. PHI can also be shared with organ donation groups for certain reasons, for research (in accordance with HIPAA restrictions), and to avoid a serious threat to health or safety. It can be shared for special government functions, for Workers’ Compensation, to respond to requests from the U.S. Department of Health and Human Services, and to alert proper authorities if we reasonably believe that you may be a victim of abuse, neglect, domestic violence or other crimes. PHI can also be shared in any other manner required by law.

D. OTHER USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION REQUIRE YOUR AUTHORIZATION

Other uses and disclosures of PHI about you will be made only with your written authorization. If you have authorized us to use or disclose PHI about you, you may revoke your authorization at any time, except to the extent we have taken action based on the authorization. You may make such revocation by providing written notice to the address provided below. Information disclosed pursuant to your authorization may be subject to re-disclosure by the recipient and no longer be protected under HIPAA. However, Visit Health executes Business Associate Agreements with any wellness/disease management providers wherein they agree to maintain the privacy and security of your information.

III. YOUR RIGHTS REGARDING PROTECTED HEALTH INFORMATION ABOUT YOU

Right to Request Restrictions: You have the right to request additional restrictions on the PHI that Visit Health may use for treatment, payment, and health care operations. You may also request additional restrictions on our disclosure of PHI to certain individuals involved in your care or benefit coverage that otherwise are permitted by HIPAA. Visit Health is not required to agree to your request. If we do agree to your request, we are required to comply with our agreement except in certain cases, including where the information is needed to treat you or verify coverage in the case of an emergency. To request restrictions, you must make your request in writing to our Compliance Officer. In your request, please include (1) the information that you want to restrict, (2) how you want to restrict the information (for example, restricting use to this notice, restricting disclosure only to persons outside this office, or restricting both), and (3) to whom you want those restrictions to apply.

Right to Receive Confidential Communications: You have the right to request that you receive communications regarding PHI in a certain manner such as email or at a certain location. For example, you may request that Visit Health contacts you at home, rather than at work. You must make your request in writing to our Compliance Officer. You must specify how you would like to be contacted (for example, by regular mail to your post office box and not your home). We may be required via the provisions of a Business Associate Agreement to accommodate reasonable requests and, regardless, we will do our best to facilitate reasonable requests.

Please keep in mind that communications via email over the internet are not secure. Although it is unlikely, there is a possibility that information you include in an email can be intercepted and read by other parties besides the person to whom it is addressed.

Right to Inspect and Copy: You have the right to request the opportunity to inspect and receive a copy of PHI about you from the Covered Entity and perhaps in certain records that Visit Health maintains as a Business Associate. Such records may include your insurance and billing records but does not include information gathered or prepared for a civil, criminal, or administrative proceeding. We may deny your request to inspect and copy PHI only in limited circumstances. To inspect and copy PHI, contact our Compliance Officer. If you request a copy of PHI about you, we may charge you a reasonable fee for the copying, postage, labor, and supplies used to meet your request.

Right to Amend: You have the right to request that the Covered Entity and perhaps in certain instances that we amend PHI about you as long as such information is kept by or for our office. To make this type of request of us, you must submit your request in writing to our Compliance Officer. You must also give us a reason for your request. We may deny your request in certain cases, including if it is not in writing or if you do not give us a reason for the request or if we are not the proper entity under HIPAA to perform such amendments.

Right to Receive an Accounting of Disclosures: You have the right to receive a list of certain disclosures of your PHI in the past six years other than disclosures made for treatment, payment or health care operations. You may exercise this right by contacting Visit Health and we will provide any accounting of disclosures in accordance with HIPAA.

Right to Breach Notification: Visit Health will provide any information to you as required in accordance with HIPAA.

Right to a Paper Copy of this Notice: You have a right to receive a paper copy of this notice at any time, even if you have previously agreed to receive this notice electronically. To obtain a paper copy of this notice, contact the Compliance Officer.

Questions/Complaints: If you want further information about matters covered in this notice, or believe that your privacy rights have been violated, or disagree with a decision made about access to your personal and health information, you can contact our Compliance Officer. You may also submit a complaint to the office of the Secretary of Health and Human Services. We want to hear your concerns and you will not be retaliated against if you file a complaint.