THIS NOTICE DESCRIBES HOW MEDICAL AND HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN ACCESS THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

NOTICE OF PRIVACY PRACTICES

Effective as of June 17, 2016

Our Commitment

In the United States, health care providers, including laboratories like Celmatix Clinical Laboratories, are required by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to maintain the privacy of your health information; to provide you this detailed Notice of our legal duties and privacy practices relating to your identifiable medical and health information (referred to as “Protected Health Information” or “PHI”); and to abide by the terms of the Notice that are currently in effect.

This Notice applies to Celmatix Clinical Laboratories (“Celmatix”), including its scientists, clinical directors, genetic counselors and administrative employees. Celmatix is committed to protecting the privacy of your PHI as required by HIPAA. We urge you to read this Notice carefully so that you will understand our commitment to the privacy and protection of your PHI, and learn how you can involve yourself in the protection of your PHI.

What Is Protected Health Information or “PHI”?

“Protected health information,” or “PHI,” is information that identifies who you are and relates to your past, present, or future physical or mental health or condition, the provision of health care to you, or past, present, or future payment for the provision of health care to you. Your PHI includes your genetic information. PHI does not include information about you that does not identify who you are.

What Are Your Rights?

You have specific rights protected by federal and state laws concerning your PHI. The following section describes your rights. To exercise any of the rights below, or if you have any questions regarding these rights, contact the Celmatix Privacy Officer in writing at the following address:

Attn: Privacy Officer
Celmatix Clinical Laboratories LLC
760 Parkside Avenue
Room 219
Brooklyn, New York 11226

Access Your PHI: You have the right to review your PHI. You have the right to request an electronic or a paper copy of your PHI. Requests must be made in writing and Celmatix may charge you a reasonable, cost-based fee as allowed by the applicable state and federal laws. Celmatix will provide this copy or a summary of your PHI within five (5) days from our receipt of your written request. If your request is denied, we will explain the reasons for denying your request in writing and inform you of the rights you have. In some cases you may request review of the denial.

Amend Your PHI: You have the right to ask us to amend PHI that you believe is incorrect or incomplete, for as long as Celmatix keeps the information. Requests must be made in writing and include the reason for the amendment. Celmatix will respond in writing within 60 days. We may deny your request for an amendment if the information (a) was not created by Celmatix; (b) is not part of the health information maintained by or for Celmatix; (c) is not part of the information to which you have a right of access; or (d) is already accurate and complete, as determined by Celmatix. If your request to amend is denied, Celmatix will make efforts to provide a written statement with the reason(s) for denial and what other steps are available to you.

Receive a List of Those with Whom We’ve Shared Your PHI: You have the right to receive an accounting of certain disclosures listing the times your health information has been shared for up to six (6) years prior to the date of your request, with whom we shared it, and why. We will include all of the disclosures made during this time period, except those for treatment, payment, health care operations, and certain other disclosures such as those you authorized us to make.

Celmatix will respond to requests in writing within 60 days. If we deny your request, we will provide a written statement with the reason(s) for denial and what other steps are available to you.

Your first request in any 12-month period is free; however, for subsequent requests we will charge a reasonable cost for providing this information to you. We will notify you of the fee before we process your request so that you may stop the request if you do not wish to pay the fee.

Request Restrictions Regarding Your PHI: You have the right to ask for restrictions on our uses and/or disclosures of your PHI. You also have the right to request restrictions on personal information we disclose about you to a family member, friend or other person who is involved in your care or the payment for your care. All requests for restrictions must be made in writing. You may not ask us to restrict uses and disclosures that we are legally required to make. Celmatix is not required to agree to your requested restriction. If we do agree to accept your requested restriction, we will make best efforts to comply with your request.

Request Confidential Communications: You have the right to ask us in writing to contact you in a specific way (e.g., home or office phone) or to send mail to a different address. We will agree to all reasonable requests.

Receive Copy of the Notice of Privacy Practices: You have the right to receive a paper copy of this Notice upon request, even if you previously agreed to receive this Notice electronically.

Choose Someone to Act for You: If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information. We will make sure the person has this authority and can act for you before we take any action.

How May Celmatix Use and Disclose Your PHI?

When you do provide us with PHI, we use your PHI for four general reasons. First, we use PHI to provide you with the laboratory services that you request and communicate with you about these services. Second, we may use your PHI to send you information about Celmatix (including its affiliates) and Celmatix’s and its affiliates’ products and services. Third, we may use your PHI in aggregate form to help us evaluate, modify, and improve Celmatix and the services we provide. Fourth, we may customize our marketing communications depending on the PHI we have about you by sending you information that we believe will be to your benefit.

While we cannot list every possible use or disclosure, Celmatix may also disclose collected PHI to certain third parties as further described below. Some of the uses and disclosures described may be limited or restricted by state laws or other legal requirements. If your state’s law is stricter than the federal law, we will abide by your state’s law.

Treatment: Celmatix may use PHI it receives from your physician(s) as part of its laboratory services (for example, to identify and process your specimens and test requests). Additionally, after completing the testing, Celmatix reports your results as new PHI, back to your physician(s) and/or other authorized health care professionals who are treating you. If a physician requests your test results from us, we will ask you to provide written permission to authorize our release of this information to the physician. Forms to facilitate this type of disclosure are available upon your request.

You have the right to revoke your authorization in writing at any time. A revocation is not effective to the extent that Celmatix has taken action in reliance on your authorization prior to receiving your withdrawal.

It is possible that we may also disclose your PHI to another testing laboratory that is similarly required by law to protect your PHI. This type of disclosure will happen if we are unable to perform the testing ourselves and need to refer your specimen to that laboratory to perform the requested testing.

Payment: Celmatix may use and disclose your PHI to bill and collect payment for the laboratory services we provide. For example, if your health insurance covers services you received, we will disclose your PHI to your health insurance plan so it will pay for your services.

Health Care Operations: Celmatix may use and disclose your PHI in the course of activities required to support Celmatix’s health care operations, such as tracking our utilization of resources, detecting fraud, reviewing our billing and claims processing efficiencies, or for performing quality assessment or improvement, employee review activities, training, and conducting or arranging for other business activities. This information will be used internally in an effort to continually improve the quality and effectiveness of the health care services we provide. We may also disclose your PHI to other health care providers or payers for their health care operations, but only if they already have a relationship with you and only for the purposes of quality assurance activities, peer review activities, detecting fraud, or for other limited purposes.

Disclosures to Business Associates: Celmatix may disclose your PHI to other companies or individuals (“Business Associates”) who need your PHI in order to provide specific services to Celmatix. All of our Business Associates are legally required to use and maintain the privacy and security of your PHI in the same manner that we do. Whenever a disclosure of your PHI is made, Celmatix makes every effort possible to ensure that that disclosure is limited to the least amount necessary for support services to be provided. For example, the couriers we use to transport specimens will be provided with only the portion of PHI they need to perform their services.

Appointment Reminders and Health-Related Benefits and Services: Celmatix may use and disclose PHI to contact you as a reminder that you have an appointment with your physician. Celmatix may also use your PHI to tell you about our health-related benefits and services that may interest you.

When Required by Law: Celmatix must disclose your PHI when required to comply with federal or state laws, a court order, or an order issued by a government agency. Celmatix may disclose your PHI to courts, parties to a lawsuit or government agencies, as may be required for certain law enforcement purposes, including, for example, to comply with reporting requirements; to comply with a court order, warrant, or similar legal process; or to answer certain requests for information concerning crimes.

Individuals Involved in Your Care or Payment for Your Care: As part of the laboratory services provided, we may disclose PHI about you to a family member, close personal friend, or other person(s) you identify, including personal responders, who are involved in your care.

Judicial and Administrative Proceedings: Celmatix may disclose your health information in response to a court or administrative order. We also may disclose information in response to a subpoena, discovery request, or other lawful process; efforts must be made to contact you about the request or to obtain an order or agreement protecting the information.

Coroners, Medical Examiners, Funeral Directors, Organ Procurement Organizations: Celmatix may disclose PHI to coroners, medical examiners, funeral directors, and, if you are an organ donor, to appropriate entities engaged in organ donation for their duties as authorized by law.

To Avert a Serious Threat to Health or Safety: Celmatix may use or disclose your PHI when necessary to prevent or lessen a serious threat to your personal health or safety, or the personal health and safety of others.

Public Health: Celmatix may disclose your PHI to public health authorities for preventing or controlling disease, injury, or disability; reporting vital events, abuse, neglect, domestic violence, and communicable and sexually transmitted diseases; or other purposes as required by law.

Reporting Victims of Abuse, Neglect or Domestic Violence: If we believe that you have been a victim of abuse, neglect, domestic or other type of violence, we may use and disclose your health information to notify a government authority, if authorized by law or if you agree to the report.

Emergencies: We may use or disclose your health information as necessary in emergency treatment situations.

Health Oversight Activities: Celmatix may disclose your PHI to health oversight agencies for oversight activities authorized by law (e.g., as part of mandated laboratory audits or inspection of our facilities by state regulators or licensure activities). Celmatix may disclose your PHI to government agencies overseeing compliance with HIPAA or other statutes (e.g., the Secretary of Health and Human Services, the Food and Drug Administration).

Research: Celmatix may use and disclose your PHI for research purposes. Before we use or disclose your PHI for a research activity, Celmatix will either: 1) obtain your specific permission to disclose this information for research purposes; 2) consult a committee which will determine that the research activity poses minimal risk to privacy and that the plan to secure PHI is adequate; or 3) ensure the researcher will be provided only with information that does not identify you directly. The results of our research may be published or presented without any identifying information. In preparation for research, we may review limited PHI to draft research protocols, to identify prospective research participants, or for similar purposes provided the information is not removed from our premises.

Government Functions: Celmatix may disclose PHI to military command authorities, veterans’ administration, and national security and intelligence officials for activities deemed necessary to carry out their respective missions.

Workers’ Compensation: Celmatix may, to the extent authorized by and to the extent necessary to comply with laws relating to workers’ compensation or similar programs, disclose your PHI.

Data Breach Notification Purposes: We may use your contact information to provide legally-required notices of unauthorized acquisition, access, or disclosure of your health information. Celmatix will notify you within 60 days if we discover a breach of your PHI. Notification may include a description of the breach, how it may impact you, and the steps Celmatix is taking to mitigate the effects of the breach.

Additional Uses and Disclosures: Celmatix will not use or disclose collected PHI in ways substantially different from what is described in this Notice, unless otherwise required by law, or unless Celmatix has obtained your expressed authorization. If we want or need to use or disclose your PHI for purposes that do not fall into these general categories, we will obtain your permission in writing. Celmatix will not condition your treatment on whether you provide authorization for a requested use or disclosure if to do so would be prohibited by federal or state law. If a reason exists under law for conditioning your treatment on obtaining an authorization, you will be advised of that fact and of the consequences of refusing to sign the authorization.

In the event you have issued us permission, you have the right to withdraw that permission in writing at any time. A revocation is not effective to the extent that Celmatix has taken action in reliance on your permission prior to receiving your withdrawal.

Examples include, but are not limited to:
  • Disclosure for Marketing or Sales Activities: We must obtain your written authorization in order to use your PHI to send you marketing materials. No authorization is required for marketing information provided to you during a face-to-face communication, or for promotional gifts of nominal value. We must obtain your written authorization prior to any sale of your PHI. Celmatix has no plans to sell your PHI.
  • Disclosure for Fundraising: In the case of fundraising, we may contact you for fundraising efforts, but you can tell us not to contact you again.

Our Responsibilities

Celmatix is required to abide by the terms of this Notice currently in effect. Celmatix reserves the right to change the terms of this Notice at any time without notice to you. The revised notice will be available upon request or on our website. Please be aware that your other health care provider(s) may have different notices regarding the use and disclosure of your PHI maintained by them.

Questions and Complaints

If you believe your privacy rights have been violated, you have the right to register a complaint with Celmatix by writing to our HIPAA Privacy Officer at the address at the beginning of this Notice and/or with the government by writing to the Office for Civil Rights, U.S. Department of Health & Human Services, 26 Federal Plaza – Suite 3313, New York, NY 10278, (212) 264-3313 (TEL), (212) 264-2355 (TDD), (212) 264-3039 (FAX), or e-mailing your complaint to OCRComplaint@hhs.gov. Celmatix will not retaliate against any individual for filing a complaint.

If you have any questions about this Notice you can write us at the following address:
Attn: HIPAA Privacy Officer
Celmatix Clinical Laboratories LLC
760 Parkside Avenue
Room 219
Brooklyn, New York 11226