THIS NOTICE OF PRIVACY PRACTICES DESCRIBES HOW INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION MAY BE USED AND DISCLOSED BY ASPARIA, INC. (“ASPARIA”) PATIENT ENGAGEMENT SOLUTION.
PLEASE REVIEW IT CAREFULLY.
I. Purpose of This Notice of Privacy Practices
This Notice describes the health information privacy practices of Asparia, Inc. Any user of the Asparia Solution (the “Asparia Solution”) should note that Asparia is not a licensed health care provider or a health plan. Rather, Asparia provides its Platform for use by health care providers, payers and individuals (each a “User”), in some cases as a business associate, under the applicable provisions of the Laws. THE ASPARIA SOLUTION MAY BE USED BY ITS USERS TO TRANSMIT PROTECTED HEALTH INFORMATION. THE ASPARIA SOLUTION STORES PATIENT CONTACT INFORMATION FOR NOT MORE THAN 24 HOURS PER USE.
II. Asparia’s Privacy Obligations
Under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health chapter of the American Recovery and Reinvestment Act of 2009 (HITECH) and the implementing regulations and other applicable state and federal laws (collectively, the “Laws”), Asparia may be required by law to maintain the privacy of the protected health information (“Protected Health Information” or “PHI”) of its Users and to provide each such User with this Notice of Privacy Practices regarding Protected Health Information. Asparia may be a business associate, as defined in those Laws, depending upon the nature of the User and User’s relationship with a healthcare payer or provider. When Asparia transmits Protected Health Information, it may be required to abide by the terms of its privacy policies as reflected in this Notice as it may be amended or updated from time to time.
The Laws divide uses and disclosures of PHI into those which can be done without individual authorization and those which require individual authorization. Section III describes uses and disclosures that can be done without individual authorization. Section IV describes uses and disclosures that can be made only with written individual authorization.
III. Permissible Uses and Disclosures Without A Written Authorization
A. Uses and Disclosures For Treatment, Payment and Health Care Operations. The Asparia Solution enables its Users to use and disclose information regarding patient care, including but not limited to PHI, under federal law in order to enable treatment, receive payment or engage in healthcare operations as described below:
Treatment. Pursuant to and consistent with an arrangement among a User and provider or health plan, Asparia Users may use and disclose PHI to those who provide diagnosis and treatment to a User.
Payment. Asparia Users may use and disclose PHI to obtain payment for services such User provides. Asparia Users may also disclose PHI to a provider or health care facility when such PHI is required for such a provider or health care facility to engage in treatment, payment or health care operations. Under the Laws, a patient may pay for the services and request that his/her PHI not be disclosed to the health plan for that service.
Health Care Operations. Asparia may use and disclose PHI for health care operations, which include administration, management and activities that improve the quality and cost effectiveness of the Asparia Solution.
B. Disclosure to Relatives, Close Friends and Other Caregivers. Asparia Users may use the Solution to disclose PHI to a patient’s family member, other relative, a close personal friend or any other person identified by a User with a written authorization received from the User patient prior to the disclosure.
If a patient has not provided a written authorization and such authorization cannot practicably be provided because of incapacity or an emergency circumstance, Asparia Users may exercise professional judgment to determine whether a disclosure is in the best interest of the patient User. If Asparia Users disclose information to a provider, payer, family member, other relative or a close personal friend without an authorization, Asparia Users would disclose only the minimum necessary information that Asparia determines to be necessary for the purpose of the disclosure. Asparia Users may also disclose PHI in order to notify (or assist in notifying) such persons of a User’s location, general condition or death.
C. Public Health Activities. Asparia Users may disclose PHI in order to comply with public health requirements, including but not limited to: (1) to report certain diseases, conditions or other findings to public health authorities for the purpose of preventing or controlling disease, injury or disability; (2) to report child abuse and neglect to public health authorities or other government authorities authorized by law to receive such reports; (3) to report information about products and services under the jurisdiction of the U.S. Food and Drug Administration; (4) to alert a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition (under specifically limited circumstances); and (5) to report suspected abuse or neglect to a governmental authority, including a social service or protective services agency, authorized by law to receive reports of such abuse or neglect.
D. Health Oversight Activities. Asparia Users or Asparia may disclose PHI to a health oversight agency that oversees the health care system and is charged with responsibility for ensuring compliance with the rules of government health programs such as Medicare or Medicaid and civil rights laws.
E. Judicial and Administrative Proceedings. Asparia Users or Asparia may disclose PHI in the course of a judicial or administrative proceeding in response to a legal order or other lawful process.
F. Law Enforcement Officials. Asparia Users or Asparia may disclose PHI to the police or other law enforcement officials as required or permitted by law or in compliance with a court order or a grand jury or administrative subpoena.
G. Uses or Disclosures Required By Law. Asparia or its Users may use and disclose PHI when required to do so by any other law not already referred to in the preceding categories.
IV. Uses and Disclosures Requiring Written Authorization
This Section IV describes the circumstances pursuant to which Asparia Users must obtain an individual’s written authorization to use or disclose PHI.
Pursuant to both the Federal Laws and applicable state laws, Asparia Users may use or disclose PHI for the following purposes when they receive a written authorization for such use or disclosure for any purpose other than the ones described above in Section III, and as described below.
A. HIV/AIDS Related Information. Asparia Users shall only disclose PHI related to HIV or AIDS with the express authorization of the Individual, and as consistent with applicable state and federal laws.
B. Behavioral Health Information. Consistent with State and Federal laws, Asparia Users will only disclose Behavioral Health Information pursuant to a valid written authorization. The confidentiality of alcohol and drug abuse records maintained by Asparia Users is protected by federal and state law and regulations. Asparia may not disclose drug and alcohol medical records without a patient User’s written authorization.
V. Rights Regarding Protected Health Information
A. For Further Information; Complaints. Further information, concerns or complaints about Asparia’s privacy practices, or about any violations of patient privacy rights or disagreements regarding use of the Asparia Solution, should be addressed to the Asparia Privacy Office, at the following address:
Privacy Officer
Asparia, Inc.
PO Box 2747
Saratoga, CA 95070
A User may also file written complaints with the Office of Civil Rights of the U.S. Department of Health and Human Services, at the following address:
Office for Civil Rights
U.S. Department of Health and Human Services
Complaint Portal
https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf
Asparia will not retaliate against any person who reports a privacy issue or files a complaint with the Director of OCR/HHS or with the Privacy Officer.
B. Right to Request Restrictions. A patient may request restrictions on a SimplifMed User’s use and disclosure of PHI (1) for treatment, payment and health care operations, (2) to individuals (such as a provider, family member, other relative, close personal friend or any other person identified by the User) involved with care or with payment related to care, or (3) to prevent or limit the notification of such individuals regarding a User’s location and general condition.
C. Right to Receive Confidential Communications. A patient may request, and Asparia Users are required by law to accommodate, any reasonable written request to receive his or her PHI by alternative means of communication or at alternative locations. Requests should be made to the User’s Privacy Office in writing.
D. Right to Revoke Authorization. A User may revoke his or her Authorization, except to the extent that Asparia Users have taken action in reliance upon it, by delivering a written revocation statement to the User’s Privacy Office.
E. Right to Inspect and Copy Health Information. As described above, Asparia retains patient contact information for a period not to exceed 24 hours. To the extent that Asparia has PHI, a patient may request access to medical record files and billing records maintained by Asparia in order to inspect and request copies of the records. Under limited circumstances, Asparia may deny access to a portion of such records. Record requests must be made in writing to the Privacy Office.
F. Right to Amend Records. To the extent that Asparia stores PHI, and it has no obligation to do so, each patient User has the right to request that Asparia amend Protected Health Information maintained by Asparia, by making such a request in writing to the Privacy Office. Asparia will comply with such requests unless Asparia believes that the amendment is inaccurate or would result in an inaccurate or incomplete record.
G. Right to Receive An Accounting of Disclosures. Upon written request to the Privacy Office, Asparia will provide a User with an accounting of certain disclosures of PHI made by Asparia during any period of time prior to the date of said request to the Effective Date, provided such period does not exceed six years. Asparia disclosures are logged by and through a third-party communications applications provider.
H. Right to Receive Paper Copy of this Notice. Upon request, Asparia will provide a paper copy of this Notice.
VI. Effective Date and Duration of This Notice
A. Effective Date. This Notice is effective on September 25, 2019.
B. Right to Change Terms of this Notice. Asparia may change the terms of this Notice at any time. If Asparia changes this Notice, Asparia may make the new notice terms effective for all Protected Health Information that Asparia maintains, including any information created or received prior to issuing the new notice. Copies of any amended notice will be available from the Privacy Office.