Notice of Privacy Practices
This notice describes how medical information about you may be used and disclosed, and how you can get access to this information.
This Notice is effective as of February 9, 2024.
We understand the importance of, and are committed to, maintaining the privacy of your protected health information (PHI). PHI is health and nonpublic personal financial information that can reasonably be used to identify you and that we maintain in the normal course of either administering your employer’s self-insured group health plan or providing you with insured health care coverage and other services. PHI also includes your personally identifiable information that we may collect from you in connection with the application and enrollment process for health insurance coverage.
We are required by applicable federal and state laws to maintain the privacy of your PHI. We are also required to provide you with this Notice which describes our privacy practices, our legal duties, and your rights concerning your PHI. We are required to follow the privacy practices that are described in this Notice while it is in effect.
We reserve the right to change our privacy practices and the terms of this Notice at any time and to make the terms of our revised Notice effective for all of your PHI that we either currently maintain or that we may maintain in the future. If we make a significant change in our privacy practices, we will post a revised Notice on our web site by the effective date, and provide the revised Notice, or information about the change and how to get the revised Notice, to covered individuals in our next annual mailing.
How we protect your PHI:
- Our workforce is trained on our privacy and data protection policies and procedures;
- We use administrative, physical and technical safeguards to help maintain the privacy and security of your PHI;
- We have policies and procedures in place to restrict our workforce’s use of your PHI to those who are authorized to access this information for treatment or payment purposes or to perform certain healthcare operations; and
- Our corporate Compliance Office monitors how we follow our privacy policies and procedures.
How we must disclose your PHI:
- To You: We will disclose your PHI to you or someone who has the legal right to act on your behalf (your personal representative) in order to administer your ‘Individual Rights’ under this Notice.
- To The Secretary of the Department of Health and Human Services (HHS): we will disclose your PHI to HHS, if necessary, and ensure that your privacy rights are protected.
- As Required by Law: we will disclose your PHI when required by law to do so.
How we may use and disclose your PHI without your written authorization:
We may use and disclose your PHI without your written authorization in a number of different ways in connection with your treatment, the payment for your health care, and our health care operations. When using or disclosing your PHI, or requesting your PHI from another entity, we will make reasonable efforts to limit such use, disclosure or request, to the extent practicable, to the minimum necessary to accomplish the intended purpose of such use, disclosure or request. The following are only a few examples of the types of uses and disclosures of your PHI that we may make without your written authorization.
- For Treatment: We may use and disclose your PHI as necessary to aid in your treatment or the coordination of your care. For example, we may disclose your PHI to doctors, dentists, hospitals, or other health care providers in order for them to provide treatment to you.
- For Payment: We may use and disclose your PHI to administer your health benefits policy or contract. For example, we may use and disclose your PHI to pay claims for services provided to you by doctors, dentists or hospitals. We may disclose your PHI to a health care provider or another health plan so that the provider or plan may obtain payment of a claim or engage in other payment activities.
- To Family, Friends, and Others for Treatment or Payment: Our disclosure of your PHI for the treatment and payment purposes described above may include disclosures to others who are involved in your care or the administration of your health benefits policy or contract. For example, we may disclose your PHI to your family members, friends or caregivers if you direct us to do so or if we exercise professional judgment and determine that they are involved in either your care or the administration of your health benefits policy. We may send an explanation of benefits to the policyholder, which may include claims paid and other information. We may determine that persons are involved in your care or the administration of your health benefits policy if you either agree or fail to object to a disclosure of your PHI to such persons when given an opportunity. In an emergency or in situations where you are incapacitated or not otherwise present, we may disclose your PHI to your family members, friends, caregivers or others, when the circumstances indicate that such disclosure is authorized by you and is in your best interests. In these situations we will only disclose your PHI that is relevant to such other person’s involvement in your care or the administration of your health benefits policy.
- For Health Care Operations: We may use and disclose your PHI to support other business activities. For example, we may use or disclose your PHI to conduct quality assessment and improvement activities, to conduct fraud and abuse investigations, to engage in care coordination or case management, or to communicate with you about health related benefits, products or services or treatment alternatives that may be of interest to you. We may also disclose your PHI to another entity subject to federal privacy laws, as long as the entity has or had a relationship with you and the PHI is disclosed only for certain health care operations of that provider, plan, or other entity. We may use and disclose your PHI as needed to conduct or arrange for legal services, auditing, or other functions. We may also use and disclose your PHI to perform underwriting activities; however, we are prohibited from using or disclosing your genetic information for underwriting purposes.
- To Business Associates for Treatment, Payment or Health Care Operations: Our use of your PHI for treatment, payment or health care operations described above (or for other uses or disclosures described in this Notice) may involve our disclosure of your PHI to certain other individuals or entities with which we have contracted to perform or provide certain services on our behalf (Business Associates). We may allow our Business Associates to create, receive, maintain, or transmit your PHI on our behalf in order for the Business Associate to provide services to us, or for the proper management and administration of the Business Associate or to fulfill the Business Associate’s legal responsibilities.
These Business Associates include lawyers, accountants, consultants, claims clearinghouses, and other third parties. Our Business Associates may redisclose your PHI to subcontractors in order for these subcontractors to provide services to the Business Associates. These subcontractors will be subject to the same restrictions and conditions that apply to the Business Associates. Whenever such arrangement with a Business Associate involves the use or disclosure of your PHI, we will have a written contract with our Business Associate that contains terms designed to protect the privacy of your PHI.
- For Public Health and Safety: We may use or disclose your PHI to the extent necessary to avert a serious and imminent threat to the health or safety of you or others. We may also disclose your PHI for public health and government health care oversight activities and to report suspected abuse, neglect or domestic violence to government authorities.
- As Permitted by Law: We may use or disclose your PHI when we are permitted to do so by law.
- For Process and Proceedings: We may disclose your PHI in response to a court or administrative order, subpoena, discovery request, or other lawful process.
- Criminal Activity or Law Enforcement: We may disclose your PHI to a law enforcement official with regard to crime victims and criminal activities. We may disclose your PHI if we believe that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. We may also disclose your PHI if it is necessary for law enforcement authorities to identify or apprehend an individual.
- Special Government Functions: When the appropriate conditions apply, we may use or disclose PHI of individuals who are Armed Forces personnel (i) for activities deemed necessary by appropriate military command authorities; (ii) for the purpose of determination by the Department of Veterans Affairs of your eligibility for benefits, or (iii) to foreign military authorities if you are a member of that foreign military service. We may also disclose your PHI to authorized federal officials for conducting national security and intelligence activities, including the provision of protective services to the President or others legally authorized to receive such governmental protection.
- Inmates: We may use or disclose your PHI if you are an inmate of a correctional facility and your physician created or received your PHI in the course of providing care to you.
- To Plan Sponsors, if applicable (including employers who act as Plan Sponsors): We may disclose enrollment and disenrollment information to the plan sponsor of your group health plan. We may also disclose certain PHI to the plan sponsor to perform plan administration functions. We may disclose summary health information to the plan sponsor so that the plan sponsor may either obtain premium bids or decide whether to amend, modify or terminate your group health plan. Please see your plan documents, where applicable, for a full explanation of the limited uses and disclosures that the plan sponsor may make of your PHI in providing plan administration functions for your group health plan.
- For Coroners, Funeral Directors, and Organ Donation: We may disclose your PHI to a coroner or medical examiner for identification purposes, determining cause of death or for the coroner or medical examiner to perform other duties authorized by law. We may also disclose PHI to a funeral director, as authorized by law, in order to permit the funeral director to carry out his or her duties. We may disclose such information in reasonable anticipation of death. PHI may be used and disclosed for cadaveric organ, eye, or tissue donation purposes.
- Research: We may disclose your PHI to researchers when their research has been approved by an institutional review board that has reviewed the research purposes and established protocols to ensure the privacy of your PHI, or as otherwise permitted by federal privacy law.
- Fundraising: We may use your PHI to contact you in order to raise funds for our benefit. You have the right to opt out of receiving such communications.
- Limited data sets and de-identified information: We may use or disclose your PHI to create a limited data set or de-identified information, and use and disclose such information as permitted by law.
- For Workers’ Compensation: We may disclose your PHI as permitted by workers’ compensation and similar laws.
Uses and disclosures of PHI permitted only after authorization is received:
We will obtain your written authorization, as described below, for:
- uses and disclosures of your PHI for marketing purposes, including subsidized treatment communications (except for certain activities otherwise permitted by federal privacy law, such as face-to-face communications or promotional gifts of nominal value);
- disclosures of your PHI that constitute a sale of PHI under federal privacy law and that require your authorization; and
- other uses and disclosures of your PHI not described in this Notice.
There are also other federal and state laws that may further restrict our disclosure of certain PHI (to the extent we maintain such information) that is deemed highly confidential. Our intent is to meet the requirements of these more stringent privacy laws and we will only disclose this type of specially protected PHI with your prior written authorization except when our disclosure of this information is permitted or required by law.
Authorization:
You may give us written authorization to use your PHI or disclose it to anyone for any purpose not otherwise permitted or required by law. If you give us an authorization, you may revoke it in writing at any time. Your revocation will not affect any use or disclosure permitted by your authorization while it was in effect. In the event that you are incapacitated or are otherwise unable to respond to our request for an authorization, (for example, if you are or become legally incompetent), we may accept an authorization from any person who is legally authorized to give such authorization on your behalf.
Individual Rights:
To exercise any of these rights, please call the customer service number on your ID card.
- Access: With limited exceptions, you have the right to inspect, or obtain copies of, your PHI. We may charge you a reasonable fee as permitted by law. We will provide you a copy of your PHI in the form and format requested, if it is readily producible in such form or format or, if not, in a readable hard copy form or such format as agreed to by you and us. Where your PHI is contained in one or more designated record sets electronically, you have the right to obtain a copy of such information in the electronic form and format requested, if it is readily producible in such form and format; or if not, in a readable electronic form and format as agreed to by us and you.
- Amendment: With limited exceptions, you have the right to request that we amend your PHI.
- Disclosure Accounting: You have the right to request and receive a list of certain disclosures made of your PHI. If you request this list more than once in a 12-month period, we may charge you a reasonable fee as permitted by law to respond to any additional request.
- Use/Disclosure Restriction: You have the right to request that we restrict our use or disclosure of your PHI for certain purposes. We are required to agree to a request to restrict the disclosure of your PHI to a health plan if you submit the request to us and: (i) the disclosure is for purposes of carrying out payment or health care operations and is not otherwise required by law; and (ii) the PHI pertains solely to a health care item or service for which you, or a person on your behalf other than the health plan, has paid the covered entity out-of-pocket in full. We may not be required to agree to all other restriction requests and, in certain cases, we may deny your request. We will agree to restrict the use or disclosure of your PHI provided the law allows and we determine the restriction does not impact our ability to administer your benefits. Even when we agree to a restriction request, we may still disclose your PHI in a medical emergency and use or disclose your PHI for public health and safety and other similar public benefit purposes permitted or required by law.
- Confidential Communication: You have the right to request that we communicate with you in confidence about your PHI at an alternative address. When you call the customer service number on your ID card to request confidential communications at an alternative address, please ask for a “PHI address.”
- Note: If you choose to have confidential communications sent to you at a PHI address, we will only respond to inquiries from you. If you receive services from any health care providers, you are responsible for notifying those providers directly if you would like a PHI address from them.
- Privacy Notice: You have the right to request and receive a copy of this Notice at any time. For more information or if you have questions about this Notice, please contact us using the information listed at the end of this Notice.
- Breach: You have the right to receive, and we are required to provide, written notification of a breach where your unsecured PHI has been accessed, used, acquired, or disclosed to an unauthorized person as a result of such breach, and which compromises the security or privacy of your PHI. Unless specified in writing by you to receive the notification by electronic mail, we will provide such written notification by first class mail or, if necessary, by such other substituted forms of communication permitted under the law.
- Paper Copy: You have the right to receive a paper copy of this Notice, upon request, even if you have previously agreed to receive the Notice electronically.
Complaints
- We will not retaliate against you for exercising any of the Rights afforded you or for filing a complaint.
- You can complain if you feel we have violated your rights by contacting the XO Health Privacy Officer:
Compliance Officer/Privacy Officer
800-398-9765
For all other requests, please submit your request in writing to:
Privacy Officer
Privacy@xohealth.com
XO Health Inc.,
1266 E. Main Street, Suite 700R,
Stamford, CT 06902
You can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting www.hhs.gov/ocr/privacy/hipaa/complaints/.