-Effective 31 Dec 2019-
Privacy at CardiacFITT is our top priority.
We are extremely serious about protecting your privacy.
THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
1. Who Must Follow This Notice
CardiacFITT Health, LLC. (“CardiacFITT”) provides you with health care by working with health coaches and other health care providers (referred to as “we,” “our,” or “us”) when you apply for or participate in the CardiacFITT Healthcare Management Program and other CardiacFITT services (the “Services”). This is a joint notice of our information privacy practices (“Notice”). The following people or groups will follow this Notice:
1. Any health care provider who provides services to you at or from CardiacFITT’s locations, whether physical or on-line, including health coaches and others;
2. All departments and units of our organization, including mobile units; and
3. Our employees, contractors, and volunteers, including regional support offices and affiliates. These entities, sites, and locations may share health information with each other for treatment, payment, or health care operations purposes described in this Notice. In addition, we also use and share your information for other reasons as allowed and required by law. If you have any questions about this Notice, please see our contact information on the last page of this Notice.
2. What Information Does This Notice Cover?
We are a “covered entity” under the federal law called the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Regulations under that law tell us how we can use and disclose, and how we must safekeep and secure, identifiable health information we collect from and about you. Once you enroll in the CardiacFITT Program, we collect that information directly from you via questionnaires, your scale weights, your exercise and other information, food tracking, and health information you disclose to coaches and other program participants. Sometimes, to ensure we are operating the CardiacFITT program efficiently and in a clinically effective manner, or for payment, we receive health information about you from others such as labs. For example, we may receive a blood glucose result about you so we can make sure we are offering you a clinically effective program. Once we receive this information, it is treated as “protected health information” or “PHI” under HIPAA, and this Notice applies to all such information.
PHI is health information that identifies you (such as by your name, social security number, or address), and that relates to (a) your past, present, or future physical or mental health or condition, (b) the provision of health care to you, or (c) your past, present, or future payment for the provision of health care. We need PHI to provide you with quality care and to comply with certain legal requirements.
3. Our Commitment to Your Privacy
We understand that health information about you is private and personal. We are dedicated to maintaining the privacy and integrity of the protected health information that we receive from you as part of your application for or participation in the Services.
We are required by law to maintain the privacy of your PHI and to provide you with notice of our legal duties and privacy practices with respect to your PHI. When we use or disclose your PHI, we are required to abide by the terms of this Notice (or other Notice in effect at the time of the use or disclosure).
This Notice applies to the records of services you receive at or from CardiacFITT. Your doctor and your health care providers other than us may have different practices or notices about their use and sharing of health information in their own offices or clinics. We will gladly explain this Notice to you or your family member, and a copy is always available at www.cardiacfitt.com.
4. How We May Use and Disclose Protected Health Information About You
This section of our Notice tells how we may use PHI about you. We will protect PHI as much as we can under the law. Sometimes state law gives more protection to PHI than federal law. Sometimes federal law gives more protection than state law. In each case, we will apply the laws that protect PHI the most.
We are required to maintain the confidentiality of your PHI, and we have policies and procedures and other safeguards to help protect your PHI from improper use and disclosure. The following categories describe different ways that we use your PHI within CardiacFITT and disclose your PHI to persons and entities outside of CardiacFITT. We have not listed every use or disclosure within the categories below, but all of the ways that we are permitted to use and disclose PHI will fall within one of the following categories. In addition, there are some uses and disclosures that will require your specific authorization, which are described below as well.
How much PHI may legally be used or disclosed without your written permission will vary depending, for example, on the intended purpose of the use or disclosure.
Sometimes we may only need to use or disclose a limited amount of PHI, such as to send you a reminder or to confirm your health insurance coverage. At other times, we may need to use or disclose more PHI such as when a doctor is providing medical treatment.
Below are examples of ways that we may disclose PHI about you without a written authorization from you.
Disclosure at Your Request. If you ask us to send PHI about you to a third party such as a friend, family member, or healthcare provider, we will do so if we believe that your request is authentic. We may ask you to prove your identity before we honor this request. We may need up to 60 days to honor a request like this, depending on the data you want us to disclose, but in most cases we can honor this request in 30 or fewer days.
Treatment. This is an important use and disclosure of your PHI. We may use and disclose your PHI to a physician or other health care provider to provide treatment and other services to you. For example, we may disclose your weight loss results to your physician so that she can monitor your results in our program.
Payment. We may use and disclose your PHI to obtain payment for services that we provide to you. For example, we may make disclosures to claim and obtain payment from your health insurer, HMO, or other company that arranges or pays the cost of some or all of your health care (“Your Payor”) or to verify that Your Payor will pay for health care.
Our Health Care Operations. We may use and disclose your PHI for our health care operations. Examples of our health care operations include improving the operation of our program, training clinical personnel, and legal, audit and other internal management functions. When we use your PHI for our health care operations, we are required to use only that which is necessary. For example, if we were evaluating the accuracy of our digital scale, and we could do so by looking only at log lists of scale weights by day and GPS location, without other identifiers, that is the information we would be limited to.
Health Care Operations of Other Covered Entities. We are also permitted to share PHI about you with other covered entities for their health care operations (including, for example, your employer, health plan and certain service providers serving as the business associates of such entities). For example, we might share PHI about you with your health insurer when they are evaluating whether they have made the right types of diabetes programs available to you. Or, we might share PHI about you with your physician’s office so that she can demonstrate to the federal government that she has referred you to a diabetes prevention program and how it is working for you. Any other covered entity in this example must have or have had a relationship with you. And, like our health care operations, any other covered entity may only seek from us PHI about you that is the minimum necessary for its purposes. Other examples of another covered entity’s health care operations include, but are not limited to, using information about you to improve quality of care, quality assessment activities, disease management programs, patient satisfaction surveys, compiling health information, training, de-identifying PHI and benchmarking.
Business Associates. Some services in our organization are provided through our contracts with business associates. Examples of business associates include accreditation agencies, management consultants, quality assurance reviewers, billing and collection services, and secure cloud hosting of data, including PHI, that we are legally responsible for. We may disclose your PHI to our business associates so that they can perform the job we have asked them to do. To protect your PHI, we require our business associates to sign a contract or written agreement stating that they will appropriately safeguard your PHI and will use it only as we permit them to under that contract.
Health-Related Products and Services. We may use and disclose your PHI to tell you about our health-related products or services that may be of interest to you.
Communications with Family and Others When You Are Present. Sometimes a family member or other person involved in your care will be present when we are discussing your PHI with you. We may use or disclose your PHI to a family member, other relative, a close personal friend or any other person identified by you when you are present for, or otherwise available prior to, the disclosure, if we (1) obtain your agreement; (2) provide you with the opportunity to object to the disclosure and you do not object; or (3) reasonably infer that you do not object to the disclosure.
Communications with Family and Others When You Are Not Present or Are Incapacitated. If you are not present, or the opportunity to agree or object to a use or disclosure cannot practicably be provided because of your incapacity or an emergency, we may exercise our professional judgment to determine whether a disclosure is in your best interest. If we disclose information to a family member, other relative, or a close personal friend, we would disclose only information that we believe is directly relevant to the person’s involvement with your health care or payment related to your health care. We may also disclose your PHI in order to notify (or assist in notifying) such persons of your location, general condition or death.
Threat to Health or Safety. We may use and disclose your PHI when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat as determined by us in good faith.
5. Special Situations That Do Not Require Your Authorization
The following categories describe some additional circumstances in which CardiacFITT may use or disclose your PHI without your authorization.
Public Health Activities. We may disclose your PHI for the following public health activities to: (1) prevent or control disease, injury or disability; (2) report births and deaths; (3) report regarding the abuse or neglect of children, elders and dependent adults; (4) report reactions to medications or problems with products; (5) notify people of recalls of products they may be using; (6) notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; and (7) notify emergency response employees regarding possible exposure to HIV/AIDS, to the extent necessary to comply with state and federal laws.
Victims of Abuse, Neglect or Domestic Violence. If we reasonably believe you are a victim of abuse, neglect, or domestic violence, we may disclose your PHI to a governmental authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence.
Health Oversight Activities. We may disclose your PHI to a health oversight agency for activities authorized by law. An example of a health oversight agency is a state health insurance regulator or Medicaid program. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.
Lawsuits and Other Legal Disputes. We may use and disclose PHI in responding to a court or administrative order, a subpoena, or a discovery request. We may also use and disclose your PHI to the extent permitted by law without your authorization, for example, to defend a lawsuit or arbitration.
Law Enforcement Officials. We may disclose your PHI to the police or other law enforcement officials as required or permitted by law: (1) in response to a court order, subpoena, warrant, summons or similar process; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) about the victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement; (4) about a death we believe may be the result of criminal conduct; (5) about criminal conduct at CardiacFITT; and (6) in emergency circumstances to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime.
Decedents. We may disclose your PHI to a coroner or medical examiner as authorized by law.
Organ and Tissue Donation. We may disclose your PHI to organizations that facilitate organ, eye or tissue procurement, tissue banking or transplantation.
Research that Does Not Involve Your Treatment. When a research study does not involve any treatment, we may disclose your PHI to researchers. To do this, we will either ask your permission to use your PHI or we will use a special process that protects the privacy of your PHI. For example, we are allowed to supply to a third-party researcher a data set with identifiers about you removed except for complete dates and five-digit ZIP codes. The researcher, before receiving this data set, must contract with us to limit her use of it, to safe-keep the data, and to destroy or return it when the research concludes.
Specialized Government Functions. We may use and disclose your PHI to units of the government with special functions, such as the U.S. military or the U.S. Department of State, under certain circumstances. We may use and disclose your PHI to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law. We may use and disclose your PHI to authorized federal officials so they may provide protection to the President, other authorized persons or foreign heads of state, or conduct special investigations.
Inmates. If you are an inmate of a correctional institution or under custody of a law enforcement official, we may disclose PHI about you to the correctional institution or the law enforcement official. This is necessary for the correctional institution to provide you with health care, to protect your health and safety and the health and safety of others, and to protect the safety and security of the correctional institution.
Workers’ Compensation. We may disclose your PHI as authorized by and to the extent necessary to comply with state laws relating to workers’ compensation or other similar programs.
As Required By Law. We may use and disclose your PHI when required to do so by any other law not already referred to in the preceding categories. For example, the Secretary of the Department of Health and Human Services may review our compliance efforts, which may include seeing your PHI.
6. Situations Requiring Your Written Authorization
If there are reasons we need to use your PHI that have not been described in the sections above, we will obtain your written permission. This permission is described as a written “authorization.” If you authorize us to use or disclose PHI about you, you may revoke that authorization in writing at any time. If you revoke your authorization, we will no longer use or disclose PHI about you for the reasons stated in that written authorization, except to the extent we have already acted in reliance on your authorization. You understand that we are unable to take back any disclosures we have already made with your permission, and we are required to retain our records of the care we provide to you. Also, a revocation applies only to what was authorized, and does not apply to the situations above where we are permitted to use or disclose PHI about you without an authorization. Some typical disclosures that require your authorization are:
Special Categories of Treatment Information. In most cases, federal or state law requires your written authorization or the written authorization of your representative for disclosures of drug and alcohol abuse treatment, Human Immunodeficiency Virus (HIV) and Acquired Immune Deficiency Syndrome (AIDS) test results, and mental health treatment.
Research Involving Your Treatment. When a research study involves your treatment, we may disclose your PHI to researchers only after you have signed a specific written authorization. In addition, an Institutional Review Board (IRB) will already have reviewed the research proposal, established appropriate procedures to ensure the privacy of your PHI and approved the research. You do not have to sign the authorization, but if you refuse, you cannot be part of the research study and may be denied research-related treatment.
Marketing. We must also obtain your written authorization prior to using your PHI to send you any information that HIPAA defines as marketing information. HIPAA defines marketing as a communication about a product or service that encourages you to purchase or use the product or service when that product is not one of CardiacFITT’s programs or services, or when we are paid to communicate about the product or service to you.
There are some types of communications we may send you that are not part of the Services, for which we do not need your prior authorization. We might send these communications to you directly, or one of our business associates may send them for us. One type is communications from us to you about care coordination and care management services that may be available to you, when we are not paid to make this communication. We are also allowed to give you a promotional gift of nominal value. And, we can remind you to fill a prescription so long as we are only reimbursed for our actual expense in doing so.
7. Your Rights Regarding Your PHI
You have the following rights regarding PHI we maintain about you. You may contact us to obtain additional information and instructions for exercising the following rights.
Right to request additional restrictions. You may request restrictions on our use and disclosure of your PHI (1) for treatment, payment and health care operations, (2) to individuals (such as a family member, other relative, close personal friend or any other person identified by you) involved with your care or with payment related to your care, or (3) to notify or assist in the notification of such individuals regarding your location and general condition. While we will consider all requests for additional restrictions carefully, we are not required to agree to a requested restriction, unless the request is regarding a disclosure to a health plan for a payment or health care operation purpose and the PHI relates solely to a health care item or service for which we have been paid out-of-pocket in full. This request must be in writing. We will send you a written response. If we agree with the request, we will comply with your request except to the extent that disclosure has already occurred or if you are in need of emergency treatment and the information is needed to provide the emergency treatment.
Right to Receive Confidential Communications. You may request to receive your PHI by alternative means of communication or at alternative locations. For example, you can request that we only contact you at work or by mail. To request confidential communications, you must make your request in writing. We will not ask you for the reason for your request. We will accommodate all reasonable requests. Your request must specify how or where you wish to be contacted. We note, however, that as our program operates best through an online digital platform, a request for alternative communications may negatively impact how you experience the program.
Inspection and Copies. You have an absolute right to obtain copies of the PHI we have about you that we collect and use in the normal course of providing the Services to you. You do not have a right to get copies of PHI we have about you in research databases or in data sets we use to study and improve the quality of our business, to train our employees, or to manage the legal and financial aspects of our business, although typically, we do not use PHI for most such purposes. To obtain a copy, we require that you request that copy in a way that we can reliably conclude is authentic. You may request a copy of PHI about you in writing on paper, via the messaging feature of your CardiacFITT account, via an email where we have the means to confirm your identity, or by contacting email@example.com when our support team can confirm your identity. We can do this because when you enroll, we issue digital identity credentials to you. If you want your legal representative or attorney to request this copy for you, they will have to request the copy in writing as we have not issued any digital identity credentials to them. We reserve the right to reject an online request as inauthentic.
Once we have your authentic request, we will see if the information you want is easily available to you on your account with us, and coach you through how to access it. If more work is required by us, we have up to 30 days to complete that work, which we may extend by another 30 days if necessary to prepare the data.
Once we have your authentic request, we will also discuss with you in what form and format you want the information, among those we offer. For example, do you want the information printed, or in a secure spreadsheet? We will also discuss with you how to deliver it where you want it to go. We are always obliged to send PHI securely, and to protect the security of our systems we do not allow the copying of PHI onto mobile storage devices like thumb-drives.
We will provide (or transmit at your request) one copy of your PHI per calendar year at no cost to you. If you request more than one copy per year, we are allowed to charge you for copying (for example, the cost of paper and ink) and mailing/transmission, and will supply you with an estimate before proceeding, so that you can change your mind if you want to.
Right to Amend Your Records. You have the right to request that we amend PHI we have about you. If you desire to amend your records, your request must be in writing. We will accept an email or secure message that we believe is authentically from you. We will comply with your request unless we believe that the information that would be amended is accurate and complete or other special circumstances apply. If we deny your request, you will be permitted to submit a statement of disagreement for inclusion in your records.
Right to Addendum. You have the right to add an addendum to your PHI maintained in your medical record.
Right to Receive an Accounting of Disclosures. You can request that we give you an “accounting of disclosures”. This is a summary of the people and organizations outside of CardiacFITT, or that are not covered entities having a relationship with you, to whom we have disclosed PHI about you as described in this Notice. Your request must be written (not by phone) so we know exactly what you want. We will accept as a writing a request on paper, via the messaging feature of your CardiacFITT account, via an email where we have the means to confirm your identity, or by contacting firstname.lastname@example.org when our support team can confirm your identity. We can do this because when you enroll, we issue digital identity credentials to you. If you want your legal representative or attorney to make this request for you, they will have to make the request in writing as we have not issued any digital identity credentials to them. We reserve the right to reject an online request as inauthentic. Through your request, you may obtain an accounting of certain disclosures of your PHI made by us during any period of time within the six years prior to the date of your request. Your written request should indicate in what form you want the list (for example, on paper or electronically). If you request an accounting more than once during a twelve (12) month period, we will charge you for the costs involved in fulfilling your additional request. We will inform you of such costs in advance, so that you may modify or withdraw your request to save costs.
Copy of this Notice. You are entitled to a copy of this Notice. You can print out a paper copy of this Notice from our website any time you like. You are also entitled to ask us to print it and mail it to you. You may obtain a copy of this Notice at our website: https://www.cardiacfitt.com/hippa. To obtain a paper copy of this Notice, contact us using the contact information at the end of this Notice.
8. Minimum Necessary
To the extent required by law, when using or disclosing your PHI or when requesting your protected health information from another covered entity, we will make reasonable efforts not to use, disclose, or request more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use, disclosure, or request, taking into consideration practical and technological limitations.
9. Changes to this Notice
We may prospectively change the terms of this Notice from time to time. Changes will apply to current PHI, as well as new PHI after the change occurs. We will post the new Notice on our website at https://www.cardiacfitt.com/hippa. Upon your request, you may obtain any revised Notice by calling or emailing us and requesting that a revised copy be sent to you in the mail.
10. Concerns or Complaints
If you desire further information about your privacy rights, are concerned that we have violated your privacy rights, or disagree with a decision that we made about access to your PHI, you may contact our Privacy Officer (listed below). Finally, you may send a written complaint to the U.S. Department of Health and Human Services, Office of Civil Rights. Our Privacy Officer can provide you the address. We will not take any action against you for filing a complaint.
11. How to Contact Us
If you would like more information about your privacy rights, please contact CardiacFITT by calling (214) 238-2825 and ask to speak with the Privacy Compliance Officer or email email@example.com (Subject: HIPPA). To the extent you are required to send a written request to CardiacFITT to exercise any right described in this Notice, you must submit your request to CardiacFITT at:
By email: firstname.lastname@example.org
Privacy & HIPPA
2201 Main Street, Suite 400-9
Dallas, TX 75201
By phone: 214.238.2825
We will make every effort to respond to your questions, concerns, complaints and requests within a reasonable time.
Effective Date: December 31, 2019
Consent to Share and Release Information
CardiacFITT, LLC. (“CardiacFITT”), as part of administering the CardiacFITT program (the “Services”), may have access to and use my personal health information (“PHI”), which I provide to CardiacFITT as part of my participation in the Services. I understand that other participants may also be able to see my information, including PHI that I post and/or disclose in the course of engaging with the Services and/or CardiacFITT. CardiacFITT may provide aggregated, de-identified health information to my health plan; if my health plan requests any of my PHI, CardiacFITT may provide such PHI as is minimally necessary, as defined by HIPAA, to accomplish the request. Furthermore, CardiacFITT may share and use my PHI to review and improve the quality of the Services. I understand also that CardiacFITT may store my PHI for the time period that is necessary under CardiacFITT’s policies regarding record retention.
You acknowledge that you have read and understand the terms of the Consent to Share and Release such Information.